Contributed by: Lee Kim, Esq.


The ONC Health IT Mobile Devices roundtable is being aired today, on March 16, 2012, by way of live video webcast at 

Here are my thoughts upon hearing the content (which is certainly instructive and helpful) (and this was submitted to ONC Health IT for public comment):

1. By way of background, I am intellectual property and health information technology law attorney at Tucker Arensberg, P.C. in Pittsburgh, PA.  I am also a former IT professional (including in health IT).  While encryption is an addressable implementation specification, encryption plug-ins and stand-alone programs have come a long way in terms of end user usability and feasibility of implementation.  Sensitive data should be encrypted (including protected health information), whether data at rest and data in motion, including without limitation e-mail, files, backup media, and the like. 

2. Not only should encryption be used, but a non-ascertainable and non-guessable private key or password should be used.  Private keys or passwords should not be easily discoverable (such as taped to a keyboard or monitor) and should not be vendor defaults.

3. When storage media and devices which may contain protected health information are at the end of their life cycle, they should be properly disposed of.  Any storage media, whether stand-alone or embedded within a device, should be purged or otherwise eliminated such that such information cannot be reconstructed by an unauthorized person.

4. Access control also needs to get better within healthcare facilities.  HIPAA audit trails should be accurate.  The use of mobile and other computing devices should be increased to ensure that there is no "sharing" of logins or other authentication means.

5. As to mobile devices, the software which resides on them should respect the encryption and other security controls, as opposed to being "rogue" applications which may not. 

6. There is an increasing threat of heuristic malware and hence a need for anti-malware solutions which not only take into account malware signatures, but also examine the heuristics of malware (for malware code which cannot be detected with traditional engines which scan for signatures or for which a signature is not yet known).  There needs to be a solution for mobile devices and  standard computing devices.

7. Remote wipe of mobile devices should be used whenever possible in case a device is lost or stolen.

All covered entities and business associates should review their HIPAA Security Rule policies and ensure that they are complying with the Rule to the fullest extent possible.  As stated in our previous blog entries, HHS, through its OCR enforcement arm, is starting to enforce breaches in a very significant way.