HHS Creates Mobile Device Privacy and Security Website: High Expectations for Mobile Device Security

more+
less-
more+
less-

The U.S. Department of Health and Human Services recently posted a website focusing on mobile devices and health information privacy and security at http://www.healthit.gov/mobiledevices. The website includes five videos on mobile device security, tip sheets and frequently asked questions and answers on mobile device security, a five-step process for addressing mobile devices within a healthcare organization, and downloadable posters promoting mobile security.

The five-step process that HHS identifies includes:

 1.  Deciding appropriate use for mobile devices within the organization;
 2.  Assessing the risks associated with mobile devices;
 3.  Identifying a mobile device risk management strategy;
 4.  Developing, documenting, and implementing mobile device policies; and
 5.  Training the workforce on the policies.

The videos cover basics of mobile device security, focusing on issues such as including mobile devices in the risk assessment, preparing for and responding to the theft of a mobile device, and appropriate safeguards when using a mobile device to handle health information on a public Wi-Fi network.

A few takeaways from the website:
• Mobile device security is a significant priority for HHS, as evidenced by the resources put into this website and recent enforcement actions (e.g., the recent settlement with Massachusetts Eye and Ear Infirmary)
• HHS expects health care entities to explicitly address mobile device security in their risk assessment, include it in their risk management plans, implement detailed policies, and conduct training specific to mobile devices
• The website includes resources, such as the videos and downloadable posters, that organizations can consider using as part of their security training and awareness.

Based on this website and recent enforcement actions, it appears more likely that if a HIPAA-covered entity experiences a breach involving a mobile device and did not have a risk assessment, policies, and training related to mobile devices, then HHS will consider taking formal enforcement action.

Topics:  Data Protection, HHS, HIPAA, Mobile Apps

Published In: Administrative Agency Updates, Communications & Media Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »