Mobile devices like smartphones and tablets have become part of daily life in medical practices and other organizations, allowing quick information sharing and access to online services. However, they also pose risks, especially for those who handle sensitive data such as Protected Health Information (PHI). According to the U.S. Government Accountability Office (GAO) report “Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged” (GAO-12-757, 2012) [1], attacks on mobile devices are increasing and many users do not take basic security steps, such as setting a passcode or installing software updates. A device without a passcode can be read or used by anyone who picks it up, and an unpatched device remains exposed to vulnerabilities that have already been fixed, so this gap raises the possibility that sensitive information could be intercepted or stolen.
In healthcare settings, organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) must take additional precautions to keep PHI safe. Under the HIPAA Security Rule (45 C.F.R. §§ 164.302–318) [2], covered entities and their business associates are required to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). An ordinary SMS or MMS message offers none of these protections: it is not end-to-end encrypted, the sender has no way to verify who is holding the recipient's phone, and the message stays in the handset's message store where anyone who unlocks the device can read it. PHI should therefore never be shared through unsecured text messages. If you need to discuss patient data by text, use a secure messaging app that encrypts messages in transit and at rest, authenticates its users, and supports audit logging and remote wipe, and make sure the vendor has signed a business associate agreement (45 C.F.R. § 164.308(b)); “HIPAA-compliant” is a vendor claim, not a government certification. Failing to take these precautions can trigger compliance investigations by the U.S. Department of Health and Human Services’ Office for Civil Rights (45 C.F.R. Part 160, Subpart C) [3], and may result in significant civil penalties.
The GAO’s report highlights that many problems stem from a lack of awareness and training. Even small changes can make a big difference: requiring staff to set a device passcode (which on current iOS and Android devices also protects stored data with encryption), limiting use of public Wi-Fi for anything involving PHI, and deploying remote-wipe capability (typically through a mobile device management service) so that a lost or stolen device can be locked or erased. Additionally, educating employees about phishing schemes, suspicious links, and the importance of keeping the operating system and apps updated can stop a number of attacks before they start. For healthcare providers, these steps also support HIPAA compliance by reducing the risk of unauthorized disclosures of PHI; a lost device whose data was encrypted in line with HHS guidance generally does not hold “unsecured PHI” for breach notification purposes, while an unencrypted one usually does.
Finally, a clear written policy on mobile device use helps practices ensure that staff recognize their responsibilities and follow standardized rules. The policy should state which devices may store or access PHI (practice-owned, personal, or both), how PHI is to be handled on them, and the technical and procedural safeguards that apply: device encryption, anti-malware software where the platform supports it, automatic operating system and app updates, a passcode with automatic screen lock, and a procedure for reporting a lost or stolen device promptly so that it can be wiped. By combining these basic security actions with ongoing training, organizations can follow through on the recommendations from the GAO’s report while also protecting PHI and complying with HIPAA.
Sources Cited
[1] U.S. Government Accountability Office, Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged (GAO-12-757), 2012, https://www.gao.gov/products/GAO-12-757
[2] HIPAA Security Rule, 45 C.F.R. §§ 164.302–318.
[3] HIPAA Enforcement, 45 C.F.R. Part 160, Subpart C.