Mobile devices have become one of the largest causes of HIPAA data breaches in the country. They are easily lost or stolen, and they often contain sensitive information that has been sent or received by the owner. To help prevent potential sensitive data breaches, we recommend the following procedures:
- DO NOT send any type of sensitive data to text pagers. Text pager message traffic is very easily monitored by publicly available Web sites. A lost or stolen text pager that contains sensitive data could result in a breach notification (HIPAA violation). If a text page containing sensitive information MUST be sent, please delete that message from the text pager as soon as possible. Since we can’t control what someone might send to your text pager, please delete any messages you receive that contain sensitive information as soon as possible after receipt.
- You may send text messages containing sensitive data to PDAs (cell phones that are able to use text messaging and send or receive e-mail). The frequencies that text messaging devices use are far more secure than the frequencies used by text pagers. In addition, it is illegal to monitor the text messaging frequencies. However, to prevent a breach, delete messages as soon as possible or encrypt your memory card. We recommend you delete the message immediately after sending or receiving the text or e-mail. We do not have recommendations on encryption options at this time because each brand and model may use different encryption methods. Consult the user manual for your device for more information, as many devices have a built-in encryption capability that you can opt to turn on. There is also a great deal of information available on the internet.
It is important to know what to do if your pager, PDA or any other media storage device is lost or stolen:
- For HCA/HealthONE-owned text pagers or PDAs, report the incident to the Facility Information Security Official (FISO), Facility Privacy Official (FPO) or the Ethics and Compliance Officer (ECO) at the facility that provided the device.
- For devices owned by you or your office, report the incident to your office manager or the individual who manages the privacy of your practice’s patient information.
- For numbers or email addresses that you use regularly, it is recommended to program them into your device’s address book. This will ensure that typos are not entered when paging, texting or emailing information and that information is not inadvertently sent to the wrong phone/person. This will also ensure that you know who is sending you information. Until the sender’s information is programmed into the phone, only the number is displayed, not the sender’s name.