6 rules for protecting health information on mobile devices

Customers are walking around with powerful devices and expecting direct, real-time access to their healthcare records wherever they go. The challenge for payers is meeting that demand while safeguarding electronic protected health information (ePHI) shared through mobile channels. It's another example of technology racing forward while procedures to secure it catch up.

"Faster is not necessarily better," Kirk Nahra, partner in the Washington, D.C.-based law firm Wiley Rein, told FierceHealthPayer in an interview. "You have to think about what you're trying to accomplish, what your choices are, and then figure out a way that lets you achieve as much as you can with appropriate security boundaries. If the right person can get into your database, you've got to make sure the wrong person can't get in."

The consequences of failing to protect patient privacy are significant. The HITECH provisions of the American Recovery and Reinvestment Act created breach notification requirements (including notice to HHS and the media when a breach affects 500 or more individuals) and the possibility of civil and criminal penalties.

So how do insurers reconcile the advantages of mobile communications with HIPAA requirements and risks? Start by educating customers about mobile communication risks. According to Sherry Ryan, director and chief information security officer at Blue Shield of California, "People carry a great deal of their lives on these small, powerful and convenient devices. [They] don't appreciate the dangers mobile communications present to them in terms of their personal information and identities."

Payers can help customers reduce risk by encouraging them to keep mobile devices physically secure and to protect them with strong passwords.

In addition, payers should "watch the house" by enforcing their own internal policies to protect ePHI:

  1. Know where ePHI is stored in your organization. Is it housed, for example, in an old database created for a function that is no longer performed? Then consider destroying that database securely, in keeping with records management requirements.
  2. Know who has ePHI access in your company, and confirm that the access is required by each person's current role. For example, it is not appropriate for an executive who began her career as a coder to retain a coder's access to the claims system.
  3. Consider company-issued devices for work-related mobile communications, with a policy that staff do not use their own cell phones or tablets to do business. Although expensive, issuing work-only devices keeps ePHI on devices the organization controls. Be aware, however, that some employees will resist carrying additional devices and prefer to bring their own.
  4. Track mobile devices through asset management programs. "We can't protect what we don't know about," Paula Ciotti, compliance officer at Anthelio Healthcare Solutions, Inc., in Dallas, said.
  5. Keep approved devices current with technical controls such as anti-virus and patch management.
  6. Dispose of obsolete devices securely. Wipe hard drives and memory cards so that ePHI cannot be retrieved by unauthorized people.
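Rule 2 is an access recertification: compare the access each person actually holds against what their current role requires, and flag the rest. The script below is an added illustration of that check, not code from the article or any payer's system. The roster, role matrix and access grants are constructed sample data, and the role names, system names and entitlement labels are hypothetical; in practice the grants would come from an IAM or claims-system export and the roster from HR. It also flags grants held by people with no active HR record, the orphaned-account case a reviewer should not miss.

```python
"""Access recertification check for ePHI systems (added example, constructed data).

Given an HR roster of current roles, a role-to-entitlement matrix and the
access grants present on the systems, report every grant that the holder's
current role does not justify.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical role matrix: the entitlements each role needs today.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "coder": frozenset({("claims", "read"), ("claims", "code_edit")}),
    "claims_analyst": frozenset({("claims", "read")}),
    "executive": frozenset({("reporting", "read")}),
}

# Constructed HR roster: who holds which role right now.
HR_ROSTER: Dict[str, str] = {
    "alice": "executive",   # began her career as a coder, promoted since
    "bob": "coder",
    "carol": "claims_analyst",
}

# Constructed dump of grants present on the systems, as (user, system, entitlement).
ACCESS_GRANTS: List[Tuple[str, str, str]] = [
    ("alice", "claims", "code_edit"),   # left over from her coder days
    ("alice", "reporting", "read"),
    ("bob", "claims", "read"),
    ("bob", "claims", "code_edit"),
    ("carol", "claims", "read"),
    ("dave", "claims", "read"),         # dave no longer appears in HR
]


@dataclass(frozen=True)
class Finding:
    """One grant that the review could not justify."""
    user: str
    system: str
    entitlement: str
    reason: str


def review_access(roster: Dict[str, str],
                  grants: List[Tuple[str, str, str]],
                  role_entitlements: Dict[str, FrozenSet[Tuple[str, str]]]) -> List[Finding]:
    """Return every grant not required by the holder's current role.

    A grant is flagged when the holder has no active HR record (orphaned
    account), when the holder's role is unknown to the matrix (cannot be
    justified), or when the role does not include that entitlement.
    """
    findings: List[Finding] = []
    for user, system, entitlement in grants:
        role = roster.get(user)
        if role is None:
            findings.append(Finding(user, system, entitlement, "no active HR record"))
            continue
        allowed = role_entitlements.get(role)
        if allowed is None:
            findings.append(Finding(user, system, entitlement, f"unknown role {role!r}"))
            continue
        if (system, entitlement) not in allowed:
            findings.append(Finding(user, system, entitlement,
                                    f"not required by role {role!r}"))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ACCESS_GRANTS, ROLE_ENTITLEMENTS):
        print(f"REVOKE? {f.user}: {f.system}/{f.entitlement} ({f.reason})")
```

On the sample data the review flags alice's leftover `claims/code_edit` grant and dave's `claims/read` grant (no HR record); everything else is justified by a current role. Run it against a real export and every finding becomes a revocation ticket or a documented exception.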