In October 2017, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued Health Insurance Portability and Accountability Act (HIPAA) guidance regarding the use of mobile devices in the healthcare field. The guidance recognizes the risks of mobile device use while also acknowledging the central role such devices play in many businesses.
The first risk noted by the OCR is that mobile devices may be lost or stolen. Because devices used to create or access protected health information (PHI) may be taken off-site, the risk of their being lost or stolen is much greater. Regardless of the nature of the device, if it holds unsecured PHI, a breach of that PHI could trigger breach notification obligations for covered entities and business associates.
The other risks raised by the OCR involve unsecured Wi-Fi and cloud storage applications, as well as the danger of a mobile device being infected with viruses or malware through email, websites or the downloading of apps. Entities that handle PHI must institute security protocols to ensure that hackers cannot gain control of PHI and other private information through these methods.