hipaa-mobile-health
Installation
SKILL.md
HIPAA Mobile Health — mHealth Privacy and Security
Overview
Mobile health (mHealth) encompasses the use of mobile devices, applications, wearable sensors, and remote patient monitoring systems to deliver healthcare services and manage health information. OCR has issued specific guidance on HIPAA compliance for mobile devices, recognizing that the proliferation of smartphones, tablets, and wearable health technology creates significant risks to the confidentiality, integrity, and availability of ePHI. The regulatory landscape intersects HIPAA (for covered entities and business associates), FDA regulation (for mobile medical devices/software as a medical device), and FTC jurisdiction (for consumer health apps not covered by HIPAA).
Regulatory Framework
HIPAA Security Rule — Mobile-Relevant Provisions
- §164.310(b): Workstation use — policies specifying the proper functions to be performed and the physical attributes of surroundings for workstations accessing ePHI (includes mobile devices)
- §164.310(c): Workstation security — physical safeguards for workstations accessing ePHI to restrict access to authorized users
- §164.310(d): Device and media controls — policies for receipt, removal, disposal, and re-use of hardware and electronic media containing ePHI
- §164.312(a)(1): Access control — unique user identification, emergency access procedure, automatic logoff, encryption and decryption
- §164.312(a)(2)(iv): Encryption and decryption (addressable) — encrypt ePHI stored on mobile devices
- §164.312(d): Person or entity authentication — verify identity of persons seeking access via mobile
- §164.312(e)(1): Transmission security — protect ePHI transmitted over wireless and cellular networks