Mobile devices contribute to PHI breaches

Healthcare providers have gained unprecedented flexibility to collect and access resident and patient data from outside the walls of the facility. New requirements for electronic health records are accelerating the pace of innovation. Along with the increased efficiency and timeliness of action these technologies allow, new risks of compromising protected health information (PHI) have also developed.

David M. Oatway

Data from the Health and Human Services (HHS) Office for Civil Rights, the investigative agency concerned with HIPAA and HITECH Act compliance, show more than 5 million patients had their PHI compromised in 2010. Laptops and other mobile storage and access devices accounted for 59% of the incidents. Twenty percent of the incidents were from business associates, who are now covered under the HITECH Act.

The stakes are higher than ever before with the HITECH Act having increased the monetary consequences of PHI breaches. For instance, Massachusetts General Hospital resolved a “potential” violation of HIPAA Privacy and Security Rules for $1 million on February 14, 2011. (You can learn more about the case specifics at

HHS has also imposed a $4.3 million civil money penalty on CIGNET of Maryland for HIPAA Privacy Rule violations. As you can see, the Office for Civil Rights is serious about protecting an individual’s PHI.


The Minimum Data Set that is completed on residents contains complete medical, social, and mental data on the people being assessed. Unauthorized disclosure of electronic records compromises their privacy to an extent not possible with paper-based records.

Long-term care facilities care for the population most vulnerable to identity theft. Our residents are adults with work histories and Social Security numbers. Many are not able to manage their affairs. So in addition to the risk of compromised PHI, they are also at risk of identity theft. An MDS form contains all of the information needed to fabricate an identity, even down to the person’s nickname. An unsecured laptop, tablet, PDA, or smartphone could harbor a treasure trove of this information. A misplaced backup hard drive or memory stick can also contain thousands of opportunities for identity theft.


The Office for Civil Rights advises covered entities to be extremely cautious in allowing the offsite use of, or access to, electronic protected health information (ePHI). This guidance was written in 2006, before the explosion of mobile devices, but it is still in effect, and is still the best advice. Covered entity security officers must include all ePHI access and storage in their risk assessment and mitigation. Additionally, all ePHI must be secured when at rest, in movement, and in use. This can be more challenging for mobile devices, especially newer devices that offer increased ease of use but may not have the security features necessary to be HIPAA-compliant.


Periodic assessment of all PHI and ePHI is required by HIPAA. Significant emphasis and attention should be directed toward remote access and portable ePHI. All of the standards of the HIPAA Privacy and Security rules apply to remote access ePHI.

If a device does not meet HIPAA standards, it must be either modified or not used to access ePHI. For example, smartphones often have 4-digit “passwords,” far below the common requirement of a strong password of seven characters from upper case, lower case, number, and symbol. The device should not be considered to access ePHI unless secondary access software implements appropriate security.

Specific policies and procedures should be developed for safeguarding ePHI during remote access. Security awareness must be constantly reinforced for all personnel whom are given remote access. All other personnel must be aware of the prohibition for remotely accessing ePHI. This means employees who wish to work from home must obtain the proper permissions, training, and technology to safely do so. Also, the unauthorized copying of data containing ePHI must be prohibited.

Web Resources

HHS Office for Civil Rights

This website has a wealth of information, including the source legislation and regulations discussed in this article. Citations and actions are listed, with the names of the institutions, nature of breaches, and numbers of individuals affected.


Go here for the Advanced Encryption Standard requirements and the listing of validated applications. Presence on this list should be cited by vendors to demonstrate compliance of the technology they propose if they claim to meet the Advanced Encryption Standard.

Yale University HIPAA compliance

This (and many other university websites) has excellent guidance and examples that can be modified for a facility’s use.

It is essential that authorized remote data storage and access conform to appropriate standards, along with written and enforced policies and procedures. Access must be limited to only that information which the individual has a need for in his or her role within the organization.

Laptops, smartphones, data disks, and other mobile devices have been left in taxis, stolen from homes, and otherwise compromised outside of the workplace. Personnel who are custodians of PHI data must be trained in the procedures to identify a potential breach as well as the notification requirements in the event of a breach. Just having a great policy and procedure is not enough-there should be documented training and enforcement. Noncompliance cannot be tolerated, and a sanction policy must be developed and enforced.


Encrypting all data on portable devices to the National Institute of Standards and Technology (NIST) Advanced Encryption Standard is the best practice. Data with that level of protection cannot be read and is therefore not considered to be at risk of breach.

All but the largest covered entities (and even most of them as well) rely on third-party vendors to provide their information systems. Security officers are advised to review their contracts with all vendors to ensure they are complying with the expected level of data protection. To be considered compliant with the HITECH Act requirement, the encryption software must be registered and listed on the NIST Advanced Encryption Standard registry. A salesman’s assurance that their encryption is “just as good” might be true, but that promise offers no protection in the event of a breach.


The minimum protection ePHI data must have is secure transmission. Ideally, data should be encrypted before transmission and at least in secure socket layer-or SSL-communication mode. Again, the process used to transmit data must be secure, and it should be forbidden to transmit ePHI by email. As with data encryption, covered entities can require certification from their vendors that the data movement protocols meet government requirements.


The HITECH Act specifies that if PHI data is breached, notification of all affected persons is required. If 500 or more individuals are affected, the media and the secretary of HHS must be notified. Don’t even think of not complying with the notification requirement-you’ll turn a civil issue into a criminal one.

Loss of mobile devices constitutes a potential breach. In the case of a potential breach, if the provider can prove that all information on the devices is encrypted in the NIST Advanced Encryption Standard, then notification is not required. But that burden of proof is the provider’s alone.

Disclaimer: This article is not legal advice. Consultation with licensed and experienced legal counsel is advised.

Just having a great policy and procedure is not enough-there should be documented training and enforcement.

David M. Oatway, RN, MPH, is a long-term care IT consultant based in Key West, Florida. He has been the Chair of the HIMSS Post-Acute Care Special Interest Group, Vice Chair of the American Association of Nurse Assessment Coordination (AANAC), and a member of the American Health Information Management Association (AHIMA). He developed one of the first clinical MDS systems (CHAMP). He is the database manager of the STRIVE national nursing home time study which developed the RUG-IV Medicare PPS. He can be reached at Long-Term Living 2011 May;60(5):20-23

Topics: Articles , Technology & IT