6 rules for protecting health information on mobile devices

Customers are walking around with powerful devices and expecting direct, real-time access to their healthcare records wherever they go. The challenge for payers is meeting that demand while safeguarding electronic protected health information (ePHI) shared through mobile channels. It's another example of technology racing forward while procedures to secure it catch up.

"Faster is not necessarily better," Kirk Nahra, partner in the Washington, D.C.-based law firm Wiley Rein, told FierceHealthPayer in an interview. "You have to think about what you're trying to accomplish, what your choices are, and then figure out a way that lets you achieve as much as you can with appropriate security boundaries. If the right person can get into your database, you've got to make sure the wrong person can't get in."

The consequences of failure to protect patient privacy are significant. HITECH provisions of the American Recovery and Reinvestment Act created notification requirements and the possibility of civil and criminal penalties for large-scale data breaches. 

So how do insurers reconcile the advantages of mobile communications with HIPAA requirements and risks? Consider educating customers about mobile communication risks.  According to Sherry Ryan, director and chief information security officer at Blue Shield of California, "People carry a great deal of their lives on these small, powerful and convenient devices. [They] don't appreciate the dangers mobile communications present to them in terms of their personal information and identities."

Payers can help customers reduce risk by encouraging them to keep mobile devices physically secure and protect them with strong passwords.