HIPAA Beyond the Office: Laptops, PDAs, and Home Computers

For all the complexity of HIPAA, the greatest provider liability often arises from easily correctable security lapses, such as the failure to password-protect a physician’s BlackBerry. The failure of physicians to password-protect PDAs used to store or transmit patient information is a glaring HIPAA violation, but, lamentably, one that still frequently occurs.

HIPAA Security Rule requirements for protected health information in electronic format (ePHI) apply not only to computers in the office, but also to personal laptops, home-based personal computers, PDAs and smart phones.

Remote access to and use of ePHI should be strictly limited to legitimate business or medical purposes, and procedures should be put in place to mitigate identified risks. For example, to mitigate the risk of unauthorized access via portable devices, which are highly susceptible to theft because of their size, two-factor authentication is an advisable condition of access. To mitigate the risk of unauthorized viewing of what appears on the screen of a physician’s home desktop computer, which can be seen by other residents of or visitors to the physician’s home, a session time-out should be set.
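The session time-out and re-authentication controls described above, shown as a small worked example. This is added illustrative code, not material from the firm or from the HIPAA rule itself; the time-out values, the user name and the function names are assumptions for the example, since the rule does not prescribe specific numbers.

```python
"""Idle-session time-out for a workstation that displays ePHI (added example)."""
from dataclasses import dataclass

# Assumed policy values for this example; HIPAA does not mandate specific numbers.
IDLE_TIMEOUT_SECONDS = 10 * 60          # lock the screen after 10 minutes without input
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60  # force a fresh login after 8 hours regardless


@dataclass
class Session:
    user: str
    started_at: float      # seconds since epoch
    last_activity: float   # time of the last keystroke or click
    locked: bool = False


def create_session(user: str, now: float) -> Session:
    """Start a session at time `now` (injected so the logic is testable offline)."""
    return Session(user=user, started_at=now, last_activity=now)


def evaluate(session: Session, now: float) -> str:
    """Return 'active', 'locked' or 'expired', locking the session if it went idle."""
    if now - session.started_at >= ABSOLUTE_TIMEOUT_SECONDS:
        return "expired"
    if session.locked:
        return "locked"
    if now - session.last_activity >= IDLE_TIMEOUT_SECONDS:
        session.locked = True
        return "locked"
    return "active"


def record_activity(session: Session, now: float) -> str:
    """Call on every input event. Input on a locked session does not unlock it."""
    state = evaluate(session, now)
    if state == "active":
        session.last_activity = now
    return state


def unlock(session: Session, now: float, password_ok: bool, second_factor_ok: bool) -> str:
    """Re-authenticate to resume a locked session; an expired session cannot be unlocked."""
    state = evaluate(session, now)
    if state == "expired":
        return "expired"
    # Both factors are required, matching the two-factor condition of access above.
    if not (password_ok and second_factor_ok):
        return "locked"
    session.locked = False
    session.last_activity = now
    return "active"


if __name__ == "__main__":
    # Constructed timeline: a session that goes idle, is unlocked, then expires.
    s = create_session("example_user", 1000.0)
    print(record_activity(s, 1300.0))             # active
    print(record_activity(s, 1900.0))             # locked (10 min idle)
    print(unlock(s, 1960.0, True, False))         # locked (missing second factor)
    print(unlock(s, 1960.0, True, True))          # active
    print(evaluate(s, 1000.0 + 8 * 3600))         # expired
```

The clock is passed in rather than read from `time.time()` so the policy can be exercised deterministically; in a real workstation the same functions would be driven by input events and a periodic timer, and the lock state would be mirrored by the operating system's screen lock.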


© 2008 Parsonage Vandenack Williams LLC


For more information, contact info@pvwlaw.com
