On December 12, 2012, the U.S. Department of Health and Human Services (HHS) launched a new website focused on the use of mobile devices in relation to health information privacy and security. The website is entitled Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The website provides educational materials, such as videos and fact sheets, aimed at promoting best practices for safeguarding protected health information on mobile devices like laptops, tablets, and smartphones.
Included on the website is the following five-step process for addressing mobile devices within a healthcare organization:
- Decide appropriate use for mobile devices within the organization;
- Assess the risks associated with mobile devices;
- Identify a mobile device risk management strategy;
- Develop, document, and implement mobile device policies; and
- Train the workforce on the policies.
Additionally, the website contains a number of videos covering the basics of mobile device security. The videos address subjects such as mobile devices in the organization’s risk assessment, preparing for and responding to the theft of a mobile device, and appropriate safeguards when using a mobile device to handle health information on a public Wi-Fi network.
Based upon the information on the website, as well as recent enforcement actions related to mobile device issues (for example, the Massachusetts Eye and Ear Infirmary (MEEI) Resolution Agreement[1]), health care providers who are Covered Entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should consider taking appropriate steps regarding the use of mobile devices, such as performing an appropriate risk assessment, developing policies and procedures addressing the use of mobile devices, and providing adequate training to workforce members on the use of such devices. This new website can serve as a helpful tool when taking such actions.
[1] In September 2012, MEEI paid $1.5 million to HHS to settle potential violations of the HIPAA Security Rule following the submission of a breach report by MEEI related to the theft of an unencrypted personal laptop containing electronic protected health information (ePHI). An investigation conducted by the HHS Office for Civil Rights indicated that MEEI failed to take necessary steps to comply with Security Rule requirements, including conducting a thorough analysis of the risk to confidentiality of ePHI maintained on portable devices and adopting policies and procedures to restrict access to ePHI to authorized users of portable devices. The MEEI Resolution Agreement and accompanying Corrective Action Plan between HHS and MEEI are available here.