OCR and ONC Issued Guide to Ensure Healthcare Mobile Devices are HIPAA

Dec 18, 2013

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have both recently provided guidelines and tips that healthcare professionals can use to secure their mobile devices and properly safeguard ePHI.

The advice has been issued on HealthIT.Gov, which lists a number of steps that can be taken to ensure that ePHI is not disclosed by mistake and that security holes are effectively closed. The measures are simple, yet many healthcare organizations are still not implementing them. The recommended data security practices include the following:

  • Make sure all mobile devices have a secure password – PINs and passwords must be used to prevent access to mobile devices, and passwords must be hidden while they are typed to prevent unauthorized people from viewing the passcodes.
  • Implement data encryption software on all databases storing ePHI and employee data.
  • Install software that allows a device to be remotely accessed so that data can be erased should the device be lost or stolen. As a minimum safety measure, mobile and laptop devices must have the facility to be remotely disabled in case of loss or theft.
  • File sharing should be disabled – File sharing is a feature of modern operating systems that enables users to easily share data; yet this feature can be a major security hole that leaves laptops and mobile devices easily accessible to cybercriminals. Data can be obtained and copied without the knowledge of the user if file sharing is switched on.
  • Install firewalls on all servers and mobile devices. The firewall must remain constantly active.
  • Install anti-virus and anti-malware software to prevent viruses and other harmful software from opening security holes. The software licenses must be maintained, updates to virus definitions should be set to automatic, and regular scans should be carried out on all devices.
  • Test mobile applications before installation – When installing mobile phone apps, access must be granted to allow the app to obtain certain information. It is essential that all security and privacy information is checked before an app is installed to ensure it is not unknowingly given access to ePHI held on the device.
  • Ensure that all devices are physically secure where they are located – Because small electronic devices can easily be lost or stolen, all staff must take care to make sure that their devices are not left unattended.
  • Secure all devices that use public Wi-Fi – Wi-Fi must only be used to connect to the internet if that connection is encrypted. Public Wi-Fi can easily allow hackers and the owners of the routers to access protected data on devices connected via their networks.
  • Text messages should use encryption software – Text messages can be easily tracked and may remain on remote servers for a considerable time, exposing data to any person with access to those servers. Encryption software for mobile devices is vital.
  • Securely erase all data that is not needed – Even deleted files can be restored, so it is essential that all data is securely erased before a device is decommissioned, destroyed, disposed of, sold on, or returned to a leasing agency.

Following all of these standard security procedures will help to ensure mobile devices are made HIPAA compliant and the ePHI of patients is properly secured.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
