HHS OCR Issues Guidance on Mobile Devices and Compliance with HIPAA
In October 2017, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued Health Insurance Portability and Accountability Act (HIPAA) guidance regarding the use of mobile devices in the healthcare field. The guidance recognizes the risks of mobile device use while also acknowledging the central role such devices play in many businesses.
The first risk noted by the OCR is of mobile devices being lost or stolen. Since devices used to create or access protected health information (PHI) may be taken off-site, the risk of being lost or stolen is much greater. Regardless of the nature of the device, if it has unsecured PHI, a breach of that PHI could trigger breach notification obligations for covered entities and business associates.
The other risks raised by the OCR are those involving unsecure Wi-Fi and cloud storage applications, as well as the danger of having a mobile device infected with viruses or malware through email, websites or the downloading of apps. Entities that handle PHI must institute security protocols to assure that hackers cannot gain control of PHI and other private information through these methods.
The OCR then provides a number of tips to secure mobile devices:
- Implement policies for use of mobile devices that are used to handle PHI;
- Consider using Mobile Device Management (MDM) software to secure mobile devices;
- Install or enable automatic lock/logoff functions;
- Require authentication to access devices;
- Keep devices’ security features updated;
- Procure encryption, anti-virus/anti-malware software, and remote wipe capabilities;
- Use a privacy screen to prevent viewing by third-parties;
- Assure that Wi-Fi networks used are secure;
- Use a secure Virtual Private Network (VPN);
- Institute policies regarding downloading third-party apps on devices which access PHI;
- Delete all PHI from device before disposing of; and
- Provide training on secure use of mobile devices for all employees.
The OCR’s issuance of guidance on the topic of mobile devices tends to show that the government is increasing its vigilance in the area. All covered entities and business associates that utilize mobile devices should take the necessary steps to protect and secure any PHI, or risk steep HIPAA liabilities for any non-compliance in the event of a breach.
Wachler & Associates will continue to stay up to date with the OCR’s guidance on HIPAA compliance and other current healthcare topics. If you or your healthcare entity have any questions pertaining to HIPAA compliance, please contact an experienced healthcare attorney at (248) 544-0888, or via email at wapc@wachler.com. You may also subscribe to our health law blog by adding your email at the top right of this page.