Mobile devices are frequently used to access, share, or communicate information about an individual’s or a patient’s health records or status. Any mobile device that receives, transmits or stores protected health information (PHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA).
While organizations often have HIPAA policies that cover all forms of communication (e.g., verbal, fax, email, and in-person), mobile devices have their own set of privacy issues. A staff person from a local health department recently contacted the Network about whether other public health agencies have stand-alone HIPAA policies that specifically address mobile device usage.
Mobile devices are a particular concern under HIPAA because of the high risk that data will be intercepted in transit and that patient data will be accidentally divulged when devices are lost or stolen. For this reason, many organizations have opted to have specific policies regarding employee use of mobile devices to communicate information that may include PHI.
The Office of the National Coordinator for Health Information Technology has materials on privacy, security and mobile devices to help organizations protect and secure health information when using mobile devices. Additionally, this example of a mobile device policy template may be helpful.
Network attorneys are available to answer questions on this and other public health topics at no cost to you, and can assist you in using law to advance your public health initiatives. Contact a Network Attorney in your area for more information.
The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.