Protecting Your Personal Health Information When Using Mobile Devices
Protecting your personal health information is critically important: cybercriminals are constantly developing new ways to steal it from unsuspecting users. The portability of mobile devices adds a further set of concerns to consider when assessing these threats and protecting yourself from data theft.

What is PHI?

Protected health information (PHI), also referred to as personal health information, is the demographic information, medical history, test and laboratory results, mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the primary law governing the use of, access to and disclosure of PHI in the United States. HIPAA defines PHI as “data that relates to the past, present or future health of an individual; the provision of healthcare to an individual; or the payment for the provision of healthcare to an individual. HIPAA regulates how this data is created, collected, transmitted, maintained and stored by any HIPAA-covered organization.”

What identifies personal health information?

HIPAA lists 18 identifiers that, when paired with health information, make that information PHI. Some of these identifiers on their own are enough to identify, contact or locate an individual; others must be combined with additional information to identify a person. The identifiers include:
  • Name
  • Address
  • Phone number
  • Email address
  • Fax number
  • Social Security number
  • Medical record number
  • Account number
  • Dates related to an individual such as birthdate, admission date, etc.
  • Biometric IDs, such as a fingerprint or voice print
  • Full-face photographs and other photos of identifying characteristics
  • Health plan beneficiary number

Safeguarding personal health information

Mobile devices, such as smartphones, tablets and laptops, have added a new layer of complexity to this task. Portability, the great advantage of these devices, is also their greatest weakness: it makes them easy to lose and easy to steal. For that reason, personal health information should be stored on a mobile device only when absolutely necessary, and steps must be taken to minimize the risk to privacy. Before you store personal health information on a mobile device, work through these three steps.
STOP.
Ask yourself: Do I really need to store any personal health information on this device?
THINK.
What are the alternatives? For example, would de-identified information serve the same purpose? Could you instead access the information remotely over a secure connection or a virtual private network, so that it never lives on the device?
PROTECT.
If you must store personal health information on a mobile device, make sure the device's storage is encrypted and that it is protected with a strong password or passcode; encryption only protects the data while the device is locked, so a weak passcode undoes it. Store the least amount of information possible, for the shortest time possible, and delete it when it is no longer needed.
Need more information? Call (888) 880-2536