HIPAA resource center

Securing mobile devices



Today, we are accustomed to quick communication across a variety of platforms: chat, text, email, and more. The convenience of mobile technology in health care sells itself, but when we use electronic communications to send patient information, called Protected Health Information (PHI), federal law requires safeguards to protect patient privacy. Noncompliance could result in compromised PHI and hefty fines. Use this guidance to ensure you are communicating securely.

Necessity of a Business Associate Agreement (BAA)

Only use communications platforms that are compliant with HIPAA. The quickest first test is whether the vendor will sign a Business Associate Agreement (BAA): a contractual commitment by the vendor to follow HIPAA as a business associate (BA). A vendor that will not sign is not an option; a vendor that signs has accepted the obligation, though you should still confirm how it meets it (encryption, access logging, breach notification). Vendors that offer communications for health care usually provide a BAA online, with digital signatures for convenience. Alternately, you can use the Academy's BAA template (PDF). Keep a copy of the BAA for at least six years, as HIPAA requires.

Application of general HIPAA requirements to mobile devices

Ensure your policies and technology follow HIPAA requirements:

  • Access to PHI must be limited to authorized users who need the information to do their jobs.

  • Software must keep a log of who accesses PHI, and your policies should require regular review of that log to detect unauthorized access.

  • Each user must sign in with a unique username and a password or PIN; shared accounts make the access log useless.

  • PHI transmitted beyond the organization's internal firewall (for example, over the internet or a carrier's text-messaging network) must be encrypted.

  • PHI stored on a mobile device should always be encrypted.

HIPAA-compliant vendors

Do not send PHI with the general-purpose texting or email app on your phone. Standard SMS text messages are not encrypted in transit, and consumer email is rarely encrypted end to end, so either can expose the message to carriers, mail providers, or anyone on the network path. Even when a consumer app does encrypt messages, the vendor has not signed a BAA with your organization, so using it to send PHI is an impermissible disclosure under the Privacy Rule and is presumed to be a breach of the transmitted patient data.

Many patient portals and EHRs offer apps that support compliant communication. But you can also use a stand-alone platform. Here are some popular HIPAA-compliant communication vendors*:

Texting/chat vendors: Tiger Connect, OhMD, DrFirst, Spok

Email vendors: Google Workspace, Office 365, Virtru, GoDaddy

* These vendors are shared on an informational basis only, as this in no way represents an endorsement/recommendation by the Academy. Please feel free to compare, evaluate, and consider which ones best meet your needs.

These vendors typically deliver their services from the cloud. Compared with a server in your office, a well-run cloud service adds security functions you would otherwise have to build yourself: it encrypts PHI in transit (between your device and the service) and at rest (on the vendor's storage), and it usually supports Single Sign-On (SSO) and Multi-Factor Authentication (MFA). Details of each vendor's HIPAA safeguards are published on its website, or ask a representative; look specifically for the BAA, the encryption applied in transit and at rest, and whether audit logs of PHI access are made available to you.

HIPAA technical and policy tips

Follow the policy and technical tips below to reduce your vulnerability to violations and breaches.


1. Establish appropriate institutional policies and procedures for mobile access to PHI.

People often think of HIPAA as a technology problem, but most of its requirements have to do with setting proper policies. In fact, most breaches of PHI are caused by human error, either because of inadequate policies or because staff did not follow the policies. Outline clear policies and procedures and provide regular staff training.



2. Require lock screens and timeouts on all phones that access PHI.

If staff access PHI on their personal phones, ensure that the phones are reasonably secure. Phones must use a lock screen that authenticates the user by password, PIN, or biometrics, and must lock automatically after a short period of inactivity (a few minutes at most). Where you can, enforce these settings centrally with mobile device management rather than relying on each user to configure them.



3. Use only secure mobile applications from vendors that have signed BAAs.

Policy should require staff to access PHI only through designated apps, such as EHR or patient portal apps, telehealth apps, or HIPAA communications platforms. Apps should encrypt data in transit and at rest (stored). Staff should not download medical photos or other PHI to their phones: the camera roll is typically backed up automatically to a consumer cloud service such as iCloud or Google Photos, which places PHI with a vendor that has no BAA with your practice and is therefore an impermissible disclosure.



4. Require encryption of all data stored on any mobile device that accesses PHI.

Most current phones encrypt their storage by default, but confirm that every device used to access PHI is encrypted and protected by a passcode, because the passcode is what unlocks the encryption keys: a lost phone with no lock screen, or with a trivially guessable PIN, is effectively unencrypted. Under HHS guidance, a lost or stolen device whose PHI was encrypted (and whose keys were not also compromised) does not have to be reported as a breach; an unencrypted device does.



5. Regularly update phones and sensitive applications with security patches.

Policy should require staff to install security patches for the phone's operating system, from the manufacturer or carrier, and for the apps that access PHI, as soon as they are released. Attackers routinely exploit vulnerabilities for which a patch already exists, so staying current closes the openings most mobile malware relies on.



6. Develop processes to ensure backup of all PHI obtained through remote devices.

Destroying the only copy of PHI is a HIPAA violation, even if that PHI is on a mobile device. If you use a patient portal or EHR app, these generally back up PHI automatically, if the data is ever stored on the mobile device at all. Check with your vendor to be sure.



7. Implement multifactor authentication (MFA) and single sign-on (SSO) for sensitive applications.

MFA requires something beyond a username and password to reach PHI, which makes a stolen or phished password far less useful to an attacker. A common form sends a one-time code by text message; a code generated by an authenticator app, or a hardware security key, is stronger, because text messages can be intercepted or redirected through SIM-swap fraud. SSO lets users sign in once through the organization's identity provider rather than keeping a separate login for each program. Besides the convenience, SSO centralizes login records and makes it easier to enforce MFA and to disable an account in one place.



8. Terminate user access as soon as the user leaves the organization.

Many breaches have been caused by failure to terminate a user's access after they left the organization. Even if staff access PHI through their personal phones, you must still be able to terminate that access on departure, so app accounts should be tied to the organization's directory or SSO rather than set up as standalone vendor logins, and offboarding should include a check that the departed user's accounts no longer appear in the PHI access logs.
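The logging requirement above and items 1 and 8 all depend on someone actually reading the access log. As an added example (not from this page or from any EHR vendor), here is a Python review routine run over a constructed log in a made-up "timestamp key=value" format; real EHR audit formats differ, so the parser is the part you would replace. The staff roster and termination dates are also constructed. It flags the cases a reviewer is looking for: access by an account that is not in the staff roster, access on or after a user's termination date, access outside business hours or on weekends, and one user opening an unusual number of distinct patient records in a short window.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (rule, user, detail)

# Constructed staff roster: user -> termination date (None = still employed).
ROSTER: Dict[str, Optional[date]] = {
    "asmith": None,
    "bjones": date(2024, 3, 1),
    "cwong": None,
}

# Constructed audit log. 2024-03-04 is a Monday; "tempacct" is not in the roster.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-04T09:12:33 user=asmith patient=P1042 action=view_chart",
        "2024-03-04T09:13:01 user=asmith patient=P1042 action=send_message",
        "2024-03-04T22:41:10 user=cwong patient=P2231 action=view_chart",
        "2024-03-05T10:02:15 user=bjones patient=P1042 action=view_chart",
        "2024-03-05T10:05:00 user=tempacct patient=P3000 action=view_chart",
    ]
    # one user opening 25 different charts in 25 minutes during business hours
    + [f"2024-03-05T13:{m:02d}:00 user=cwong patient=P{5000 + m} action=view_chart" for m in range(25)]
)


def parse_line(line: str) -> dict:
    """Split 'ISO-timestamp key=value key=value ...' into a record; hypothetical format."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review(lines, roster, business_hours=(7, 19), bulk_threshold=20,
           window=timedelta(hours=1)) -> List[Finding]:
    findings: List[Finding] = []
    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        where = f"{ts.isoformat()} {rec['action']} {rec['patient']}"
        if user not in roster:
            findings.append(("unknown_account", user, where))
        elif roster[user] is not None and ts.date() >= roster[user]:
            findings.append(("terminated_account", user, f"{where} (terminated {roster[user]})"))
        if ts.weekday() >= 5 or not business_hours[0] <= ts.hour < business_hours[1]:
            findings.append(("after_hours", user, where))
        per_user[user].append((ts, rec["patient"]))
    # Sliding window per user: more than bulk_threshold distinct patients inside `window`
    # looks like bulk browsing or export rather than care of individual patients.
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {patient for _, patient in events[start:end + 1]}
            if len(distinct) > bulk_threshold:
                findings.append(("bulk_access", user,
                                 f"{len(distinct)} distinct patients in {window} ending {events[end][0].isoformat()}"))
                break  # one finding per user is enough to trigger a manual look
    return findings


def run_sample() -> List[Finding]:
    return review(SAMPLE_LOG.splitlines(), ROSTER)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:20} {user:10} {detail}")
```

The thresholds (business hours, 20 patients per hour) are starting points to tune against your own practice's normal pattern; the point is that each rule produces a short list a human can work through at the review interval your policy sets, rather than a raw log nobody reads.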



9. If your phone is on Wi-Fi, connect only to networks protected by a password (WPA2 or WPA3), not to open public hotspots.

If you must use public Wi-Fi, use a virtual private network (VPN). A VPN encrypts all traffic between your phone and the VPN gateway, so the hotspot operator and other users on the same network cannot read or tamper with it, and it hides your phone's IP address from the sites you visit. A VPN protects the network path only: it does not make a non-compliant app compliant, and it is no substitute for the app's own encryption of PHI.



10. Consider implementing network segmentation and an intrusion prevention system (IPS).

Configure your network to admit only known devices that are authorized to access PHI. Segment the systems that access and store PHI (EHR servers, clinical workstations, imaging devices) from guest Wi-Fi, patient-facing kiosks and general office devices, so that a compromise of one segment cannot spread freely to the systems holding PHI. An IPS working alongside the firewall inspects traffic for known attack patterns and can block it rather than only alerting.

