
Monitor Mobile Devices to Ensure Patient Privacy (or Pay the Price!)

Oct 30, 2013 10:00AM ● By MED Editor

Mobile devices have become an essential part of healthcare delivery, with nine out of ten physicians and mid-level practitioners using smartphones or tablets at the point of care, according to a report from Physicians Practice.

While the impact of mobile devices on quality of care lacks research, the impact on patient privacy is unquestionable. If lost or stolen, mobile devices pose a major risk for patient data breaches – which can cost clinicians and their employers big time.

In January 2013, the Department of Health and Human Services announced its aim to better protect patient privacy and safeguard patients’ health information. When the final omnibus rule went into effect, the HHS Office for Civil Rights began enforcing—quite vigorously—the new HIPAA privacy and security rules. From unencrypted devices being lost or stolen to employees snooping in patient medical records, the OCR is penalizing healthcare organizations for patient data breaches with hefty fines worth millions of dollars.

To prevent a patient data breach, consider these best practices for mobile device use at your facility:

Ownership. A breach of PHI is less likely when a facility owns its employees’ mobile devices and requires that certain password and privacy settings be followed, suggests the National Federation of Independent Business. Consider putting an employee agreement in place regarding expectations for minutes, reimbursement and personal use.

Training. Your internal policies and training regarding HIPAA adherence must be all-encompassing and well documented. If a patient data breach or HIPAA violation occurs, your organization can be found liable—even if an employee is responsible—if you do not outline appropriate use of mobile devices.

Encryption. If a device is lost or stolen and not encrypted (whether it is owned by the facility or the employee), OCR will likely fine the employer. Most mobile devices have built-in encryption capabilities, or you can buy and install more advanced encryption tools to protect information sent by and stored on phones and tablets.

Security. Other methods to secure PHI include using a password and activating a screen lock after the device has been idle for 60 seconds. In addition, disable file-sharing applications and keep your security software up to date. It’s also smart to use adequate controls when accessing Wi-Fi.

Social media. Eliminate the temptation to tweet about an ill-mannered patient or post a photo of a patient’s broken extremity by banning social media apps on mobile devices. If identifiable patient information is released in this manner, you can expect a fine from OCR. Other consequences include employee termination, decreased patient satisfaction scores and even a class-action lawsuit.

Tana Phelps is a marketing specialist at Cassling, a Midwest healthcare company that provides local imaging equipment sales and service, and marketing and professional services.