Mobile Devices and HIPAA Compliance

Mar 02, 2016 at 12:12 pm by Staff

Mobile device are proliferating in medical practices today. Laptops, tablets, even cell phones are now used to access PHI about patients. If you use any of these devices, your data can be more at risk than using regular PCs that do not leave your desk.

Mobile devices can be very convenient when it comes to looking up patient information, but you need to take extra precaution with them to protect your patient's medical information. There are some basic guidelines that you should follow when using your portable device.

First, are you using the device inside your office? Make sure that your device is connected to your office's Wi-Fi network. This may sound simple, but a lot of Internet providers will provide free "hot spots" in your office if you get your Internet from them. This is convenient for your patients out in the waiting room, but you don't want your device using it.

If you have taken the device out of the office and connected an Internet company's free Wi-Fi hotspots, it may try to automatically reconnect to it when you are in your office. These hot spots are not secure and you need to make sure that you don't use one of them to access PHI. Check with your company's IT professional to make sure you are using the "office Wi-Fi" all the time when you are in the office.

If you are out of your office "down at the coffee shop" or any other place where you can get Internet access, follow these guidelines with your mobile device. First, only connect to your EMR via a VPN (Virtual Private Network) before you bring up your software. If you don't have a VPN set up on your mobile device, check with your IT company and have them install one on your device. A VPN encrypts the data between your device and your office.

Alternatively, if your EMR is completely cloud based (does not run on a server in your office), then your application should only run in a web browser using HTTPS:// or a secure connection. This is the type of connection that you would see when you hit your bank's web site.

I strongly recommend that you don't store ANY patient information actually on your device. If all data is accessed remotely, and is never actually stored on your device, you don't have to report it to anyone if it is stolen. Even a PDF of a patient's lab results, stored on the device, makes that device "reportable" if it is lost or stolen.

If your EMR requires that you store actual patient information on the device, then the hard drive has to be encrypted. This usually only applies to laptops, as opposed to tablets or cell phones, because most don't have the ability to store patient data.

Additional recommendations: Make sure you password protect your device and use a strong password. Change your password often. Keep your device with you when you are in public and don't let others see your screen when you are looking at patient information. Don't share your device with anyone and be very careful of what APPS you install on your device.

Lastly, have your IT employee or provider install tracking software on your device. It has a much higher chance of being located, if it is lost or stolen, if a location tracking program is installed. Most tracking programs can also do "remote wipe" so all data/programs/everything can be wiped off if the device cannot be returned.

Tim Taylor is the Founder and president of TaylorWorks Inc., a leading managed service provider in Central Florida. Since 1999, TaylorWorks has provided companies with proactive IT support and consulting. Tim successfully guided his company and team over the past 5 years through a 300 percent growth rate. In Tim's career, he has been a programmer, a network engineer and IT company owner. Originally from Memphis, Tenn., Tim has a business degree from the University of Memphis.

Sections: Orlando Regulatory