It's important to remember that the HIPAA Security Rule states covered entities should maintain "reasonable and appropriate administrative, technical, and physical safeguards." With that being said, HIPAA provides a framework for creating processes, systems, and procedures. While there are no specific technological requirements for smartphones, computers, or tablets, it's imperative for any technical hardware or software used in a healthcare setting to undergo a risk assessment in order to stay HIPAA compliant.
The short answer is: HIPAA applies to any mobile device where PHI is stored or transmitted.
Here are a few key factors to consider in order to keep your smartphone HIPAA compliant:
Apps
Most health-related apps are not HIPAA compliant. Reputable developers, such as Google or Apple, may factor in HIPAA regulations when developing apps. A risk assessment should be conducted if you choose to use apps to manage PHI.
Additionally, make sure the software and applications on your phone are up to date. Updates usually contain bug fixes or vulnerability patches.
Public WiFi
Sending and receiving PHI over a public or insecure WiFi connection could be at risk, and is therefore considered a HIPAA violation. If you need to access PHI in a public space, you should have remote technology in place, such as VPN, with encrypts all data that is being transmitted and received.
Use Longer Passcodes
We've touched on the importance of passwords before, but it's worth repeating again! If you're using your smartphone in a healthcare setting, there better be a passcode or pin set up in order to access your phone. Four digit passcodes are easier to break, so the longer and more complex, the better.
Cloud
Cloud storage is commonly offered on mobile devices. Storing PHI in the cloud could leave the cloud provider at risk if they haven't signed a business associate agreement (BAA). Additionally, your camera roll may automatically be backing up the cloud. For example, if you have a photo of scan saved on your phone, you may unknowingly have it backed up in the cloud. Make sure you identify what information on your phone is being backed up in the cloud. If you do not have a signed BAA with a cloud service, it's best to restrict what gets backed up into the cloud, or turn the service off completely.
Text
Never use text to send PHI. If your organization uses an approved messaging app that's compliant, make sure all employees have access to it.