What are the HIPAA Requirements for Mobile Devices?

HIPAA Requirements for Mobile Devices - HIPAAGuide.net

The HIPAA requirements for mobile devices are that they are included in risk analyses, that apps and services are configured to reduce risks to a reasonable level, and that members of the workforce are trained on the appropriate use of mobile devices. It may also be necessary to install remote lock and remote wipe capabilities on certain mobile devices – including those belonging to members of the workforce.

Mobile devices – including cell phones, tablets, and laptops – are increasingly used by healthcare providers and their workforces to enhance communication and productivity. However, it is important to be aware of the risks associated with mobile devices and the subsequent threats to Protected Health Information (PHI) that is created, received, maintained, transmitted, or accessed by mobile devices.

Risks when using Mobile Devices in Healthcare

The risks when using mobile devices – compared to using desktop computers – are that mobile devices are smaller and more portable and at greater risk of being lost or stolen. A lost or stolen device that is storing PHI or has access to PHI could lead to a data breach if the data stored on the device is unsecured, or if access from the device is not prevented in a timely manner (for example, by changing user login credentials).

In addition, mobile devices can be sold with default settings or applications which are unsecure. Such default settings may enable connectivity to unsecure Wi-Fi, Bluetooth, cloud storage, or file sharing network services. Healthcare providers must ensure that any new mobile devices added to a network are properly configured and secured before allowing the devices to be used for creating, receiving, maintaining, or transmitting PHI.

Similarly, malware that infects mobile devices could provide access to unauthorized individuals which could result in a breach of unsecured PHI. Unauthorized access to unsecured PHI maintained on mobile devices can also originate from non-malicious sources. A seemingly innocuous mobile app or service could access contacts, pictures, or other information, and send the data to an external entity without the user’s knowledge.

Personal Mobile Device Use Can Increase Risks

The risks when using mobile devices in healthcare can increase when workforce members are allowed to use personal mobile devices to store or access PHI. This scenario can result in workforce members taking photos of patients or their medical records and sharing them on social media within a matter of seconds. Due to this risk, covered entities and business associates should prohibit the use of personal mobile devices whenever practical.


If it is not practical to prohibit the use of personal mobile devices, the HIPAA requirements for mobile devices take on greater significance. Risk analyses should account for the possibility of unauthorized disclosures of PHI on social media, apps and services should be configured to permit the minimum necessary access to PHI, and the sanctions policy for violating the HIPAA requirements for mobile devices should be highlighted during HIPAA training.

Additionally, workforce members should be trained in the proper, secure use of mobile devices to store or access PHI. Such security awareness training could include educating workforce members on the dangers of using unsecure Wi-Fi networks, unsecure cloud storage, and file sharing services. Workforce members should also be trained on the risks from phishing, and from viruses and malware infecting mobile devices.

10 Tips to Help Secure PHI when Using Mobile Devices

  1. Develop and enforce policies for the compliant use of mobile devices in the workplace.
  2. Install and configure Mobile Device Management (MDM) software on all mobile devices.
  3. Configure devices to use a VPN by default and block access to unsecured Wi-Fi networks.
  4. Block the downloading of third-party apps unless they are approved and whitelisted.
  5. Ensure automatic lock/logoff capabilities are enabled on devices and applications.
  6. Install anti-virus/anti-malware software and implement a patch management program.
  7. Install remote lock and remote wipe capabilities for applications with access to PHI.
  8. Verify that apps used to store PHI or with access to PHI have minimum permissions.
  9. Implement measures to delete PHI stored on a device before discarding or reusing the device.
  10. Ensure the termination procedures required by §164.308 are applied to mobile device users.
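The tips above are easiest to enforce when they are checked mechanically against whatever your MDM exports. The following is an added example, not code from HIPAAGuide.net: it audits a constructed device inventory against tips 3, 4, 5, 7 and 10 plus the "unsecured PHI" risk discussed earlier, flagging devices with disabled auto-lock, unapproved apps, no VPN or remote wipe, unencrypted storage, or an owner who appears on the termination list. Field names, the approved-app list, and the idle-lock threshold are assumptions.

```python
# Added example (not from HIPAAGuide.net): audit a constructed MDM export
# against the tips above. Field names are assumptions; map them to your MDM's.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_AUTOLOCK_SECONDS = 300  # assumption: 5-minute idle lock satisfies tip 5
APPROVED_APPS = {"com.example.ehr", "com.example.securemail"}  # constructed

@dataclass
class Device:
    device_id: str
    owner: str
    encrypted: bool                  # PHI at rest is "unsecured" if False
    autolock_seconds: Optional[int]  # None = automatic lock disabled
    remote_wipe_enabled: bool
    vpn_configured: bool
    installed_apps: List[str] = field(default_factory=list)

def audit_device(dev: Device, terminated_users: Set[str]) -> List[str]:
    """Return findings for one device; an empty list means compliant."""
    findings = []
    if not dev.vpn_configured:
        findings.append("tip 3: no VPN profile configured")
    unapproved = sorted(set(dev.installed_apps) - APPROVED_APPS)
    if unapproved:
        findings.append("tip 4: unapproved apps: " + ", ".join(unapproved))
    if dev.autolock_seconds is None or dev.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("tip 5: automatic lock disabled or idle timeout too long")
    if not dev.remote_wipe_enabled:
        findings.append("tip 7: remote lock/wipe not enabled")
    if not dev.encrypted:
        findings.append("stored PHI is unsecured (device storage not encrypted)")
    if dev.owner in terminated_users:
        findings.append("tip 10: owner terminated but device still has access")
    return findings

def audit_fleet(devices: List[Device], terminated: Set[str]) -> Dict[str, List[str]]:
    """Map device_id -> findings for every device that has at least one gap."""
    return {d.device_id: f for d in devices if (f := audit_device(d, terminated))}

# Constructed sample export: one compliant tablet, one phone with several gaps.
SAMPLE_DEVICES = [
    Device("tab-001", "asmith", True, 120, True, True, ["com.example.ehr"]),
    Device("phone-002", "jdoe", False, None, False, False,
           ["com.example.ehr", "com.social.share"]),
]
TERMINATED_USERS = {"jdoe"}  # constructed: taken from the HR termination list

if __name__ == "__main__":
    print(audit_fleet(SAMPLE_DEVICES, TERMINATED_USERS))
```

Feeding the real termination list into the audit is what turns tip 10 from a policy statement into a check that runs on every export.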

Complying with the HIPAA Requirements for Mobile Devices

The HIPAA requirements for mobile devices are extensions to the HIPAA requirements for all devices that create, receive, maintain, transmit, or have access to PHI. Due to the size and portability of mobile devices – and because many healthcare professionals use personal mobile devices in the workplace – complying with the HIPAA requirements for mobile devices can be harder.

If your organization encounters challenges complying with the HIPAA requirements for mobile devices, or requires assistance with how to incorporate training for securely using personal mobile devices into security awareness training programs, it is advisable to seek advice from a HIPAA compliance professional.