Synergy - January/February 2013 - 12

continuing education

• PHI should not be downloaded to an
unsecure site or location . It should not
be printed off or otherwise obtained in
hard copy from the mobile device that
is left available in an unsecured area or
where one may have access that does
not require at a minimum a password
to obtain such information or access .
Providers need to have reasonable
tracking measures in place to monitor
and restrict downloading PHI to
unsecured devices .
• If possible, limit use of the mobile
devices used in the hospital setting for
only patient care purposes and do not
allow for accessing of databases that are
not necessary . Policies and procedures
in this regard will limit the likelihood of
viruses, malware and other types of
intrusions into the mobile device or
database that may compromise security
and privacy or assist those who are
attempting to “hack” into the system . In
addition, it should be required that an
antivirus software be maintained, kept
up to date and scheduled to run on a
regular basis .
• If there is a breach of the system, a lost
mobile device or a known unauthorized
disclosure due to the use of a mobile
device, there must be policies and
procedures on how it must be reported
to the medical leadership, with
mandatory action on such breach or
disclosure to specific people in a
particular format within a set time period .
• Disposal or reuse of mobile devices
should be subject to specific standard
policies and procedures . The
information maintained on mobile
devices should be removed and its
memory “scrubbed” to ensure that no
PHI is still on the device . If the mobile
device is to be disposed of, it should be
done with an appropriate third party
that disposes of such devices in a
secure method .
Medical staff policies and procedures
should address when, where and how

SYNERGY January/Febr uary 2013

mobile devices should be used in
accessing or discussing PHI . One should
not openly discuss or obtain PHI on their
mobile device when others may hear or
see the information . There should also
be policies and procedures regarding the
access of PHI from a third party’s mobile
device or from an unsecured area .
In order to ensure that the medical staff
understands the importance of patient
privacy and the use of mobile devices, it
is suggested that the hospital involve its
medical leadership in establishing and
developing its policies and procedures
relating to privacy and confidentiality of
medical records, including how mobile
devices may or may not be used, as it
applies to a particular facility . Although
this may be easier in theory than it is in
practice, the medical staff may be aware
of instances where mobile devices may
be used in practicing medicine, how such
devices may make practice medicine
more efficient and convenient, and how
such devices may actually improve the
quality of care received by a patient . It is
also important to have ongoing education
of the medical staff to keep them up to
date on the current laws and regulations
governing PHI, and the hospital’s mobile
device policies and procedures so that
they clearly understand how mobile
devices may be utilized in the workplace .

Conclusion
The recommendations set forth above are
generalized in nature . Specific policies
and procedures should be created based
upon use, facilities and other issues that
are unique to your organization . The
U .S . Department of Health and Human
Services has issued guidance on ensuring
security when using mobile devices and
protection of PHI in the process . In addition
to establishing policies and procedures,
hospitals must train their medical staffs,
as well as employees and contractors, on
HIPAA privacy and security as they relate
specifically to mobile devices if they are to

be used . Adopting a mindset that a provider
will develop these protections at a later
time, or that a provider is simply “careful”
with the use, transfer and/or downloading
of information is not acceptable . Such a
choice may lead to inadvertent disclosures
of PHI, which is devastating to patients, as
well as an assessment of significant financial
penalties or sanctions against the facility .■
Patrick D. Souter, Esq., is a member with
Looper, Reed & McGraw, P.C., in its Dallas
office. His practice is concentrated in the areas
of transactional and administrative healthcare
along with corporate, securities and antitrust
law issues faced by healthcare providers. Souter
received his BBA in finance and his JD from
Baylor University. He is currently licensed by
the State Bar of Texas and has gained admission
to practice before the U.S. Fifth Circuit Court
of Appeals, United States District Court for the
Northern and Eastern Districts of Texas and the
United States Tax Court. He is certified by the
Texas Board of Legal Specialization in Health
Care, being one of only 56 attorneys that
currently possess that designation.
Mary Modal, Tablets Set to Change Medical
Practice, QuantiaMD (June 15, 2011), available at
www .quantiamd .com/q-qcp/qrc_tablets .pdf . Id .
According to 45 CFR § 103, “Protected Health Information,” or
what is commonly referred to as “PHI,” is individually identifiable
health information that is created or received by a healthcare provider,
health plan, employer, or healthcare clearinghouse that relates to
the past, present, or future physical or mental health or condition
of an individual; the provision of healthcare to an individual; or the
past, present, or future payment for the provision of healthcare to an
individual transmitted by electronic media, maintained in electronic
media, or transmitted or maintained in any other form or medium .
See www .gpo .gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010title45-vol1-sec160-103 .pdf .
The Health Insurance Portability and Accountability Act of 1996, as
amended (Public Law 104-191) .
This includes legislation similar to HIPAA at the state level as well as
various federal and state statutes related to confidentiality .
U .S . Department of Health and Human Services, Massachusetts
provider settles HIPAA case for $1 .5 million, Press Release
dated September 17, 2012, available at www .hhs .gov/news/
press/2012pres/09/20120917a .html .
45 CFR Part 160 and Subparts A and C of Part 164 .
45 CFR Part 160 and Subparts A and E of Part 164 .
42 C .F .R . § 482 .24(b)(3), see also The Joint Commission Standards,
IM .02 .01 .01 .
Although medical staff policies are the focus of this article, the same
principles and considerations would be equally applicable to other
types of healthcare facilities and to independent professional groups
as well .
U .S . Department of Health and Human Services, Security Rule
Guidance Material, available at www .hhs .gov/ocr/privacy/hipaa/
administrative/securityrule/securityruleguidance .html

http://www.quantiamd.com/q-qcp/qrc_tablets.pdf http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec160-103.pdf http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec160-103.pdf http://www.hhs.gov/news/press/2012pres/09/20120917a.html http://www.hhs.gov/news/press/2012pres/09/20120917a.html http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

Synergy - January/February 2013

Table of Contents for the Digital Edition of Synergy - January/February 2013