Kusserow’s Corner: Mobile Devices Continue to Lead in HIPAA Security Violations

The following is a reminder that, although communicating with patients using mobile devices such as smartphones and tablets is commonplace in health care, lost or stolen devices continue to account for more than two-thirds of HIPAA security breaches of electronic protected health information (ePHI). According to Dr. Cornelia Dorfschmid, a leading expert on this subject, “these types of breaches underscore the importance of continuing to conduct ‘baseline’ security reviews for HIPAA compliance that extend to mobile devices. Ironically, this is an area that often does not get the needed attention, and the result is that it is common for individuals with mobile devices to not have passwords to access information, to not encrypt stored data, and to use Wi-Fi or unsecure cellular networks to send and receive information, risking exposure of ePHI.”

This growing dependency on mobile devices translates to increased risk for the organization. Unauthorized access to sensitive information on a device would be considered a HIPAA Privacy violation. While a data breach or HIPAA violation could be the result of a deliberate act, it may also simply arise from the loss or theft of the mobile device. Unauthorized disclosure of protected health information (PHI) is therefore a risk, because mobile devices store data on the device itself in one of two ways: (1) within the device’s “onboard memory” or (2) within the SIM card or memory chip. Thus, mobile devices used to exchange ePHI retain a record of that data on the device. The HIPAA Security Rule permits doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, and pharmacies, among others, to transfer PHI electronically between healthcare providers and patients by email or text message and to communicate with each other about patient status. Medical schools now provide residents with tablets to use as textbooks and to round on patients. All this has increased the potential for HIPAA security violations, which can result in civil penalties of up to $50,000 per violation and a maximum penalty of $1.5 million for all violations of an identical provision during a calendar year.

HIPAA and the HITECH Act specifically require covered entities and their business associates to conduct periodic risk analyses of the potential risks and vulnerabilities to ePHI maintained on all of their systems, including mobile devices. They further mandate that reasonable safeguards be applied to such devices, as well as appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI (P.L. 104-191). This raises questions and concerns about violating the HIPAA Security Rule. According to HHS, the HIPAA Security Rule outlines national standards designed to protect individuals’ ePHI that is “created, received, used, or maintained by a covered entity.” The HHS Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have posted tips on ways to safeguard PHI when using mobile devices such as laptops, tablets, and smartphones in a section entitled “Your Mobile Device and Health Information Privacy and Security.”

15 Tips for “HIPAA Proofing” Mobile Devices

  1. Provide management, accountability, and oversight structure for covered entities to ensure proper safeguards and policies and procedures are in place.
  2. Establish policies, protocols, processes, and procedures both to protect ePHI in a mobile device environment and to address a security breach, as they are the foundation for best practices.
  3. Keep an inventory of personal mobile devices authorized for use by health care professionals to access and transmit ePHI; establish rules for such use.
  4. Have an outside independent security risk assessment to determine (a) whether personal mobile devices are being used to exchange ePHI; (b) which ones are being used on internal networks; (c) what information is being accessed, received, stored, and transmitted; (d) whether proper authentication, encryption, and physical protections are in place to secure the exchange of ePHI; and (e) whether users have been properly trained on security procedures.
  5. Use a device key, password or other user authentication to verify the identity of a user, process, or device.
  6. Install and/or enable encryption that will protect health information stored on and sent by mobile devices.
  7. Install or enable firewalls, and regularly update security software, such as software that protects against malicious software (also called malware).
  8. Install or activate remote wiping and/or disabling.
  9. Ensure those with mobile devices understand that they must keep them under personal control or in locked offices or lockers when not in use.
  10. Install radio frequency identification (RFID) tags on mobile devices to help locate a lost or stolen mobile device.
  11. Establish remote shutdown tools to prevent data breaches by remotely locking mobile devices.
  12. Disable, and do not install or use, file-sharing applications on devices used for ePHI transmission.
  13. Establish an electronic process to ensure the ePHI is not destroyed or altered by an unauthorized third party.
  14. Ensure health care providers are educated and trained on the processes and procedures to use when accessing ePHI from mobile devices, and educate clinicians on the risks of data breaches, HIPAA violations, and fines.
  15. Delete all stored PHI before reusing or discarding a device.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2014 Strategic Management Services, LLC. Published with permission.