Are Your Mobile Devices HIPAA Compliant? Practical Steps to Ensure Compliance


Mobile device use is becoming more commonplace in health care. Health care professionals use text messaging to communicate with each other about patient status. Medical schools now provide residents tablets to use as textbooks and to round on patients. With the increased use of mobile devices comes increased opportunity for HIPAA compliance issues. In the recently launched initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, OCR and ONC provide tips on ways to safeguard protected health information (PHI) when using mobile devices such as laptops, tablets and smart phones.

Questioning Your HIPAA Compliance

When reviewing your current HIPAA compliance related to mobile devices consider the following questions:

  • Who owns the devices?
  • Are personal devices used at work registered?
  • Are you using Virtual Privacy Network (VPN) to exchange information? 
  • Do you back up PHI from mobile devices on servers?
  • Can you remotely wipe off devices?
  • Do your policy and procedures address mobile devices?
  • Is your workforce properly trained?

The answers to these questions might surprise you. Depending on your most recent analysis, the risk may not be fully contemplated in your current policies or training. Even if you require physicians and employees to use your mobile device, they could be using their personal phones to take pictures or text about your patients. A current assessment is warranted given the new OCR and ONC educational materials.

Security Tips for Mobile Device

OCR and ONC suggest the following measures to ensure that PHI is secure on mobile devices, including:

  • Use a password or other user authentication. You can also activate a screen lock after the device has not been used for a period of time. 
  • Install or enable encryption.
  • Install or activate remote wiping and/or disabling.
  • Disable or do not use file-shared applications.
  • Install or enable firewalls. 
  • Install or enable security software.
  • Keep your security software up to date.
  • Research apps before downloading.
  • Maintain physical control.
  • Use adequate controls when using Wi-Fi.
  • Delete all stored PHI before reusing or discarding a device.

Considered implementing these security precautions as part of your policy development and training of workforce members. Although the changes are not required under HIPAA, they lay the foundation for best practices and should be at least analyzed and documented as part of a risk assessment under the HIPAA security rule.

Five-step Process for Policy Development

The key to compliance is updating your current policies and/or developing new policies that specifically discuss the use of mobile devices. In developing a policy, OCR and ONC recommend the following five-steps:

Step 1: Decide. Decide whether mobile devices will be used to access, retrieve, store or create PHI. The OCR/ONC educational materials identify related risk to consider when making this decision:

  •  A lost mobile device
  • A stolen mobile device
  • Inadvertently downloading viruses or other malware
  • Unintentional disclosure to unauthorized users when sharing mobile devices with friends, family and/or coworkers
  • Using an unsecured Wi-Fi network

Step 2: Access. Conduct a risk assessment to determine the risk of mobile device use in your organization related to the relative benefits. Consider both devices that are personally owned and devices that are owned by the organization. Continue to conduct risk assessments related to new technology. Remember to document risk analysis, including:

  • Which mobile devices are being used to communicate with your organization’s internal networks or system (e.g., the electronic health records (her) system or Health Information Exchange)?
  • What information is accessed, received, stored, and transmitted by or with the mobile device?
  • HHS OCR HIPAA Security Series Basics of Risk Analysis and Risk Management.

Step 3: Identify. Identify your organization’s mobile device risk management strategy, including privacy and security safeguards. Your strategy should provide for evaluation and implementation of current safeguards in place.

Step 4: Develop, Document and Implement. When thinking through the implementation of your organization’s policy, OCR and ONC suggest you consider:

  • Mobile device management, including how your organization is keeping track of mobile devices.
  • BYOD (bring your own device), including whether health care professional should be allowed to use their own devices or connect to your internal systems through their own devices.
  • Restrictions on the use of devices, including whether health care professional can use mobile devices to connect to your EHR, when they are not on your campus or at your facilities, or to text PHI.
  • Security/configuration settings on devices, including determining configurations both inside and outside the firewall.
  • Information storage on devices, including allowing apps to be downloaded.
  • Misuse of devices, including processes and procedures.
  • Recovery and deactivation, including processes for wiping or disabling laptops and for employees that leave the organization.
  • Training, including training of all workforce members and medical staff and holding the workforce accountable for noncompliance.

Step 5: Train. OCR and ONC suggest that privacy and security training be ongoing and include the following topics: 

  • Risks (threats and vulnerabilities) when using mobile devices for work
  • How to secure mobile devices
  • How to protect and secure health information
  • How to avoid mistakes when using mobile devices

These policies and procedures should be thought through and written in easily understood language. The workforce should be able to understand their obligations under the policies and procedures developed at your organization.

Enforcement Has Already Begun

With OCR enforcement on the rise related to mobile devices and HIPAA, health care organizations should conduct a risk assessment of their current compliance. OCR started off 2013 with an announcement of its first enforcement action against a hospice that lost a laptop with less than 500 patients, specifically mentioning the website providing its new mobile device educational information. [Jim Wieland and Josh Freemire discuss the hospice settlement in their article, “First OCR Settlement Involving a ‘Small’ Breach Focuses on Mobile Device Security,” published separately in this issue of the Health Law Alert.]

More Information

Additional information on HIPAA compliance and mobile devices, including checklists, videos, FAQs and tips, is available at

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising

Written by:


Baker Donelson on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.