With the ever-increasing use of mobile devices in the workplace that create, receive, maintain, and transmit electronic protected health information (ePHI), the Department of Health and Human Services (HHS), Office for Civil Rights (OCR)’s latest Cybersecurity Newsletter issued an important reminder of the importance of mitigating the risks surrounding the use of mobile devices.

Mobile devices pose unique security risks because of their portability, small physical size, and capacity to store vast amounts of data. Both the Federal Trade Commission (FTC) and OCR frequently remind all organizations, but especially those entities that process ePHI, of the importance of protecting data on mobile devices.

The OCR newsletter is a useful reminder that entities should properly configure security measures on mobile devices so that they are only capable of connecting to secure networks and are resilient against malicious software. Workforce training and education on an entity’s policies and procedures is key to ensuring such efforts are successful. OCR stresses that mobile devices should be included in an organization’s enterprise-wide risk analysis and that organizations implement security measures to reduce identified risks to a reasonable and appropriate level, as required by the Health Insurance Portability and Accountability Act (HIPAA) rules.

OCR included a list of tips to help covered entities and their business associates protect ePHI while using mobile devices.

Here is the full list of OCR tips:

• Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain or transmit ePHI.
• Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
• Install or enable automatic lock/logoff functionality.
• Require authentication to use or unlock mobile devices.
• Regularly install security patches and updates.
• Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
• Use a privacy screen to prevent people close by from reading information on your screen.
• Use only secure Wi-Fi connections.
• Use a secure Virtual Private Network (VPN).
• Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
• Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
• Include training on how to use mobile devices securely in workforce training programs.

The Federal Trade Commission has issued similar advice for businesses about building security into connected devices including proper authentication, reasonable security measures, and carefully considered default settings.

For more OCR guidance on cyber security, please follow this link: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html.

If you have any questions about ePHI/mobile device security or HIPAA compliance more generally, please feel free to contact any member of Drinker Biddle’s Health Care Team or Information, Privacy, Security and Governance Team. 

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.