As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers create a “culture of compliance and awareness” and to protect patients’ Protected Health Information (“PHI”). While the material is focused on health care professionals, the information is also applicable to group health plan professionals and their business associates who use mobile devices to store and transmit PHI in connection with administration of group health plans.

In December 2012, HHS launched a new initiative called Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. HHS also launched an educational webpage on safeguarding PHI on mobile devices. The website includes five YouTube videos describing common compliance challenges with mobile devices. The website also includes helpful resources that can be used to supplement HIPAA compliance training for employees of covered entities (and their business associates). HHS’s educational website, videos and resources are available at www.HealthIT.gov/mobiledevices. HHS cautions that these resources are only informational and do not guarantee compliance with HIPAA or other applicable laws.

By way of summary, HHS recommends the following five-step plan that organizations can use to manage mobile devices:

  1. DECIDE: The health care provider must decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or be used as part of the organization’s internal networks or systems (e.g., an Electronic Health Records system).
  2. ASSESS: The health care provider must consider how mobile devices affect the risks (threats and vulnerabilities) to the PHI that the health care provider holds.
  3. IDENTIFY: The health care provider must identify its mobile device risk management strategy, including privacy and security safeguards.
  4. DEVELOP, DOCUMENT, and IMPLEMENT: The health care provider must develop, document, and implement its mobile device policies and procedures to safeguard health information.
  5. TRAIN: The health care provider must train providers and professionals on mobile device privacy and security awareness.

Regardless of whether the mobile device is personally owned and used at work (“bring your own device” or “BYOD”) or provided by the organization, a mobile device is susceptible to PHI privacy and security risks. A mobile device can be lost or stolen. An employee may inadvertently download viruses or other malware. An employee may use a mobile device on an unsecured Wi-Fi network and may unintentionally disclose PHI to unauthorized users. HHS’s mobile device educational website offers the following tips to protect and secure health information:

  1. Use a password or other user authentication.
  2. Install and enable encryption.
  3. Install and activate wiping and/or remote disabling.
  4. Disable and do not install file-sharing applications.
  5. Install and enable a firewall.
  6. Install and enable security software.
  7. Keep security software up to date.
  8. Research mobile applications (apps) before downloading.
  9. Maintain physical control of your mobile device.
  10. Use adequate security to send or receive health information over public Wi-Fi networks.
  11. Delete all stored health information before discarding or reusing the mobile device.

Here is a link to HHS’s educational video series, which provides scenarios of some common risks health care providers may face when using a mobile device for patient care: http://www.healthit.gov/providers-professionals/videos


Ryan Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch-Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.

Tzvia Feiertag

Tzvia Feiertag is a senior associate in the Labor & Employment Law Department. She practices exclusively in the areas of ERISA and employee benefits-related tax law.

Tzvia advises a diverse group of clients, including Fortune 500 companies, financial service companies, media and publishing companies, private companies and not-for-profit organizations on all aspects of pension and welfare benefit plans. She counsels clients on the design, implementation and operation of 401(k), defined contribution, defined benefit, and self-insured and fully-insured medical, life and disability plans, as well as cafeteria plans, health savings account plans, flexible spending account programs and severance plans.