Are Your Employees’ Personal Mobile Devices Secure?



In today’s technological world, employees are more and more likely to access their work accounts remotely – including by personal phones or tablets (“personal mobile devices”). This provides convenience and flexibility to your employees, but it can potentially put your information at risk if steps aren’t taken to protect it.

Under HIPAA, a breach occurs when unsecured Protected Health Information (PHI) is lost or stolen (or is otherwise disclosed to or accessed by an unauthorized person). Employees may use their personal mobile devices to access company email or systems that contain PHI. Therefore, appropriate safeguards must be put in place for such mobile devices to ensure that only the device’s owner has access to such information, and that a lost or stolen device does not constitute a reportable breach.

Here are three concrete steps (and a few sub-steps) an employer might take to make sure any PHI related to its group health plans remains secure when accessed via personal mobile devices:

  1. Make sure there are role-based access controls in place to ensure that only those employees who need access to PHI have it.
  2. Require, as a condition of enabling access to the company’s email or other systems, that employees register such devices with the IT Department. As part of the registration process, the IT Department should:
    • Log and track the mobile device;
    • Enable any built-in encryption or otherwise ensure that the device is properly encrypted; and
    • Enable a required login passcode that meets the organization’s password complexity standards. (Employees should not have the option to bypass the passcode requirement.)
  3. Incorporate into any existing Acceptable Use Policy or Bring Your Own Device (BYOD) Policy procedures specific to personal mobile devices. Include provisions that:
    • Prohibit employees from storing PHI locally on any mobile device;
    • Prohibit employees from sharing passcodes or otherwise enabling or promoting unauthorized access to a mobile device;
    • Prohibit employees from installing or using unapproved file-sharing software; and
    • Communicate a process for notifying IT when a device is lost or stolen.

None of these steps is absolutely required, and organizations must weigh their potential risks and associated costs when completing the required HIPAA security risk analysis, ensuring that appropriate safeguards are implemented to reduce the risk of unauthorized disclosures of electronic PHI. Remember that if a lost or stolen personal mobile device is properly secured, then there is no breach risk. However, unsecured devices that have access to ePHI do need to be treated as a potential breach if lost or stolen. Ensuring that such devices are encrypted, password protected, and centrally tracked/managed, as well as training your employees on appropriate use of such devices, will greatly reduce your risk of unwanted exposure.

While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitments.