6 rules for protecting health information on mobile devices

In addition, payers should "watch the house" by enforcing their own internal policies to protect ePHI:

1. Know where ePHI is stored in your organization. Is it housed, for example, in an old database created for a function that's no longer performed? Then consider destroying that database securely, in keeping with records management requirements.

2. Know who has ePHI access in your company, and confirm that the access is required by each person's current role. For example, it's not appropriate for an executive who began her career as a coder to retain a coder's access to the claims system.

3. Consider company-issued devices for work-related mobile communications, so that staff do not use their own cell phones or tablets to do business. Although expensive, issuing work-only devices ensures information stays protected. Be aware, however, that some employees will resist carrying additional devices and prefer to bring their own.

4. Track mobile devices through asset management programs. "We can't protect what we don't know about," Paula Ciotti, compliance officer at Anthelio Healthcare Solutions, Inc., in Dallas, said.

5. Apply technical controls, such as anti-virus and patch management, to approved devices.

6. Dispose of obsolete devices securely. Wipe hard drives or memory cards to prevent ePHI retrieval by unauthorized people.
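Rules 2, 4 and 5 above are recurring checks rather than one-off decisions: does anyone hold ePHI access beyond what their current role needs, is every device that touches the network in the asset register, and is every registered device at the required patch level? The script below is an added illustration of those three reconciliations, not code from the article or from any vendor named in it. The role-to-entitlement matrix, the account list, the asset register and the device sightings are all constructed sample data; in practice they would be exported from the access-control system, the MDM or asset-management tool, and the patch-management console.

```python
"""Periodic reconciliation of ePHI access and mobile-device inventory.

All data below is constructed for this example.  Entitlements are written
as "system:privilege" strings; patch levels are "YYYY-MM" strings so that
plain string comparison orders them correctly.
"""
from dataclasses import dataclass

# Rule 2: what each *current* role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "coder": {"claims:read", "claims:code"},
    "claims_adjuster": {"claims:read", "claims:adjust"},
    "executive": {"reports:read"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str                 # the person's current role
    entitlements: frozenset   # what the access-control system actually grants


# Constructed accounts.  "avery" is the article's former-coder executive;
# "dee" has a role the matrix does not know, so nothing is justified.
ACCOUNTS = [
    Account("avery", "executive",
            frozenset({"reports:read", "claims:read", "claims:code"})),
    Account("bao", "coder", frozenset({"claims:read", "claims:code"})),
    Account("cruz", "claims_adjuster",
            frozenset({"claims:read", "claims:adjust", "reports:read"})),
    Account("dee", "contractor", frozenset({"claims:read"})),
]

# Rule 4 / 5: the asset register (what we know about) and what was seen.
ASSET_REGISTER = {
    "MOB-0001": {"owner": "avery", "patch_level": "2024-02"},
    "MOB-0002": {"owner": "bao", "patch_level": "2023-11"},
    "MOB-0003": {"owner": "cruz", "patch_level": "2024-01"},
}
# Device identifiers observed by the network/MDM layer (constructed).
SEEN_DEVICES = ["MOB-0001", "MOB-0002", "MOB-0009"]


def excess_entitlements(accounts, role_entitlements):
    """Return {user: [entitlements not justified by the user's current role]}.

    An unknown role justifies nothing, so every grant on such an account is
    reported; that forces the role mapping to be kept complete.
    """
    findings = {}
    for acct in accounts:
        allowed = role_entitlements.get(acct.role, set())
        excess = set(acct.entitlements) - allowed
        if excess:
            findings[acct.user] = sorted(excess)
    return findings


def untracked_devices(seen, register):
    """Devices observed on the network that are absent from the asset register."""
    return sorted({dev for dev in seen if dev not in register})


def unpatched_devices(register, minimum_patch_level):
    """Registered devices whose patch level is below the required baseline."""
    return sorted(dev for dev, info in register.items()
                  if info["patch_level"] < minimum_patch_level)


if __name__ == "__main__":
    print("Access beyond current role:",
          excess_entitlements(ACCOUNTS, ROLE_ENTITLEMENTS))
    print("Devices not in asset register:",
          untracked_devices(SEEN_DEVICES, ASSET_REGISTER))
    print("Devices below patch baseline 2024-01:",
          unpatched_devices(ASSET_REGISTER, "2024-01"))
```

Each finding maps back to a rule: the entitlement list for "avery" is the retained coder access from rule 2, "MOB-0009" is the device rule 4 warns about (seen on the network but unknown to asset management), and "MOB-0002" is a known device that rule 5's patch management has not yet brought to baseline. Treating an unknown role as justifying nothing is a deliberate fail-closed choice; the alternative of silently skipping such accounts would hide exactly the stale access the review is meant to find.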
