How to Safely Manage Your Mobile Media


Mobile devices are commonplace in modern offices. As a covered entity (CE) or a business associate (BA), you will undoubtedly have mobile devices and media to manage. Electronic protected health information (ePHI) is not only on your desktop computer but may be on many devices, from laptops to thumb drives and from smartphones to external hard drives.

However, these smaller devices can easily leave the building, sometimes by accident. This puts your organization at risk of a privacy breach. As a CE or BA, you are responsible for maintaining the confidentiality, integrity, and availability of ePHI. Therefore, you must be able to account for any mobile device containing ePHI, safely reuse it, and properly dispose of it.

How to Account for Your Mobile Media

Imagine a hard drive containing thousands of private records suddenly goes missing. Did an employee take it home? Is it lost? If a mobile device leaves the building without your knowledge, anything can happen to it.

Accountability means you must know where all media containing ePHI moves inside and outside of your organization. To establish an accountability plan, you will need to:

  1. Take a compete inventory of your mobile devices (ex. tablets, memory cards, backup disks).
  2. Create a check-out/check-in log.

Anyone who wants to remove a device from the organization must be able to justify the need and then log the removal. A person approved to regularly use mobile media outside the facility should sign the media out as a long-term checkout, so the device’s location is on record.

How to Reuse Your Mobile Media

Mobile devices and media are sometimes reused in an organization or donated to charity. In either event, you need to remove all ePHI from these devices before they can be safely reused.

There are many software cleaning solutions (sometimes called “disk wipe” software) on the market. They may require you to run the software through the memory drive a few times to eliminate all the data. Always follow the instructions provided, keeping record of the item being sanitized and who it is signed out to.

How to Dispose of Your Mobile Media

Organizations will often dispose of mobile devices and media at the end of their lifecycle. However, disposal requires you to remove all ePHI and permanently destroy the device.  The most reliable way to do this on a hard drive is to use a degausser. If you don’t have one, you can wipe the device clean with disk wipe software and then physically destroy it. Page 8 of the NIST “Guidelines for Media Sanitization” describes ways to destroy a device.

After you dispose of an inventory item, document the following:

  1. Name of the media destroyed
  2. Method of destruction
  3. Date of destruction
  4. Person or organization destroying the media

To protect your ePHI from unauthorized access and a potential breach, create an accountability plan, clean devices before reusing them, and safely dispose of unwanted devices. Staff members may also have questions about their own personal devices, so be sure you know the HIPAA security rule about device and media control.

Need More Guidance? Grab Our PHI Decision Tree!

This simple cheat sheet makes it easy to recognize every time you’re interacting with protected health information.

Decision Tree Preview

Request A HIPAAtrek Demo

HIPAAtrek User
Compliance is complicated. Your compliance software doesn’t have to be. Schedule your demo today!

You Might Also Like

Double Extortion: What It Is, and How You Can Prevent It

If organizations refuse to pay their ransom, attackers are threatening to release the data publicly. This will of course include sensitive information and PHI. Before Double Extortion, we assumed that hackers could not actually access our data and were only with-holding it from victims to disrupt the ability to continue their work. Now we know they can extract this information and publish it online, breaching our patient’s security.

Read More »

Cybersecurity During COVID-19

Watch out for COVID-19 cyber scams Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek Bethany Baty, Digital Marketing Director, HIPAAtrek Margaret Scavotto, JD, CHC, President, MPA The Department

Read More »