Wednesday, August 5, 2015

New Guidance on Mobile Device Security for Health Care Providers

Written By Joanne Ceballos

At the end of July the National Institute of Standards and Technology of the U.S. Department of Commerce (“NIST”) released a draft practice guide, Securing Electronic Health Records on Mobile Devices, that demonstrates how health care IT professionals can use existing technologies, including commercially available and open source tools, to better protect electronic protected health information (“ePHI”) systems and facilitate secure sharing of ePHI through mobile devices.  According to the guide, the full text of which is available here, “many health care providers are using mobile devices in health care delivery before they have appropriate privacy and security protections in place.”  The guide is intended to provide a technical roadmap for achieving HIPAA-compliant use of mobile devices by health care professionals.

To arrive at its recommended solution, which can be implemented as outlined in the guidance or customized to a particular health care provider’s IT environment, NIST simulated interaction among mobile devices and an EHR system supported by the IT infrastructure of a medical organization.  It tested hypothetical scenarios in which a primary care physician uses a mobile device to send a referral containing a patient’s clinical information to another physician, to send an electronic prescription to a pharmacy, or to add information to a patient’s electronic health record.  In each scenario the mobile device interacts with an EHR system.

Health care providers using mobile devices to access or transmit patients’ ePHI are well-advised to confirm that their IT professionals are familiar with the guide’s recommendations.  Business Associates of health care providers who access or transmit ePHI via mobile devices should also consult with their IT personnel to determine whether those recommendations should be implemented by the Business Associate.  

Comments on the draft guidance may be submitted to NIST by September 25, 2015 via e-mail at HIT_NCCoE@nist.gov.