In October 2017, the Office for Civil Rights (OCR) issued guidance on properly handling mobile devices in the health care field.

Mobile devices are becoming more common in the health care industry. These devices often carry a higher risk of a breach of protected health information (PHI). In the guidance, the OCR reminded health care organizations to include mobile devices in their risk analysis and to take steps to reduce the risk of a breach.

The OCR outlined some of the possible risks of using mobile devices. One major risk stems from the devices’ portability and small size, which make them easy to lose or steal. If the PHI on a lost or stolen device is unsecured, for example because the device is neither encrypted nor locked, the loss would constitute a breach.

Additionally, there is a potential risk if the mobile device is a personal device rather than one provided by the health care organization. Personal devices are more often infected by malware because they lack enterprise-level protection, and an infection can lead to a breach. The health care entity should have policies that govern the usage of mobile devices, whether they are personal or company owned.

The OCR also raised an issue that affects many devices, not just mobile ones. Many devices ship with default credentials and settings that are never changed after the device is set up for the user. Some of these default settings might cause the device to connect automatically to unsecured wireless, Bluetooth, or file sharing networks. Health care IT departments and teams will want to configure mobile devices properly to reduce the risk of connecting to unsecured networks.

The guidance also calls for training workforce members on how to properly use mobile devices. This training might cover the “dangers of using unsecure Wi-Fi networks, such as public Wi-Fi offered in airports and coffee shops, as well as unsecure cloud storage and file sharing services.” It can also cover the risks of viruses and malware that might infect a mobile device.

Another potential risk on mobile devices is mobile applications or games that can access information stored on the device. If PHI, or even patient contact information, is stored on the device, a third party could obtain it through such an application, resulting in a breach.

Finally, the OCR provided a list of safeguards that can help protect mobile devices, such as using automatic logoff, enabling encryption, and installing patches and updates on a regular basis.

To learn more about what you can do to protect your organization’s mobile devices, join HIPAAgps today.