Objective: All devices and systems that store, access, or transmit ePHI must be secured against unauthorized access, loss, or theft.
Guidelines
Device Security (Laptops, Mobile Phones, Tablets)
All devices used by providers or staff to access ePHI must be encrypted and protected by passcodes, biometrics, or MFA.
Devices must automatically lock after a defined period of inactivity.
Clinical practices must implement Mobile Device Management (MDM) policies where feasible to enforce security standards remotely.
Lost, stolen, or compromised devices must be reported immediately to the relevant support team.
Data Encryption (At Rest and In Transit)
ePHI must be encrypted when stored (at rest) and when transmitted over networks (in transit), regardless of whether access occurs in-clinic or remotely.
Only HIPAA-compliant, organization-approved platforms may be used to store or transmit ePHI.
Cloud services and data backup systems must also comply with HIPAA encryption and business associate agreement (BAA) requirements.