• Print

Mobile Device Privacy and Security

Frequently Asked Questions

  1. Overview of Privacy, Security, and Mobile Devices
    If you are a covered entity or a business associate, yes. HHS OCR has detailed information explaining who is a covered entity. In general, individuals and organizations that meet the definition of a...
    The United States Government Accountability Office (GAO) recently issued a report to Congress called,  “Information Security: Better Implementation of Controls for Mobile Devices Should Be...
    The United States Government Accountability Office (GAO) recently issued a report to Congress called  “Information Security: Better Implementation of Controls for Mobile Devices Should Be...
    Risks (threats and vulnerabilities) vary based on the mobile device and its use. Some risks may be: A lost mobile device, A stolen mobile device, Inadvertently downloading viruses or other malware,...
    The Mobile Device Privacy and Security subsection of HealthIT.gov contains privacy and security tips and information to help protect and secure health information. Here are some important privacy...
  1. Mobile Device Ownership (BYOD vs. Organization-Provided)
    You must comply with the policies and procedures of the organization whose internal network or system you are accessing with your mobile device. Read the organization's mobile device policy. Take any...
    Follow the policies of the organization whose internal network or system you are accessing with your mobile device at any given time. Read each organization's policies and procedures for mobile...
    The organization should have policies and procedures in place for terminating access to health information when employment ends, the provider, professional or staff are no longer credentialed at the...
    The main difference is the policies and procedures that set the rules for your use of the mobile device. Many things are the same: the risks involved with using mobile devices and your responsibility...
    You may have heard the term "BYOD" which means "Bring Your Own Device." BYOD refers to using a personally owned mobile device for work. Many organizations have centralized security management to...
  1. Location of Mobile Device Use
    Be aware of where you are when using a mobile device, as well as the connection you are using to send, receive or access health information with your mobile device. The Mobile Device Privacy and...
    Here are some key tips for working remotely: Lock the screen of your mobile device and keep it in a secure location when you are not using it. Don’t let people around you see the numbers, letters,...
    Here are some key tips for working onsite: Lock the mobile device screen when not in use Keep the mobile device with you Activate automatic logoff or mobile device screen lock after a short time...
    Here are some key tips for using a mobile device in a public space such as a coffee shop or an airport Don't let people around you see the numbers, letters, symbols or pattern as you enter your...
  1. Using a Mobile Device to Communicate
    If your organization’s policies and procedures allow you to communicate with patients using a mobile device, and you choose to do so, consider using your mobile device to send a message that the...
    The risk of using a public wired Internet connection is that information can be intercepted in transmission between the mobile device and the system connection. When you transmit health information...
    Email by its very nature uses an unsecure protocol. There are a number of risks, including the possibility of data interception. However, there are a number of email encryption solutions that make...
    It depends. Text messages are generally not secure because they lack encryption, and the sender does not know with certainty the message is received by the intended recipient. Also, the...
    Bluetooth is an open standard for short-range radio frequency communication. If your mobile device has Bluetooth capability, turn off or set the Bluetooth connection capabilities to “nondiscoverable...

  1. Electronic Health Record/Health Information Exchange Access Using a Mobile Device
    The owner of the EHR system or HIE sets the policies and procedures that apply to that system. To follow those policies and procedures, you may have to have certain security safeguards or...
  1. Backing Up Data Stored on a Mobile Device
    The specific technique for backing up data from a mobile device to a secure server depends on the type and operating system of the mobile device you are using and the security configurations of the...
  1. Mobile Device Disposal
    Yes, but only after removing the electronic protected health information (ePHI) stored on the mobile device, or destroying the mobile device itself before disposing of it. The HIPAA Security Rule...
  1. Mobile Device Security Incident Reporting
    Follow your organization’s mobile device policies and procedures. Report security incidents immediately to the appropriate person in your office or organization following the organization’s security...
  1. Mobile Device Passwords
    A password policy is a set of rules designed to increase mobile device privacy and security by encouraging users to create and use strong passwords. Because of the sensitivity of health information,...
    Tips for protecting passwords include: Do not reveal or share your password with anyone else Do not write down your password Do not communicate your password by e-mail, instant messaging, or texting...
    A strong password is one that is easy for you to remember and hard for anyone else to guess. A strong password should be at least six characters in length, and should include a combination of upper...
    Try combining three words, changing the uppercase and lowercase letters, and replacing letters with numbers or symbols. Let’s take the words "privacy and security" and look at the different passwords...
  1. Mobile Device Encryption
    CMS’ Stage 2 Electronic Health Record Incentive Programs Final Rule and CMS MU stage 2 guidance explain that eligible professionals or hospitals must conduct or review a security risk...
    The National Institute of Standards and Technology (NIST) has issued FIPS 140-2 [PDF - 1.4 MB], Security Requirements for Cryptographic Modules. FIPS 140-2 refers to the Federal Information...
    Encryption is a method of converting an original message of regular text into encoded text. Read more about encryption on the Mobile Device Privacy and Security website. You can also read HHS OCR’s...
  1. Mobile Device Privacy and Security Video Series
    Dr. Anderson's Office Identifies a Risk, one of the videos in our video series focuses on a fictional office’s experience Identifying and mitigating one mobile device risk. < Back to FAQs
    A Stolen Mobile Device, one of the videos in our video series, explores some preventive measures for safeguarding health information against the risk of a mobile device being lost or stolen. <...
    Can You Protect Patients' Health Information When Using a Public Wi-Fi Network?, one of the videos in our video series , explores some privacy and security risks when transmitting health information...
  1. Definitions for Mobile Device Privacy and Security
    An application (app) is a software program that performs a specific function directly for a user. Applications you can download include games, email organizer tools, note-taking systems, or even EHR...
    Remote disabling enables you to remotely lock or completely erase data stored on a mobile device if it is lost or stolen. If the mobile device is recovered, it may be unlocked. You should make sure...
    For purposes of the Mobile Device Privacy and Security subsection of HealthIT.gov, an “organization” includes: The entity for which a health care provider or professional works A health care setting...
    For purposes of the Mobile Device Privacy and Security subsection of HealthIT.gov, a provider or professional is a person who works with health information. A provider or professional can be a person...
    For purposes of the Mobile Device Privacy and Security subsection of HealthIT.gov, a mobile device is a handheld transmitting device with the capability to access, transmit, receive, and store health...
    If you see https, the session between the web server and the browser on the mobile device you are using is encrypted. You can easily identify web servers that have https configured by looking at the...
    For purposes of the Mobile Device Privacy and Security subsection of HealthIT.gov, “health information” is information about a patient’s medical condition or medical history that can be used to...
    Wi-Fi stands for Wireless Fidelity. It refers to the range of technologies for wireless data networking. Wireless data networking links computers (e.g., mobile devices) without wires (e.g., Internet...
    Remote wipe enables you to remotely erase the data on the mobile device if the device is lost or stolen. If you enable the remote wipe feature on your mobile device, you can permanently delete data...
    A virtual private network (VPN) is built on top of existing physical Internet networks. A VPN provides a secure communications tunnel for information transmitted between the private and public...
    A firewall is a security tool that limits access between networks and/or systems. A personal firewall controls traffic going to and from your mobile device. You can set the security policy. You can...
    Mobile device time-out or automatic logoff locks the mobile device screen or logs you off the network or system after a period of inactivity. When the time-out or logoff feature is activated, no one...
    Security software, such as anti-virus software or anti-spy software, protects against malicious programs such as viruses, spam and malware. A virus is a self-replicating program that runs and...
  1. Submit a Question or Comment
    You can submit a comment or question regarding the Mobile Device Privacy and Security subsection of HealthIT.gov to ONC through onc.request@hhs.gov. We may not be able to answer your question or...
    You can email OCR at ocrmail@hhs.gov. You can also learn more about the HIPAA Privacy, Security and HITECH Breach Notification Rules by visiting OCR’s website. < Back to FAQs

NOTE: The content on the Mobile Device Privacy and Security subsection of HealthIT.gov is provided for informational purposes only and does not guarantee compliance with Federal or state laws. Please note that the information and tips presented may not be applicable or appropriate for all health care providers and professionals. We encourage providers, professionals, and organizations to seek expert advice when evaluating these tips. The Mobile Device Privacy and Security subsection of HealthIT.gov is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. It is also not intended to serve as legal advice or offer recommendations based on a provider’s or professional’s specific circumstances. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.