HHS Creates Mobile Device Privacy and Security Website: High Expectations for Mobile Device Security


The U.S. Department of Health and Human Services recently posted a website focusing on mobile devices and health information privacy and security at http://www.healthit.gov/mobiledevices. The website includes five videos on mobile device security, tip sheets and frequently asked questions and answers on mobile device security, a five-step process for addressing mobile devices within a healthcare organization, and downloadable posters promoting mobile security.

The five-step process that HHS identifies includes:

 1.  Deciding appropriate use for mobile devices within the organization;
 2.  Assessing the risks associated with mobile devices;
 3.  Identifying a mobile device risk management strategy;
 4.  Developing, documenting, and implementing mobile device policies; and
 5.  Training the workforce on the policies.

The videos cover basics of mobile device security, focusing on issues such as including mobile devices in the risk assessment, preparing for and responding to the theft of a mobile device, and appropriate safeguards when using a mobile device to handle health information on a public Wi-Fi network.

A few takeaways from the website:
• Mobile device security is a significant priority for HHS, as evidenced by the resources put into this website and recent enforcement actions (e.g., the recent settlement with Massachusetts Eye and Ear Infirmary)
• HHS expects health care entities to explicitly address mobile device security in their risk assessment, include it in their risk management plans, implement detailed policies, and conduct training specific to mobile devices
• The website includes resources, such as the videos and downloadable posters, that organizations can consider using as part of their security training and awareness.

Based on this website and recent enforcement actions, it appears more likely that if a HIPAA-covered entity experiences a breach involving a mobile device and did not have a risk assessment, policies, and training related to mobile devices, then HHS will consider taking formal enforcement action.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:


Davis Wright Tremaine LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.