

Your Mobile Device and Health Information Privacy and Security

  • Authors: Leon Rodriguez, JD; Farzad Mostashari, MD, ScM
  • CME Released: 9/13/2013
  • Valid for credit through: 9/13/2014


As an organization accredited by the ACCME, Medscape, LLC, requires everyone who is in a position to control the content of an education activity to disclose all relevant financial relationships with any commercial interest. The ACCME defines "relevant financial relationships" as financial relationships in any amount, occurring within the past 12 months, including financial relationships of a spouse or life partner, that could create a conflict of interest.

Medscape, LLC, encourages Authors to identify investigational products or off-label uses of products regulated by the US Food and Drug Administration, at first mention and where appropriate in the content.

Accreditation Statements

    For Physicians

  • Medscape, LLC is accredited by the Accreditation Council for Continuing Medical Education (ACCME) to provide continuing medical education for physicians.

    Medscape, LLC designates this enduring material for a maximum of 0.25 AMA PRA Category 1 Credit(s)™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.

    Medscape, LLC staff have disclosed that they have no relevant financial relationships.

    Contact This Provider

For questions regarding the content of this activity, contact the accredited provider for this CME/CE activity noted above. For technical assistance, contact [email protected]

Instructions for Participation and Credit

There are no fees for participating in or receiving credit for this online educational activity. For information on applicability and acceptance of continuing education credit for this activity, please consult your professional licensing board.

This activity is designed to be completed within the time designated on the title page; physicians should claim only those credits that reflect the time actually spent in the activity. To successfully earn credit, participants must complete the activity online during the valid credit period that is noted on the title page. To receive AMA PRA Category 1 Credit™, you must receive a minimum score of 75% on the post-test.

Follow these steps to earn CME/CE credit*:

  1. Read the target audience, learning objectives, and author disclosures.
  2. Study the educational content online or printed out.
  3. Online, choose the best answer to each test question. To receive a certificate, you must receive a passing score as designated at the top of the test. We encourage you to complete the Activity Evaluation to provide feedback for future programming.

You may now view or print the certificate from your CME/CE Tracker. You may print the certificate but you cannot alter it. Credits will be tallied in your CME/CE Tracker and archived for 6 years; at any point within this time period you can print out the tally as well as the certificates from the CME/CE Tracker.

*The credit that you receive is based on your user profile.


Your Mobile Device and Health Information Privacy and Security



  • Leon Rodriguez, JD: Hello, I'm Leon Rodriguez, Director of the Office for Civil Rights at the United States Department of Health and Human Services. I would like to welcome you to this program titled "Your Mobile Device and Health Information Privacy and Security." With me today is Dr Farzad Mostashari, National Coordinator for Health Information Technology. Welcome, Farzad.

    Farzad Mostashari, MD, ScM: Nice to be here, Leon.

  • Slide 1.
  • Mr Rodriguez: Farzad, I want to share with our audience the goals of this program. They are to review their obligations under the HIPAA Security Rule to safeguard their patients' electronic protected health information (ePHI), to highlight tips for ensuring that ePHI is secure on mobile devices and finally, to identify resources where they can find more information on compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

    Farzad, I thought it might be interesting in your role as National Coordinator for Health Information Technology to talk about the growing importance of mobile devices in today's medical practice.

    Dr Mostashari: Absolutely, Leon. These devices are great. Our patients use them, we use them in our own lives, and we are now beginning to use them more and more as part of delivering health care. They're always with us, they are connected to the Internet, and they are a platform on which all sorts of applications and services could be loaded. That is what makes them so powerful. Each of those items -- the fact that we take them around with us, the fact that they are connected to the Internet, and the fact that they can put all different sorts of applications on top of this platform -- also introduce risks.

  • Slide 2.
  • Mr Rodriguez: What we're going to talk about today is the idea of patient trust. Maybe you can talk a little bit also about how patient trust fits into the equation of being able to use these mobile devices.

    Dr Mostashari: Absolutely. Patients expect that their healthcare providers are going to keep their information private and secure. We also know that those covered entities and their business associates are required to be in compliance with the HIPAA Security Rule. Mobile device security is your obligation; know the risks, take the steps, secure and protect your patients' health information.

    Mr Rodriguez: We are going to show a short video that is going to illustrate the kinds of ways in which ePHI can be placed at risk.

  • Slide 3.

Data at Risk

Doctor on phone in car: "No, go ahead and just get a table. I'll be right there. I just need to check to see if my patient's lab results have come in."

[The doctor leaves her laptop in the trunk of her car. The scene changes to the arrival of a police car following the theft of her computer.]

Police officer: "Sorry, doctor. We'll do everything in our power to recover your property. Understand we will be starting a criminal investigation."

Doctor: "I understand. What's our next step?"

Police officer: "I'm going to need as much information as possible about your laptop -- make, model, serial number, what kinds of records were on it."

Doctor: "All my patients' information was on it."

Police officer: "OK. You need to notify your security personnel at your medical group or hospital. Patient health information may be at risk now."

Doctor: "I don't understand how this could happen. It was only a few minutes for lunch."

Dr Mostashari: Leon, what happens next?

Mr Rodriguez: Well, from our perspective, there are a bunch of steps that this provider will now need to take. The first is they are going to need to engage in what we call "breach notification."

That means they need to submit a notification to our office and to the affected patients that their health information is now at risk. The only way they can avoid that is if the information is what we call unreadable, unusable, or undecipherable.

Dr Mostashari: If that were an encrypted laptop, would they have to do the breach notification reports?

Mr Rodriguez: Then the matter would be done and they would not have to report to us.

Dr Mostashari: What if it is over a certain number of records that are breached?

Mr Rodriguez: Then the standards are different. If it is over 500, they not only need to report to us and to the patients, but also to the local media, and we conduct an investigation as we would with any complaint that our office receives. If it is a smaller breach, then we simply collect that information. Some of those result in an investigation but not all of them.

Dr Mostashari: I can tell you as a doctor, that is not something I would look forward to doing -- alerting the media and my patients -- but as we learned in medical school, sometimes an ounce of prevention is worth a pound of cure.

Mr Rodriguez: Well, these mobile devices are a particular area where that lesson applies. Along the lines of your point about an ounce of prevention being worth a pound of cure, let’s talk about that risk analysis process for mobile devices and let's start by the first step, which is evaluating the risk itself. Why don't you talk about that a little bit?

  • Dr Mostashari: When reviewing your HIPAA compliance related to mobile devices, organizations in healthcare should consider the following questions:

    • Who owns the devices?
    • Are personal devices that are used at work registered?
    • Are you using a virtual private network (VPN) to exchange information so the information does not actually reside on the device? (Once the connection is broken, there is no information stored.)
    • Do you back up personal health information from the mobile devices onto the servers?
    • Can you remotely wipe off the devices if they are lost or compromised?
    • Have your policies and procedures been updated to address mobile devices?
    • Finally, is your workforce properly trained?

    Mr Rodriguez: I would like to expand on a couple of the points that you highlighted. When we are talking about who owns the devices, there is obviously a different level of control if the device is owned by an individual employee or a physician or if it is actually a device owned by your enterprise, so you can control the nature and content of that device. Wiping off devices is not a concept that I think everybody knows. Many devices these days have an ability to actually erase anything that is on that device from a remote location. That provides a critical added level of security if that device is lost or stolen.

  • Slide 4.
  • There are some best practices if a device is lost or stolen, which you can engage to minimize those sorts of risks. One, of course, is password protection or some other key in order to disable access by a third party that does not have the authority to use that device. You can also have a device deactivated after a period of time -- the kind of thing that happens when your screen saver comes on your computer. Providers are counseled to avoid storing data actually on the device.

    Dr Mostashari: That's the safest thing.

    Mr Rodriguez: These days with cloud computing with servers, there are ways to remotely store data so if the device becomes compromised, it does not actually reach the data.

    Depending on who you are, your level of resources, and what kind of organization you are in, another option is to encrypt the device. When we talk about encryption, it basically means scrambling the data on the device and then having some sort of electronic key that will let the right person unlock the device. That may not always be the right solution for every enterprise but it is certainly something we encourage.

    We talked about wiping technology before -- that is an important best practice and relatively easy to use. We also encourage enterprises to either disable file sharing or to not use it at all and finally to install or enable firewalls that prevent other sorts of invasions into critical information. I think you have some additional best practices that you might like to talk about.

  • Slide 5.
  • Dr Mostashari: That's right. It is always important to install and enable security software and keep that security software up to date. It is important not to just download apps without doing a little research on the security of those applications. Maintaining physical control of the devices is very important and it can be tempting to click on the free Wi-Fi, but be aware that when you are logging into public Wi-Fi, it is a vulnerability -- it is potentially pretty simple to eavesdrop electronically on the information spilling back and forth on your device. Finally, if you are going to reuse or discard a device, make sure you delete all stored data, in particular, any personal health information if any is stored before discarding or gifting the device.

    Mr Rodriguez: I might like to underscore that last point. It is something that we see a lot of in the Office for Civil Rights, in which you return either a leased device or a piece of equipment or you stop using it but you fail to get rid of the information on there. A lot of times that puts that information right out in the public domain. Recently, we resolved a case in which a physician's practice returned a digital photocopier that was then leased to a major network and the network discovered all kinds of easily accessed protected health information on that device. That shows how important that point you just made is.

  • Slide 6.
  • There is a common-sense, 5-step process for developing a policy to protect mobile devices. The first, of course, is deciding what you want to do about how you use mobile devices. Why don't you elaborate on that a bit?

    Dr Mostashari: That's right. First of all, plan ahead. Decide to what extent and how mobile devices are going to be used to access, receive, transmit, or store patient health information, and how they are going to be used as part of your organization's internal networks and other systems, like your electronic health record systems. It is really important to understand and to mitigate the risks to your organization before you allow the use of mobile devices.

    Mr Rodriguez: The critical thing here is we are not discouraging people from using the devices but we are asking to be mindful about the manner and extent to which they are going to use those devices.

    Dr Mostashari: That's right: Be thoughtful.

  • Slide 7.
  • Mr Rodriguez: The second step -- once you have decided where and how and in what manner you are going to use those devices -- is to make an assessment of the risks that those devices may present. You want to think both in terms of the risk that resides on the devices and how that risk fits in the overall picture of the health information that your organization holds. That requires you to conduct a risk analysis. When we talk about risk analysis we are really talking about looking at what information is stored, how that information may be vulnerable, what threats there may be to that vulnerable information, and the probability of those threats coming to pass.

    How you conduct that risk analysis is going to depend on who you are and what kind of practice you have. If you are a solo provider, you might conduct that risk analysis on your own. If you work in a larger organization, maybe a multiphysician practice or even in a hospital, then your organization or an office manager might be the one who is going to conduct the risk analysis.

    The next critical step is to identify the strategy.

  • Slide 8.
  • Dr Mostashari: Once you have assessed what the risks are, then you have to identify what your risk management strategy is going to be, including privacy and security safeguards. One thing to make sure everyone understands is that whatever your strategy is, it needs to provide for evaluation of that strategy and ongoing maintenance of the mobile device safeguards you have in place.

    Mr Rodriguez: The key at this stage is to know what you have. Where is the electronic health information stored? It is not always in obvious places. We think about our computer systems, we think about those tablets we might be using, but it also might be on a piece of medical equipment. It might, in fact, be on a device that you might carry out portably. It might also be on mobile devices that a patient may, for a variety of reasons, end up carrying. You need to be aware of all those possible locations for health information and do a proper risk analysis to make sure you maximize the level of protection.

    Dr Mostashari: One thing, Leon, that I would highly recommend to providers is to never let someone stick a USB drive into your servers or your computers. That is a classic way they end up getting infected. In addition to the kind of mobile devices we are talking about, all those thumb drives and USB drives carry real risks.

    Mr Rodriguez: That 20-second lapse of letting somebody invade -- that could significantly compromise your patients' information.

  • Slide 9.
  • You've done the assessment, you've thought about what kind of steps you want to take, now it's time to actually develop, document, and implement. Before I get into the details, I want to talk about that middle word, "document." As you know, we in the Office for Civil Rights are an enforcement organization. We conduct investigations and the first thing we look at is documentation. What does the paperwork say about what an organization did to protect its patient information? I am often fond of saying that it is a lot like fifth-grade math. ...

    Dr Mostashari: Show your work, right?

    Mr Rodriguez: The most important thing, that is absolutely right, is to show your work. First, you need to have a documenting mobile device management policy. You need to talk about how you are going to inventory those devices, what's on those devices, and what those devices are. That also means being aware, not only of the devices that you own, but the devices that your employees own, and on which device your information may either reside or pass through.

    You need to decide whether you are even going to allow your employees to utilize their own devices as part of your practice. You need to think about what restrictions you may want to impose on mobile use and what security configurations and technical controls you may want to place. We do not prescribe those as a matter of the HIPAA Security and Privacy Rules; these are industry standards. The National Institute of Standards and Technology has some clearly articulated standards but because we recognize that we are speaking to a lot of different kinds of environments, we do not prescribe specific security and technical controls.

    Thinking about information storage, you want to avoid having patient information on those mobile devices all together. You want them in a server or in a cloud location or something like that. You need to think about how you are going to recover a device that might have been compromised, stolen, or lost.

    Dr Mostashari: You need to deactivate it.

    Mr Rodriguez: Yes, how are you are going to deactivate that device? Finally -- this is not always the most comfortable thing -- you need to think about workforce sanctions. You are a physician and you understand that it's not just about you living by these rules but it is about your staff in your office understanding that they are going to be held accountable for the consequences and rules. That goes to the next concept of training. I think you have some tips to share with us as to how you would accomplish that.

  • Slide 10.
  • Dr Mostashari: What we find in implementation of any sort of change within the practice and software and security is that there needs to be ongoing awareness and training. When it comes to privacy and security, there needs to be ongoing training around the risks when using mobile devices so people understand the vulnerability and the threats. You need to understand and train folks on how to physically secure the mobile devices so the chances of them being lost or stolen are reduced. We see this a lot where they're not locked up, not kept secure.

    Then, how about the information on the device? If any personal health information is on the device, it really should be protected and secured, encrypted, for example. In general, staff members need to know how to avoid common mistakes when using mobile devices like downloading apps or going to websites that are more likely to be infected.

    Mr Rodriguez: I appreciate you alluding to the idea of these are common-sense steps. There's nothing exotic, nothing hyper-technical. We're really talking about common steps that you would take in your ordinary day-to-day life to protect anything that you want to protect.

  • Slide 11.
  • Let's summarize a bit. A point that I would like to make is that the HIPAA Privacy and Security Rules are meant to be more than binders on a shelf. They're meant to be a living, breathing process.

    Dr Mostashari: It is also part of "meaningful use." I know a lot of providers are engaging and moving toward the meaningful use requirements and it does require that you pay particular attention to documenting your security assessment in light of the changes that are taking place, keeping that up to date, and reviewing and mitigating any risks that would be found.

    Mr Rodriguez: This all takes diligence. It is not meant to overwhelm your practice but there is a little work involved. It is critical because it is all about your patients' trust, as you have said.

    We have a lot of information that our offices have made available to providers. That can be found at Mobile Health Security: Mobile Health Device Privacy and Security, a wonderful tool that I recommend providers visit. Our own website, the HHS Office for Civil Rights contains additional detailed tools and guidance.

    Farzad, it was a real treat working with you today and discussing this topic.

    Dr Mostashari: Thanks for the partnership.

  • Slide 12.
  • Mr Rodriguez: Thank you all for participating in this activity. You may now take the CME posttest by clicking on the "Earn CME Credit" link. Please also take a moment to complete the program evaluation that follows.

  • Slide 13.

This transcript has been edited for style and clarity.
