Privacy and Security Mobile Device Project launched

March 1, 2012

Physicians using smartphones and other mobile devices to access patients' electronic health records are increasingly at risk for data breach, but a new initiative from the Office of the National Coordinator for Health Information Technology (ONC) of the US Department of Health and Human Services (HHS) may allay some fears about possible violations of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

In January, ONC's Office of the Chief Privacy Officer announced initiation of the Privacy and Security Mobile Device Project in conjunction with the HHS Office for Civil Rights to develop security best practices for personal mobile devices that are used outside healthcare facilities considered "Covered Entities" under HIPAA to access, store, or work in protected health information files. Devices include laptops, tablets, smartphones, personal data assistants, and data storage devices (such as USB drives). The goal is to help healthcare professionals to secure information from cyber attack or data loss without compromising the convenience of remote access.

Developed by a team of cybersecurity and healthcare subject matter experts, ONC's Cybersecurity Checklist, "10 Best Practices For The Small Healthcare Environment," comprises administrative, technical, and physical safeguards with specific, practical steps for implementation. Best practices discussed include password choice and protection (as well as forgotten passwords), virus detection and antivirus software, firewalls, accessing HIPAA-protected information, controlling physical access, limiting network access, disaster planning, maintaining good habits of computer use, mobile device protection, and creating a security culture.