Securing EHRs on Mobile Devices—New NIST Guidance: HIPAA & HITECH Act Blog by Jonathan P. Tomes

The single biggest category of DHHS civil money penalties involves loss or theft of EHRs on mobile devices. The only guidance in the Security Rule for such devices appears in the following standards and implementation specifications:

  • 310, Physical Security, which requires safeguards for facility access controls, workstation use, workstation security, and device and media controls. Although one could take a narrow reading of facility access to limit it to buildings and other places where one could find electronic equipment, media, and data, the better view in light of today’s use of mobile computing devices just about anywhere is a broad reading, which requires physical security of your laptop when you use it at, say, a table in Panera Bread or your cell phone when you make a call at, for example, the gate in the airport while waiting for your flight. That table at Panera’s is then your workstation and requires security. Maybe it’s a locking cable to lock the laptop to the immobile table for when you get up to go to the dispenser to refill your drink, or maybe it’s a policy that requires you to carry the laptop with you wherever you go.
  • 312, Technical Security has the following relevant standards:

(a) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information (“EPHI”) to allow access only to those persons or software programs that have appropriately granted access rights. Its implementation specifications are these:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary EPHI during an emergency.

(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt EPHI.

(c) Standard: Integrity. Implement policies and procedures to protect EPHI from improper alteration or destruction. Its implementation specification requires a mechanism to authenticate EPHI (Addressable). Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.

(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed. No implementation specification.

(e) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. It has these two implementation specifications:

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of.

(ii) Encryption (Addressable). Implement a mechanism to encrypt EPHI whenever deemed appropriate.

These technical security controls would involve passwords, thumbprint readers, eyeball scanners, encryption, firewalls, and the like and would cover access both to the device (data at rest) and to electronic transmission (data in motion). How do you protect your data while it is moving through cyberspace?
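As an added illustration that is not part of the original post or of the NIST guide, the following Python shows one way to meet the Integrity standard’s addressable specification (a mechanism to corroborate that EPHI has not been altered) and the transmission integrity control: an HMAC-SHA256 tag is computed over a canonical serialization of the record and checked in constant time before the record is trusted. The record contents, field names and the key are constructed for the example; a real deployment would keep the key in a key-management system, rotate it, and log every verification failure for incident review.

```python
import hashlib
import hmac
import json

# Constructed placeholder key for the example only. In production the key comes
# from a key-management system and is never embedded in source code.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always yields the same tag.

    Sorting keys and removing whitespace prevents two equivalent encodings of the
    same record from producing different tags (which would look like tampering).
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag covering every field of the record.

    Store or transmit the returned envelope; anyone without the key cannot
    forge a valid tag for altered content.
    """
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time.

    Returns False when the record was modified, the tag is missing, or the key
    does not match; callers should refuse to use the record in that case.
    """
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def demo() -> tuple:
    """Seal a constructed record, then show that a one-field change is detected."""
    # Constructed sample EPHI record (not real patient data).
    record = {"patient_id": "P-0001", "dob": "1970-01-01", "diagnosis": "example"}
    sealed = seal_record(record)
    ok_before = verify_record(sealed)

    # Simulate unauthorized alteration of the stored or transmitted record
    # while the original tag is left in place.
    tampered = {"record": dict(sealed["record"]), "tag": sealed["tag"]}
    tampered["record"]["diagnosis"] = "altered"
    ok_after = verify_record(tampered)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False): intact record verifies, altered record does not
```

The tag only corroborates integrity and origin; it does not make the record unreadable, so it complements rather than replaces the encryption specifications above. Because the same key both creates and checks tags, the key must be protected as carefully as the data itself.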

Although the Security Rule does not require encryption because it is an addressable implementation specification, if the data is encrypted consistent with the National Institute of Standards and Technology (“NIST”) encryption standard, DHHS considers it “secure” (unreadable), and the loss of secure data need not be reported to DHHS, the individual, or the media. See HHS.gov, Health Information Privacy, “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.” Thus, only in a very rare case would encryption of portable devices not be required as a practical matter, if not a legal one.

Now, however, although it may not be legally required, NIST, along with the National Cybersecurity Center of Excellence (“NCCoE”), has published its Guide for Securing Electronic Health Records on Mobile Devices. If you followed that guidance, it would be nearly impossible for DHHS to find you guilty of willful neglect or of not having implemented reasonable and appropriate security measures for such mobile devices. The guidance is published as NIST SP 1800 and is available free of charge from NIST.

The guidance covers how to implement a security architecture to improve device security and to better protect EPHI that is accessed, stored, or transmitted through mobile devices. It explains how you can use commercially available and open-source technologies and tools as part of a cybersecurity strategy to ensure you can both access and share EPHI in a secure manner, and it cross-maps them to the HIPAA standards.

And by the way, the guide carries on what EMR Legal, Veterans Press, and this blog have stressed ever since HIPAA first came out—the need for an original and regularly updated risk analysis. In short, studying this guide will help you convert HIPAA’s vague guidance, as above, into good security measures for these high-risk portable devices that make clinical, practical, and economic sense.

Alice here: We―that is, Jon Tomes and I―invite you to consider having a written process/procedure/policy in place so that you and your workforce know where to look for the answer as to what to do about securing EHRs on mobile devices and how to do it. If you need to draft or update your HIPAA policies, especially regarding securing EHRs on mobile devices, and would like guidance as to how to do so, consider using a book by Jonathan P. Tomes, The Complete Guide to HIPAA Policies and Procedures, with an accompanying CD of dozens of sample policies and procedures, available for purchase on our website. Jon gives you everything that you need to know about the requirements regarding HIPAA policies and procedures in this book. I contributed a chapter on how to write policies and procedures in general, including essential parts, such as introduction, assumptions, definitions if the policy so warrants, policy/procedure, enforcement, and signature(s). Remember to base your policies/procedures on an updated risk analysis under HIPAA and to train your workforce on your policies/procedures. A really thorough appendix in the book includes a matrix of required, addressable, and other policies/procedures to help you figure out where you are, where you need to be, and how to get there.

As an aside and a heads-up, Jon Tomes will be presenting a HIPAA webinar on the topic “Mental and Behavioral Health: When Can You and How Do You Report a Danger to Others?” on October 16, 2018, at 1 pm EST. You will be able to register for it as soon as it appears on the website. We will keep you posted. As always, thanks for reading Jon’s blog, and let us know if you need us to help you with your HIPAA compliance efforts.
