Creating mobile device policies can be tricky. Burdensome security policies and strategies that diminish productivity will most likely result in employee workarounds that defeat security efforts.1,2 Additionally, human error and criminal intent can defeat the best-intentioned employee laptop and storage device security strategies. Despite these difficulties, mobile device policies are a necessary part of a comprehensive information security program to prevent HIPAA data breaches.
Encryption can secure PHI as it moves through the information stream and into computers and mobile devices. Encrypted PHI is less likely to be compromised if devices are lost, stolen or nefariously accessed. Additionally, there are various technologies available on the market that can dynamically detect and redact PHI and block sensitive information from being downloaded to certain devices.1
The HHS HealthIT.gov website has extensive guidance on using mobile devices in clinical practice. The website includes videos on securing PHI on mobile devices, downloadable posters, presentations and fact sheets to help covered entities comply with HIPAA data security requirements.
Bring Your Own Device (BYOD) Policies
A bring your own device (BYOD) policy should be put in place when administrators, clinicians and staff are allowed to use personally owned devices (e.g., laptops, tablets, smartphones) to access, manipulate, use, copy, store or move PHI. Lost and stolen devices are a major source of data security breaches.3 The simple act of enabling device security options such as password protection, device encryption, fingerprint or facial authentication, and time-out locks can help prevent HIPAA data breaches by making the PHI inaccessible.
Many device users don’t even realize when they are exposing PHI to a security breach. For example, various apps don’t store content on the device; they store it in the cloud. In many apps, content is stored in the cloud by default, which requires device users to disable the cloud storage function if they don’t want data to be held there. When users don’t disable cloud storage, PHI can exist in multiple locations on cloud servers that cannot be controlled by the covered entity that is responsible for the security of the PHI. Covered entities that allow BYOD should develop and implement a policy defining how PHI must be protected, what steps must be taken if a personally owned device that potentially contains PHI is lost or otherwise compromised, and the personal consequences of violating the BYOD policy.2,4
More Information About Preventing HIPAA Data Breaches
- Overview: Preventing HIPAA Data Breaches: Case Studies and Best Practices
- Best Practices: Best Practices for Preventing HIPAA Data Breaches by Criminal Hackers
- Case Study Comparison: HIPAA Data Breaches and PHI on Stolen Laptops
- Closed Claim Case Study: Misdelivered Email Results in a HIPAA Data Breach
- Closed Claim Case Study: Employee Voyeurism Leads to a HIPAA Data Breach
- Closed Claim Case Study: Unsecured PHI on a Lost Flash Drive Results in a HIPAA Data Breach
Additional Resources for Policyholders
Guidance and additional information on the HIPAA Security Rule and on medical records security, access and release are available to all NORCAL policyholders by contacting a NORCAL Risk Management Specialist at 855.882.3412.
Information and Network Security Coverage
Call NORCAL Customer Service at 844.4NORCAL or visit our Information and Network Security coverage page for more information about this coverage available at no additional cost as part of the Health Care Professional (HCP) policy.
1. Bitglass. “2014 Bitglass Healthcare Breach Report.” (accessed 5/14/2018)
2. Pennic J. “68% of Healthcare Data Breaches Due to Device Loss or Theft, Not Hacking.” HIT Consultant. (accessed 5/14/2018)
3. Verizon Enterprise. “2018 Data Breach Investigations Report.” (accessed 5/14/2018)
4. Virtu. “HIPAA Email Compliance: 6 Best Practices for Medical Data Security.” January 8, 2015. VirtuBlog. (accessed 5/14/2018)
Additional Linked Resource
Office of the National Coordinator for Health Information Technology (ONC). “Your Mobile Device and Health Information Privacy and Security.” HealthIT.gov. (accessed 5/14/2018)