You, Your Organization, and Your Mobile Device

If you use a mobile device to access an organization’s internal network or system, the owner of that network or system’s policies and procedures apply to your use of the mobile device to gain such access. It is your responsibility to understand and follow the organization’s policies and procedures.

Here are some questions to consider when using a mobile device to access an organization’s network or system, such as an EHR:

Does your organization have a mobile device use policy?

If an organization allows providers and professionals to use mobile devices for work, the organization should have reasonable and appropriate mobile device policies and procedures. The policies and procedures should describe any configuration requirements for mobile devices used by providers and professionals for work. It is your responsibility to understand and follow your organization’s mobile device policies and procedures. 

Does your organization allow you to use your personally owned mobile device for work?

You may have heard the term "BYOD," which means "Bring Your Own Device." BYOD refers to using a personally owned mobile device for work. You should let your organization know you want to use your personally owned mobile device. Many organizations have centralized security management to make sure mobile devices accessing their internal networks or resources are compliant with their security policies. Centralized security management includes:

  • Configuration requirements, such as installing remote disabling on all mobile devices
  • Management practices, such as setting policy for individual users or a class of users on specific mobile devices.

It is your responsibility to understand and follow the organization’s mobile device policies and procedures.

Do you know who your organization's Privacy Officer and Security Officer are?

It is important to know what to do and who to contact when a mobile device is lost or stolen or when you suspect health information has been compromised. The HIPAA Privacy Rule standard for Personnel Designations requires a Privacy Officer. A Security Officer develops and implements policies and procedures required under the HIPAA Security Rule. The organization’s Privacy Officer and Security Officer could be the same person.

Does your organization require you to register your mobile device with the organization?

Registering your mobile device with the organization will allow the organization to control who has access to its network or system and will keep unauthorized persons from accessing its network or systems. Registering your mobile device with your organization may also help the organization or police find your mobile device if it is lost or stolen. Contact your organization’s Privacy Officer or Security Officer to register your mobile device. You may need to provide the serial number of your mobile device.

Many organizations have centralized security management to make sure mobile devices accessing their internal networks or resources are compliant with their security policies. Centralized security management includes:

  • Configuration requirements, such as installing remote disabling on all mobile devices
  • Management practices, such as setting policy for individual users or a class of users on specific mobile devices.

Does your organization have a Virtual Private Network (VPN) that allows you to access, receive, or transmit health information securely with your mobile device?

A Virtual Private Network, or VPN, is one way to create a secure connection even on a public unsecured network. A VPN provides security in an unsecured environment. The connection between your mobile device and the server is encrypted, so information you send or receive is protected due to the encrypted tunnel established by the VPN, even on an unsecured network. VPNs can be established over all Internet connectivity options.

The risk of using a public Wi-Fi access point (hotspot) or public wired Internet connection such as at a hotel or airport is that information can be intercepted between the mobile device and the system connection (such as a hospital). A VPN allows secure remote access from a mobile device to internal resources such as hospital networks and systems. This protects data from unauthorized access while being sent over the Internet using an unsecured network. A VPN establishes a secure private connection by encrypting data from the mobile device to the connected system so it cannot be intercepted.

VPNs are generally implemented by the organization. Organizations would need to buy VPN hardware/software to implement this type of secure connectivity with their internal resources by authorized remote users.

Does your organization have a policy about storing health information on your mobile device?

Due to their small size and portability, mobile devices have a higher risk of being lost or stolen than desktop computers. If you store unsecured health information on a mobile device and the device is lost or stolen, the confidentiality and privacy of health information may be compromised.

If you are allowed to store data on your mobile device, you should know whether the organization has any limits to data storage. For example, does the organization require you to delete information after it has been backed up to a secure server? Does your organization require you to delete information after a set period of time? Does your organization require you to backup health information from your mobile device to a secure server?

Does your organization require you to backup health information from your mobile device to a secure server?

If you are allowed to store data on your mobile device, it is a good idea to regularly back up the data to a secure server. If you regularly back up your data and the mobile device is lost or stolen, the data will still be available on the secure server.

The specific technique for backing up data to a secure server depends on the type and operating system of the mobile device you are using and on the security configurations of the secure server. Follow your organization's policies and procedures to determine how to back up the data.

Does your organization require you to enable remote wiping and/or remote disabling on your mobile device?

Remote wiping is a feature for lost or stolen mobile devices that remotely erases all the data on the mobile device. Some mobile devices have built-in remote wipe capability that the organization or authorized user can enable.

Remote disabling enables you to lock or completely erase data stored on a mobile device if it is lost or stolen. If the mobile device is recovered, it may be unlocked.

Does your organization offer mobile device privacy and security awareness and training?

Providers and professionals who use mobile devices to access, transmit, receive or store health information need security training specific to mobile devices. Safeguards will not protect health information unless providers and professionals are trained to follow and enforce those safeguards. Security awareness is a byproduct of training. Privacy and security awareness and training should be an on-going part of the provider's and professional’s work environment.

Watch the Mobile Device Privacy and Security video series to help raise mobile device privacy and security awareness.

NOTE: The content on the Mobile Device Privacy and Security subsection of HealthIT.gov is provided for informational purposes only and does not guarantee compliance with Federal or state laws. Please note that the information and tips presented may not be applicable or appropriate for all health care providers and professionals. We encourage providers, professionals, and organizations to seek expert advice when evaluating these tips. The Mobile Device Privacy and Security subsection of HealthIT.gov is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. It is also not intended to serve as legal advice or offer recommendations based on a provider’s or professional’s specific circumstances. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.