Mobile device security: Protecting our patients’ protected health information

At Texas Children’s, we strive to be leaders in patient care, education and research. One of our obligations as leaders is to stay mindful of the sensitivity of the information at our fingertips. We have a duty to our patients and our Health Plan members to access, use and maintain their Protected Health Information (PHI) in a responsible manner.

Mobile devices, such as laptops, smartphones, tablets and thumb drives, are important tools for today’s busy workforce. However, the technology that delivers these advantages also represents a significant risk to PHI. In fact, most breaches of PHI reported to the Office of Civil Rights, the federal agency that enforces privacy regulations, are related to the theft or loss of mobile devices.

Federal Enforcement

Following a breach of unsecured PHI, federal law requires organizations to notify the impacted patients, the Office of Civil Rights (OCR), and in cases involving more than 500 patients, the media. In some cases, OCR has levied substantial fines against institutions.

  • The University of Mississippi Medical Center agreed to pay $2.75M after it reported a stolen laptop that led to a breach of unsecured PHI affecting approximately 10,000 patients.
  • Lahey Hospital and Medical Center agreed to pay $850,000 after it notified OCR that a laptop was stolen from an unlocked treatment room. The hard drive contained the PHI of 599 individuals.
  • Massachusetts Eye and Ear Infirmary settled a case for $1.5M after reporting the theft of an unencrypted personal laptop.

We are not immune from these risks. Just recently, a Baylor College of Medicine/Texas Children’s Hospital physician’s personal laptop was stolen from his car. The physician had stored information on approximately 100 patients on the device. While the laptop was not encrypted with Texas Children’s Hospital- or Baylor College of Medicine-approved software, it happened to have other encryption software installed, which prevented us from having to notify the patients and OCR. We were fortunate in that circumstance, and we can’t rely on continued good luck when it comes to the protection of our patients’ and Health Plan members’ information.

Privacy safeguards

Protecting PHI takes a multi-pronged approach. The following privacy safeguards should be cemented into your daily routine.

Mobile device safeguards

  • Mobile devices must have Texas Children’s Hospital- or Baylor College of Medicine-approved encryption software installed
  • Do not put PHI on flash drives, memory cards, other unencrypted devices or open-access devices
  • Maintain your personal mobile devices by installing anti-virus software and security updates
  • Do not transmit PHI using unsecured, public Wi-Fi networks
  • Use strong passwords and screen locks
  • Download applications only from trusted sources
  • Do not store PHI on your personal device

Tip: The safest way to access PHI is by using the Texas Children’s remote capability: https://remote.texaschildrens.org. This feature allows registered users to remotely access the Texas Children’s secure network (e.g., from your home computer or mobile device).

Physical safeguards

  • Do not leave mobile devices unattended (e.g., in your car), even if only for a few minutes
  • Never share your password or allow others to access your sign-on
  • Lock your mobile device when not in use

Other privacy safeguards

  • Do not leave documents containing PHI unattended (e.g., in your car)
  • Be mindful of where you have sensitive conversations with colleagues and patients

Remember! The best practice for remotely accessing patient or Health Plan member PHI is via the Texas Children’s remote portal.

Contact us

If you have questions about mobile device security, please contact the Texas Children’s Compliance and Privacy Office at 832-824-2085 or via email at compliance@texaschildrens.org.