Medical providers have access to, and use of, sensitive patient data that is protected by the Health Insurance Portability and Accountability Act (HIPAA) via mobile computing devices such as laptops, smartphones and tablets. According to the ECU Data Classification standard, HIPAA data is classified as Level 4 (Highly Restricted) data.
Follow these guidelines when accessing and using HIPAA data on mobile devices:
- Data Storage – Store data only on approved university storage and devices. While mobile computing devices such as laptops, smartphones and tablets are used for accessing such data, the devices themselves are not approved for storing sensitive/HIPAA data. Exception requests must be made to the Office of Institutional Integrity.
- EHR Access – When accessing the university’s various EHRs, use the appropriate VPN/Citrix application.
- Data should only be exported from the EHR to approved university storage.
- When accessing Epic, use the apps Haiku (Android or iPhone) or Canto (iPad).
- Patient Communication – Use a secure and encrypted network.
- Patient Portal – Primary means of communication as part of EHR (ex. MyChart).
- Email – Only when email is patient preference, encrypted and recorded in the EHR. See NOTE below.
- Telemedicine Visits – Use a university, HIPAA-approved application such as Caregility, Webex or Microsoft Teams. Adhere to all departmental procedures for telemedicine visits.
- Non-Patient Communication – Use a secure and encrypted network.
- Email – encrypt, verify the correct recipients, minimum necessary standard.
- Secure messaging – Utilize Cortext or encrypted pagers.
- Medical photography – Follow ECU’s HIPAA Medical Photography rule within the HIPAA Privacy Manual.
- For any exceptions to these guidelines, contact the Office of Institutional Integrity.
NOTE: Personal devices used to check ECU email that may contain sensitive data must be encrypted. Please see the Related Articles section on this page for specific ECU guidelines on encrypting personal mobile devices, or follow the manufacturer's instructions to ensure encryption of your personal device: