applications ensure that data on mobile devices can be automatically synchronized to your network or
cloud server, such as Dropbox, Evernote, Apple iCloud, Microsoft Office 365 or other synchronization
tools.
6. The standard configuration will require network drive folder level passwords where feasible, when the
files relate to confidential or proprietary information.
7. Laptops and [insert type of device(s)-for example, “Smartphone and Tablet”] will be encrypted at either
the entire drive or solid-state memory level, or with partition encryption where the partition contains
ePHI.
8. Encryption keys will be kept separate from the device and maintained with appropriate complexity by the
Security Official or their designee. NOTE: Organizations are required by HIPAA to appoint a Privacy and
Security Officer. However, depending upon the size and complexity of the organization, this official may
be the Office Manager, Physician in charge or “responsible security individual”.
9. Screenshots with ePHI shall not be saved to laptops or [insert type of device(s)-for example,
“Smartphone and Tablet”] unless encryption is enabled.
10. The standard configuration will require malicious software protection to be enabled on the laptop and
[insert type of device(s)-for example, “Smartphone and Tablet”], along with automatic live updates.
Note: Smartphones, tablets and other mobile devices are also susceptible to viruses or spyware!
11. If laptops or [insert type of device(s)-for example, “Smartphone and Tablet”] are used, the security official
will enable automatic updating of security patches.
12. When laptop or mobile device security patches or updates are not automatically downloadable but
otherwise can be downloaded from a website, the security official will notify, by email, all employees
who have a laptop or [insert type of device(s)-for example, “Smartphone and Tablet”], requesting they
download and install the update. The security official will request a confirmation receipt of the email
and notification of the update. The security official will track responses and if necessary take possession
of the device to ensure updates.
13. [Optional] Laptops or [insert type of device(s)-for example, “Smartphone and Tablet”] will be configured
with remote security controls that can remotely wipe the device upon loss or theft, scan for malware,
provide Global Positioning System (GPS) tracking, encrypt partitions or memory that store ePHI, and alert
on or block the introduction of unauthorized Subscriber Identity Module (SIM) cards.
14. Smartphones and tablets that are used to access, receive or transmit ePHI via email shall only do so with
this medical practice’s secure domain mail server or [insert type of secure encrypted email system].
Email settings shall be configured to limit the number of recent emails stored on the device.
15. Smartphones and tablets that are used to access, receive or transmit ePHI shall be configured to limit
the number of text messages stored on the device. Only secure text messaging systems shall be used.
16. Laptops or [insert type of device(s)-for example, “Smartphone and Tablet”] that use wireless
communications including Bluetooth will be configured to always turn off the “Discoverable Mode” to
ensure the device is not viewable by unauthorized persons. Alternatively, where “Discoverable Mode” is
necessary for proper pairing, the user shall be trained to disable this mode when in public places where
data and conversations can be discovered by nearby unauthorized individuals.
17. Laptop and [insert type of device(s)-for example, “Smartphone and Tablet”] users will be trained and
periodically reminded to pair their devices with the pairing laptop in private locations, not in public
locations. Users will be trained to understand that there may be eavesdroppers nearby who are hacking,
sniffing, or setting up malicious code.