Health Insurance Portability and Accountability Act (HIPAA) | Yale University

Smartphones

HIPAA Security Policy & Guidelines

Three criteria must be met to ensure ePHI data are secure on a smartphone, and they apply regardless of whether the phone is Yale-provided or personally owned:

  1. The phone must have password protection
  2. Data on the phone must be encrypted
  3. It must limit the number of messages stored on the device

Yale University recommends that individuals who use personal smartphones to store, send or receive ePHI enroll in one of the free remote wipe applications described at http://www.yale.edu/its/mobile-technology/erase.html

The following information summarizes the ePHI security requirements, and the capabilities of the three most popular Smartphones at Yale – the Blackberry, iPhone and Droid – and should guide your decision-making process.

Older versions of the iPhone do not meet security standards for ePHI. By policy, you are prohibited from accessing, storing, receiving or transmitting ePHI data including email from devices that do not meet these criteria. If you have a device that isn’t supported and need to access ePHI, you will need to replace it with a conforming device.

The Droid phone is not currently supported at the University due to inconsistencies among different versions of the Droid OS.

Information about the use of ePHI on Smartphones is summarized in the chart below:

| Device | PHI Data Encryption | Password required to unlock device? | Remote purge capability? |
|---|---|---|---|
| Blackberry | Yes (if configured on the Blackberry Enterprise Server with Microsoft Exchange email) | Yes | Yes (if configured on Blackberry Enterprise Server with Microsoft Exchange email) |
| iPhone* | Yes (with 3GS or newer models configured with Microsoft Exchange email) | Yes | Yes (if on YaleConnect Server with Microsoft Exchange email) |
| iPad* | Yes (with software version 4.2 or higher) | Yes | Yes (if on YaleConnect Server with Microsoft Exchange email) |
| Droid (not currently supported by ITS) | Not Currently Supported for ePHI | Not Currently Supported for ePHI | Not Currently Supported for ePHI |

* Please be aware that individuals who have both an iPhone and an iPad with encryption enabled must encrypt both devices since it is not possible to encrypt one and not the other.

Devices other than those listed above won’t meet the requirements and should not be used to access, store, receive or transmit ePHI. ITS will continue to evaluate options and provide updated information when additional configurations are available.

Personally-owned Smartphones used to access, store, transmit or receive ePHI (typically email messages) must also meet these security standards. Please verify encryption and purge capabilities with your service provider and set up a password and email limits in compliance with Yale policy.

If you use a personally-owned smartphone to send or receive ePHI, visit the ITS website for an explanation of how to confirm it is secured.

We hope this information proves helpful when deciding on procuring a Smartphone that protects ePHI. Note: Individuals who have Smartphones that meet security standards will receive further information about secure configurations as part of the security upgrade underway this fall. If you have questions or need assistance, please contact your local support provider or call the ITS Help Desk at 203-432-9000.

You are also advised to apply additional safeguards: