Mobile Devices in Healthcare
Today, mobile devices and Internet of Medical Things (IoMT) devices are more powerful and hold more information than ever before, and they pose heightened security risks.
This includes your smartphone, tablet, medical device (medical equipment storing electronic protected health information [ePHI]), and any other type of equipment that provides convenient access to your computer, ePHI, email, banking and social media accounts. Unfortunately, it could also provide the same convenient access to hackers.
Healthcare organizations, Covered Entities (CEs) and Business Associates (BAs), rely heavily on these devices to create, receive, maintain, or transmit ePHI. They must include them in their enterprise-wide risk analysis and take action(s) to reduce the risks identified to a reasonable and appropriate level. See 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).
Additional risks when using mobile devices for PHI
Due to their small size and portability, mobile devices are at a greater risk of being lost or stolen. A lost or stolen mobile device containing unsecured PHI could lead to a breach, triggering HIPAA breach notification obligations for a CE and/or their BAs.
Additional risks arise, and extra precautions should be taken, when personal mobile devices are used to store or access PHI. Permitting the use of personal mobile devices must be included in the risk analysis and requires the implementation of security measures sufficient to reduce those risks. If an organization prohibits the use of personal mobile devices for work activities (especially those activities involving PHI), policies that make the prohibition clear should be in place and enforced.
Did you know?
Unauthorized access to information on mobile devices is not limited to nefarious actions by malicious software and/or hackers; it can also originate from more mundane applications. A seemingly harmless mobile app or game may be granted access to your contacts, pictures or other information on your device and send such data to an external entity without your knowledge.
As mobile devices are increasingly and consistently used by CEs and BAs and their workforce members to store or access PHI, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure PHI remains protected. See 45 C.F.R. § 164.306(e).
Mobile Device Default Settings
Mobile devices, like many other computer systems, may be delivered by third-party vendors with default settings, such as preset passwords or outdated firmware, that create vulnerabilities. Such default settings may also enable automatic connectivity to unsecured Wi-Fi, Bluetooth, cloud storage, or file sharing network services.
Organizations should take steps to ensure that mobile devices are properly configured and secured BEFORE allowing the device to create, receive, maintain, or transmit PHI. Additionally, workforce members should be trained in the proper, secure use of mobile devices to store or access PHI.
Training
Training should include educating workforce members on the dangers of using unsecured Wi-Fi networks, such as public Wi-Fi offered in airports and coffee shops, as well as unsecured cloud storage and file sharing services.
Workforce members should also be trained on the risks of viruses and malware infecting mobile devices. Just as with other computer systems, malicious software that infects a mobile device could give unauthorized individuals access to the device, which could result in a breach of PHI.
Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and that patients expect those details to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?