When employees use mobile devices to access patient information
The use of mobile devices is widespread, and accessing patient health information through one is fast and convenient. However, without proper safety measures, mobile devices present a risk to the security of protected health information, and organizations must ensure that patients’ protected health information remains secure.
Conduct a Risk Assessment of Mobile Devices
Conduct a risk assessment of the use of mobile devices within the organization. The assessment will determine how mobile devices are used and what protected health information (PHI) is being accessed and transmitted through these devices.
When accessing and sharing PHI via mobile devices, physicians and staff members are obligated to safeguard that PHI. Establish and enforce policies and procedures to ensure that mobile device use does not violate the Health Insurance Portability and Accountability Act (HIPAA).
Organization-Owned Devices or Bring Your Own Device
Determine if your organization will provide physicians and staff with devices or if the organization will permit personal devices to access and transmit PHI. Each option has advantages and disadvantages and will require policies and procedures to ensure proper handling of protected health information.
Providing devices to physicians and staff can be expensive, but this option gives the organization more control over the devices and ensures that information is shared through HIPAA compliant platforms.
Allowing staff to use their personal devices is a less expensive option; however, it can increase the risk of unauthorized access to PHI and data breaches. Whichever option an organization chooses, it must have safeguards in place to protect patient privacy and other sensitive information.
Devices Owned by the Organization
Ensure that devices provided to workforce members are encrypted and have a secure HIPAA compliant messaging platform installed. Devices should be password protected and have automatic screen locks after a defined period of time. Require staff members to sign a device user agreement outlining appropriate device use, including how violations of policies will be addressed. Prohibit the use of devices by anyone other than the staff member assigned to the device.
Develop Policies for Mobile Devices
Develop policies on the appropriate use of mobile devices. The following issues should be addressed in policies:
- A Secure HIPAA Compliant Messaging Platform: HIPAA compliant messaging platforms are secure, encrypted platforms that can be used to transmit protected health information safely. These platforms can be integrated into an organization’s electronic health record (EHR) system, control access, and allow for user audits. If personal devices are used to transmit or receive PHI, a secure HIPAA compliant messaging platform must be installed on the staff member’s device.
- Texting with Patients: All communications with patients, including appointment reminders, must be conducted on secure HIPAA compliant messaging platforms and never on an unsecured personal messaging system.
- Texting with Colleagues: Text messages among staff members should be sent on a secure HIPAA compliant messaging platform and not on personal messaging systems.
- Do Not Text Patient Orders: The Centers for Medicare and Medicaid Services (CMS) prohibits providers from texting patient orders. Orders should be written in patient medical records or entered into the EHR's computerized provider order entry (CPOE).
- Automatic Screen Locking: Configure devices to lock automatically after a period of inactivity. This time frame should be short, usually five minutes or less.
- Password Protection: Require that all devices have strong password protection.
- Use Caution when Texting: Shorthand or abbreviations used in text messages can lead to confusion and should not be used when relaying patient information. Review messages before sending to be sure they are going to the right person and that auto-correct has not changed the message's meaning. Limit the amount of clinical information to the minimum necessary.
- Report Inappropriate Use: Require staff members to report any unencrypted text message that is sent or received, and any message that was sent to the wrong person.
- Mobile Device Remote Wipe Waiver: Require workforce members who use their personal electronic devices to access or communicate PHI to sign a waiver that allows the facility to wipe the device remotely if it is compromised. Inform staff members that a remote wipe is a destruction operation that results in all data being deleted from the device, including any personal information, such as personal emails and pictures.
- Malware and Viruses: Viruses and malware can be introduced to a mobile device, especially if it is shared among multiple users. Malware and viruses increase the risk of breach of the organization’s networks and unauthorized access to patients’ PHI. A cyber-breach can result in fines and damage to the organization’s reputation.
- Photographs: Specify what devices are appropriate for employees to use for clinical images. Prohibit the use of personal devices for obtaining clinical images.
Organizations must ensure that PHI on mobile devices remains secure. This is accomplished through setting up security practices within the organization.
- Lost or Stolen Devices: Require that lost or stolen devices with access to the organization’s network be reported immediately to prevent unauthorized access to those networks. Lost or stolen devices should be remotely wiped immediately. If there is a suspected breach of PHI, the organization’s breach investigation process should be initiated.
- Termination of Employment: Require that access to the organization’s networks be removed from personal devices before an employee’s termination from the organization. If personal devices are not presented for removal from the network, it may be necessary to wipe the device remotely.
Text messages on personal and work-designated devices are discoverable during litigation. Remind staff not to text anything that would not be appropriate for documentation in a patient’s medical record. If a situation requires urgent communications, request an immediate call from the recipient of the text.
Retention policies for PHI on mobile devices should be in line with medical record retention policies for the organization.
Staff members may be tempted to answer calls, read personal text messages, or check their social media accounts on their personal mobile devices while on duty, which can distract them from their work and lead to medical errors. Establish policies to limit personal use of mobile devices while on duty. To reduce distractions, organizations may decide to identify “device-free” areas in the facility, such as the OR or the ICU.
Educate staff about the infection control risks associated with mobile devices and instruct staff to practice good hand hygiene before and after handling mobile devices.
HIPAA Training and Security Training
Include your organization’s mobile device policies in employee HIPAA and security training. Include information on how to protect devices from malware or viruses. Educate staff to be wary of emails from unfamiliar sources and not to click links that may infect the device.
Medical Mutual Insurance Company of Maine's "Practice Tips" are offered as reference information only and are not intended to establish practice standards or serve as legal advice. MMIC recommends you obtain a legal opinion from a qualified attorney for any specific application to your practice.