The decision to allow mobile devices to access and/or store PHI is a critical one. The ease of access to the information must be balanced against the danger that arises if the device is lost or stolen, which is far more likely to happen to phones, tablets, and laptops.
If you decide to allow mobile devices to access or store PHI, you must implement and document safeguards to protect the PHI in the event of loss or theft.
Here are some best practices to follow when using mobile devices.
1. Maintain a log that records who is responsible for each device, a description of the PHI on the device, the encryption method used on the device, and the purpose for which the device is leaving the facility.
2. Approve all mobile devices to ensure proper security features (encryption, screen lock, mobile tracking, etc.) are installed before any mobile device is permitted to access PHI.
3. Identify who is to be notified, and how, in the event a mobile device is lost or stolen. Ensure everyone who uses a mobile device to access PHI knows whom to contact and how, should the need arise.
4. Encrypt all PHI stored on mobile devices.
5. Ensure that all PHI contained on a mobile device is removed or the device is destroyed when it is decommissioned.
If implemented properly, these five steps can allow your organization to deploy mobile device technology responsibly, and potentially save it from a large fine. Failing to deploy proper safeguards, regardless of whether you are a Covered Entity or a Business Associate, puts your organization and individuals' sensitive information at unnecessary risk.