HIPAA Mobile Device Policy Checklist


As healthcare organizations strive to improve communications among care team members and with patients, they increasingly look to mobile technologies. Of course, one of the key considerations when deploying mobile communication is maintaining HIPAA compliance. These regulations and rulings are constantly being altered and updated to protect patients - as a result, it can be difficult to keep up with the myriad of compliance requirements. Failing to do so, however, creates significant risk.

HIPAA has outlined some of the basic steps that you can take to protect healthcare information while using a mobile device. They have also compiled a list of some of the most common risk factors that medical professionals encounter while using mobile technologies. We’ve summarized some of that information here, but you can find more detailed information about these regulations at Even if you are already using HIPAA compliant services, adding these additional layers of security will be beneficial when accessing healthcare information on mobile devices.

  1. Ensure that your devices, and sensitive files, are protected with a password or authentication requirement.

  2. Are you utilizing a two-part login process, such as a password and a security question? This is intended to help keep information secure in case a password is lost or stolen.

  3. Have you enabled timeout features on your devices, so that they log users out after a period of inactivity?

  4. Check your devices’ encryption technologies, firewall and antivirus protection to ensure that they are up-to-date and functioning properly.

  5. Be certain that your devices have remote wiping or disabling features according to your organization’s policy. These features allow your device to be wiped or locked remotely in the event that it goes missing.

  6. Disable file sharing options on your device to help keep files secure.

  7. Are you investigating mobile apps and downloads prior to installing them? Make sure that these are from trusted sources and that you have a full understanding of their functionality.

  8. Follow proper guidelines for deleting medical information before repurposing or disposing of your device.

Common risks to avoid:

  1. Avoid using unsecured networks, as this can lead to increased risk of data breaches. If you have the ability to access your organization’s records using a VPN, virtual private network, it is important to utilize it. This serves as a means of encrypting your information to help keep it private.

  2. When possible, it’s recommended that you turn off services like Bluetooth and Wi-Fi, as they can be used to discover your device.

  3. If you aren’t able to keep your devices with you, put them in a secured spot to keep them from being lost or stolen.

  4. It’s recommended that you regularly back-up important information to avoid losing vital data. HIPAA’s Security Series addresses more than just human threats to data, but also reminds us that natural disasters and environmental threats can wreak havoc on data stored mobily.

  5. Regularly train your team on HIPAA’s policies and procedures, documenting the training that they’ve received.

  6. Create mobile device policies to outline proper procedures for accessing and storing healthcare information.  

These are just some of the helpful practices outlined by HIPAA; it’s important to utilize your organization’s mobile policy and contact your Privacy and Security Officer if you have additional questions. HIPAA also offers a variety of resources, and even games, designed to increase your understanding of their policies and practices for more information.