Portable devices have become the mainstay of many individuals' communications and information handling, but whether used by staff for business purposes or used by patients for their own personal purposes, considering the privacy and security of information is essential. The HIPAA regulations require the use of the mode of communication requested by the individual, if the provider has the capability to reasonably do so, and also require the consideration of secure technologies for communications and storage of data. The result is that the use of portable devices by patients and staff can be complicated and requires careful consideration of the regulations, how the devices will be used and secured, and patient desires.

HHS compliance audit activity and enforcement penalties have both increased, especially in instances of willful neglect of compliance or lack of a complete risk analysis, for example where your organization hasn't adequately considered the impact of mobile devices on your compliance. Given that mobile devices are a leading source of breaches of PHI, it is essential to consider these devices and how their use affects the privacy and security of PHI; not doing so is inviting enforcement action by HHS.

This session will review the requirements and current issues pertaining to mobile devices and present ways for the attendees to consider how to accomplish business objectives within the HIPAA regulations as well as meet patient desires under the rules, including processes for managing portable devices, policies needed for ensuring secure communications and storage where needed, and procedures for meeting and documenting patient requests for communication preferences. Recent guidance from the National Institute of Standards and Technology on the use of mobile technologies with EHR data will be discussed and practical ways of using mobile devices securely will be presented.

The session will explain the HIPAA regulations that apply to the use of portable devices, both as tools for staff to use, and as a means of communication with patients. Proper use of portable devices requires consideration of a variety of purposes: for personal use, for business use not involving any identifiable patient information, for business use that does involve identifiable patient information, and for communications with patients. Each type of use requires careful consideration of the rules and the risks to the confidentiality, integrity, and availability of information.

For business uses with no patient information, the constraints are few, so long as you are sure there is no patient information involved with those uses. But if you include any patient information, you need to ensure the information is protected. Even so, patients are allowed to ask to communicate with you in any way you can reasonably handle. Just what is reasonable, and what is allowed according to guidance from HHS, will be discussed.

Once patient information is involved, the devices used by a provider or their staff must be properly secured through the use of good passcodes and encryption, with remote wiping of data if a device is lost or stolen. And if you allow staff to use their own devices for business work, what happens when they trade in their old phone when the new one comes out?

If you communicate with patients using portable devices, you need to consider the issues of privacy and security, as well as those of triaging incoming communications and documenting conversations. Just plain texting is not readily adaptable to the requirements of patient care and documentation, but secure, appropriate solutions are available.

Finally, we will discuss the enforcement of HIPAA rules and how they relate to mobile devices, the issues that can lead to enforcement, and the impacts of enforcement actions, including monetary settlements and corrective action plans.

In this session

  • Review of Mobile Device Issues and Requirements
  • Guidance from NIST on Using Mobile Devices with EHRs
  • Explanation of HIPAA Regulations and Mobile Devices
  • Discussion of Variety of Uses of Mobile Devices
  • Requirements for Securing Information on Mobile Devices
  • Requirements to Meet Patient Preferences for Communications
  • Being Prepared for HIPAA Enforcement


What you will learn

  • Presentation and explanation of regulatory requirements, typical situations, and appropriate responses to patient communications requests, to develop understanding of the rules surrounding patient communications and access of information under HIPAA.
  • Discussion of information security issues related to communications and the risks associated with insecure communications, so you can know how to explain the risks of insecure communications to patients.
  • Presentation of NIST guidance on using mobile technology with EHR data, including recommended measures.
  • Discussion of policies and procedures for managing and auditing the use of insecure communications including communications made at the request of patients.
  • Presentation of requirements for encryption according to best practices, and explanation of technologies that can provide encryption and security, to help you know when secure communications are required and what must be done to secure communications and devices.
  • Explanation of how training and education must take place and be documented to ensure your staff uses portable health information properly and does not risk exposure of PHI.


Who should attend

  • Compliance Director
  • CEO
  • CFO
  • Privacy Officer
  • Security Officer
  • Information Systems Manager
  • HIPAA Officer
  • Chief Information Officer
  • Health Information Manager
  • Healthcare Counsel/Lawyer
  • Office Manager