If an organization allows providers and professionals to use mobile devices for work, the organization should have reasonable and appropriate mobile device policies and procedures. The policies and procedures should describe any configuration requirements for mobile devices used by providers and professionals for work. It is your responsibility to understand and follow your organization’s mobile device policies and procedures. Read more about developing mobile device policies and procedures.

You may have heard the term "BYOD," which means "Bring Your Own Device." BYOD refers to using a personally owned mobile device for work. You should let your organization know you want to use your personally owned mobile device. Many organizations have centralized security management to make sure mobile devices accessing their internal networks or resources are compliant with their security policies. Centralized security management includes:

• Configuration requirements, such as installing remote disabling on all mobile devices
• Management practices, such as setting policy for individual users or a class of users on specific mobile devices.

It is your responsibility to understand and follow the organization’s mobile device policies and procedures.

It is important to know what to do and who to contact when a mobile device is lost or stolen or when you suspect health information has been compromised. The HIPAA Privacy Rule standard for Personnel Designations requires a Privacy Officer. A Security Officer develops and implements policies and procedures required under the HIPAA Security Rule. The organization’s Privacy Officer and Security Officer could be the same person.

Registering your mobile device with the organization will allow the organization to control who has access to its network or system and will keep unauthorized persons from accessing its network or systems. Registering your mobile device with your organization may also help the organization or police find your mobile device if it is lost or stolen. Contact your organization’s Privacy Officer or Security Officer to register your mobile device. You may need to provide the serial number of your mobile device.

Many organizations have centralized security management to make sure mobile devices accessing their internal networks or resources are compliant with their security policies. Centralized security management includes:

• Configuration requirements, such as installing remote disabling on all mobile devices
• Management practices, such as setting policy for individual users or a class of users on specific mobile devices.

A Virtual Private Network, or VPN, is one way to create a secure connection even on a public unsecured network. A VPN provides security in an unsecured environment. The connection between your mobile device and the server is encrypted, so information you send or receive is protected due to the encrypted tunnel established by the VPN, even on an unsecured network. VPNs can be established over all Internet connectivity options.

The risk of using a public Wi-Fi access point (hotspot) or public wired Internet connection such as at a hotel or airport is that information can be intercepted between the mobile device and the system connection (such as a hospital). A VPN allows secure remote access from a mobile device to internal resources such as hospital networks and systems. This protects data from unauthorized access while being sent over the Internet using an unsecured network. A VPN establishes a secure private connection by encrypting data from the mobile device to the connected system so it cannot be intercepted.

VPNs are generally implemented by the organization. Organizations would need to buy VPN hardware/software to implement this type of secure connectivity with their internal resources by authorized remote users.

Due to their small size and portability, mobile devices have a higher risk of being lost or stolen than desktop computers. If you store unsecured health information on a mobile device and the device is lost or stolen, the confidentiality and privacy of health information may be compromised.

If you are allowed to store data on your mobile device, you should know whether the organization has any limits to data storage. For example, does the organization require you to delete information after it has been backed up to a secure server? Does your organization require you to delete information after a set period of time?

If you are allowed to store data on your mobile device, it is a good idea to regularly back up the data to a secure server. If you regularly back up your data and the mobile device is lost or stolen, the data will still be available on the secure server.

The specific technique for backing up data to a secure server depends on the type and operating system of the mobile device you are using and on the security configurations of the secure server. Follow your organization's policies and procedures to determine how to back up the data.

Remote wiping is a feature for lost or stolen mobile devices that remotely erases all the data on the mobile device. Some mobile devices have built-in remote wipe capability that the organization or authorized user can enable.

Remote disabling enables you to lock or completely erase data stored on a mobile device if it is lost or stolen. If the mobile device is recovered, it may be unlocked.

Providers and professionals who use mobile devices to access, transmit, receive or store health information need security training specific to mobile devices. Safeguards will not protect health information unless providers and professionals are trained to follow and enforce those safeguards. Security awareness is a byproduct of training. Privacy and security awareness and training should be an on-going part of the provider's and professional’s work environment.

Read more about an organization’s mobile device privacy and security awareness and training. Watch the Mobile Device Privacy and Security video series to help raise mobile device privacy and security awareness.