The single most common way Protected Health Information (PHI) is compromised is through the loss of devices themselves, whether this happens by accident or by theft.

Technology — thumb drives, CDs, smart phones, tablets — has made it possible for large amounts of information to be tucked into our pockets or purses and carried to our cars, homes, favorite coffee shops, or hotel rooms at conferences. Files that used to take up an entire wall can now fit on a 2-inch thumb drive, a mini iPad, a laptop.

But with this amazing technological convenience comes increased responsibility.

“Covered entities and business associates must understand that mobile-device security is their obligation,” said Susan McAndrew, former deputy director of health information privacy at the Office of Civil Rights (OCR).  “Our message to these organizations is simple: encryption is your best defense against these incidents.” And the incidents she’s referring to are the breaches of PHI that result from lost or stolen devices.

Encryption and then some

In addition to encryption, here are some questions you’ll need to address in order to handle patient data on mobile devices in ways that are safe and HIPAA compliant:

  • Do you have procedures in place for keeping track of hardware and software within your practice?
  • Have you designated someone in your office as the person responsible for maintaining records of hardware and software?
  • If people on your staff are allowed to remove electronic media that contain or may be used to access PHI, do you have procedures in place to track that media externally?
  • Have you addressed the issue of how to appropriately dispose of hardware, software, and patient data? Who in your office is in charge of that?

For mobile device security, treat your devices like money.

You wouldn’t leave a roll of $20s sitting on the front seat of your car, or your wallet lying open on a little table at Starbucks while you get up to grab your non-fat latte. Guard your mobile devices the same way you protect your cash. It’s a good rule of thumb, as well as a good way to keep things like thumb drives safe.