Continued Respiratory Therapy Phone: 866-382-0799


When Is HIPAA Security Required for Mobile Devices?

Kim Cavitt, AuD

May 16, 2022

Share:

Question

When is HIPAA security required for mobile devices?

Answer

HIPAA has a lot of implications and things you have to consider around using mobile devices. I'm going to consider mobile devices for us today to be a laptop, a tablet, a phone, or a smartwatch. We have to be very cognizant of all of the rules around these mobile devices.

Every practice needs to consider if they want to allow, by policy, their staff to access ePHI on mobile devices that the facility or practice does not own? That's your first decision. If you do allow that, then you need to make policies around those two separate pathways. Many entities that work in large medical facilities would never allow people to access ePHI on a personal device. They have a lot of rules around that and you have to log into a portal to be able to do anything using multi-step authentication. You have to determine what the rules are for your practice. Let's say you are allowing access to ePHI on a mobile device. You need to make sure that you use a password or user authentication. There have to be steps to be able to open the device itself before getting into the software. The first step is having to use a password to get into the laptop or other device.

You need to enable and install encryption. We should not be communicating any ePHI to any entity, including the patient, without going through an encrypted service. You can communicate with the patient about an appointment. You can communicate with the patient about services they need, such as a COVID test, what your policies are, or reminders. But you cannot communicate any ePHI, any test results, or anything specific to that patient without going through an encrypted service.

Install and activate remote wiping and/or remote disabling. I am an Apple person, so that's what I'm going to give an example of. Essentially,  that's where you find your iPhone and you kill your iPhone remotely. At any point in time, you can go to a third-party site and literally make that device a brick so that it doesn't actually function anymore. That's what you need to be able to do. If you have a device that is transmitting or storing ePHI, you need to be able to remotely shut that device down and remotely wipe it.

Disable and do not install or use file-sharing applications, such as Dropbox that multiple people, including people outside your facility, can access or utilize. This is especially important in your home or other location. You don't want to use file sharing when you're communicating about ePHI. The entity that might be file sharing with you may not be allowed access to that ePHI. The rule of thumb is to turn off all file sharing unless you're keeping everything internal-only in your practice. 

Install and enable a firewall as well as security software, such as Norton or another protection software. Keep your software up to date. When your service vendor provides a software update, whether that's Microsoft, Android, or Apple with an iOS update, make sure you download it and keep your software updated. Many times the iOS updates are around bugs and security fixes. That's why you always want to keep that up-to-date and current.

Maintain physical control. If you have a device that you're traveling with that stores or transmits ePHI, you want to make sure you keep that device on your person as much as possible. If you are doing work and accessing ePHI, you should not be on a public Wi-Fi network, whether that's at the library, Starbucks, or in your own hospital. You should never be doing report writing or communicating with your patients or anything that involves protected health information on a public unsecured network. Make sure that before you recycle a laptop, a tablet, your watch, or a phone you have completely wiped that device. Delete everything off the device before it's either recycled or destroyed. 

This Ask the Expert is an edited excerpt from the course, HIPAA for Allied Health Professionals, presented by Kim Cavitt, AuD.


kim cavitt

Kim Cavitt, AuD

Kim Cavitt, AuD was a clinical audiologist and preceptor at The Ohio State University and Northwestern University and has served as an Adjunct Lecturer at Northwestern and Western Michigan Universities. Since 2001, Dr. Cavitt has operated her own Audiology consulting firm, Audiology Resources, Inc. Audiology Resources, Inc. provides comprehensive operational, compliance and reimbursement consulting services to hearing healthcare providers. She is a Past President of the Academy of Doctors of Audiology (ADA), serves as the Chair of the State of Illinois Speech Pathology and Audiology Licensure Board, is Vice President of Government Relations for the Illinois Academy of Audiology and serves on committees through ADA and ASHA. 


Related Courses

HIPAA for Allied Health Professionals
Presented by Kim Cavitt, AuD
Video

Presenter

Kim Cavitt, AuD
Course: #1461Level: Introductory1 Hour
  'The speaker was very knowledgeable and engaging; she gave great examples and provided a lot of links and references'   Read Reviews
The foundations of HIPAA Privacy, Security, Breach Notification, and Marketing requirements and guidelines. HIPAA requirements and considerations for telehealth are also covered. This introductory course is intended for new hire trainings as well as for annual review.

Obstructive Sleep Apnea and Anxiety: What is the Connection?
Presented by Kelvin Imo, DDS, IAOS-Diplomate Candidate
Video

Presenter

Kelvin Imo, DDS, IAOS-Diplomate Candidate
Course: #1536Level: Introductory1 Hour
  'none at this time'   Read Reviews
Evidence in current research suggests sleep apnea and anxiety are connected, creating ongoing consequences for an individual's quality of life if left untreated. The course discusses the interrelationship between the two disorders and the recognition of high-risk groups for practitioners providing care.

Alzheimer’s 101: An Overview for Healthcare Professionals
Presented by Megan L. Malone, MA, CCC-SLP, Jennifer Loehr, MA, CCC-SLP
Video

Presenters

Megan L. Malone, MA, CCC-SLPJennifer Loehr, MA, CCC-SLP
Course: #2048Level: Introductory2 Hours
  'Lots of great info'   Read Reviews
An overview of dementia, Alzheimer's disease and related disorders for healthcare professionals. Strategies for assessment and diagnosis, improving communication with patients, understanding and managing behavioral challenges, care planning and promoting independence are discussed. Methods for supporting family and caregivers are also described.

Respiratory Therapy Without Borders, An International Perspective
Presented by Dorothy Honny Bendah, BS, RRT
Video

Presenter

Dorothy Honny Bendah, BS, RRT
Course: #1794Level: Introductory1 Hour
  'My nephew is from Ghana and I started my RT training at KUMC in 1970 so could understand the training with limited means we had NO textbook, limited instructors and trying to get respect from other hospital personnel'   Read Reviews
There was a dire need to demonstrate the relevance of respiratory care in The heat of the COVID-19 pandemic which saw an increase in demand for respiratory therapists in Ghana. The course introduces the unique formation of the Ghana Association for Respiratory Care (GARC), in collaboration with the international Council for Respiratory Care (ICRC), highlighting the contributions respiratory therapists make to the multidisciplinary team of healthcare professionals.

Effective Conflict Management Between Multidisciplinary Teams
Presented by Mira Rollins, OTR/L
Video

Presenter

Mira Rollins, OTR/L
Course: #1539Level: Introductory1.5 Hours
  'clear concise communication with specific steps'   Read Reviews
This course gives practical techniques to effectively manage conflict in health care resulting from high stress, fast-paced and demanding work environments. The course offers support and solutions for all levels of employers, including support staff, assistants, clinicians, and management.

Our site uses cookies to improve your experience. By using our site, you agree to our Privacy Policy.