HIPAA Final Rule for Mobile Device Use in Home Health and Hospice

Home health and hospice providers are at ever increasing risk of Health Insurance Portability and Accountability Act (HIPAA) violations due to vulnerabilities related to the growing use of mobile electronic devices. The HIPAA Security Rule “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

The recently posted final rule, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, addresses electronic media and the transmission of protected health information by covered entities through a web-based portal, e-mail, portable electronic media, or other means. According to the rule, covered entities should ensure that reasonable safeguards are in place to protect the information. This final rule defines electronic media as:

(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; and

(2) Transmission media used to exchange information already in electronic storage media. Transmission media includes, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.

Transmissions of protected health information via paper, facsimile, or voice over the telephone are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

The U.S. Department of Health and Human Services (DHHS) offers extensive guidance on privacy and security considerations when using mobile devices for the storage and transmission of protected health information. This information can be accessed at: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

For purposes of the DHHS “Mobile Device Privacy and Security” guidance, a mobile device is “a handheld transmitting device with the capability to access, transmit, receive, and store health information, and the provider has control over the mobile device. Examples of mobile devices include smartphones, tablets, and laptops.”

The DHHS site provides details on the following tips for protecting and securing health information when using a mobile device, under “How Can You Protect and Secure Health Information When Using a Mobile Device?”:

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Disable and do not install or use file sharing applications.
  • Install and enable a firewall.
  • Install and enable security software.
  • Research mobile applications (apps) before downloading.
  • Maintain physical control.
  • Use adequate security to send or receive health information over public Wi-Fi networks.
  • Delete all stored health information before discarding or reusing the mobile device.

Also, guidance is available for healthcare organizations that allow their staff to use mobile devices for work, under “You, Your Organization and Your Mobile Device,” such as:

  • Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or be used as part of your organization’s internal network or systems, such as an electronic health record system.
  • Understand the risks to your organization before you decide to allow the use of mobile devices.
  • Conduct a risk analysis to identify threats and vulnerabilities.
  • Identify a mobile device risk management strategy, including privacy and security safeguards.
  • Develop, document, and implement your organization’s mobile device policies and procedures to safeguard health information, such as:
    • Mobile device management
    • Using your own device
    • Restrictions on mobile device use
    • Security or configuration settings for mobile devices
  • Conduct mobile device privacy and security awareness