Safeguarding Personal Health Information

The Personal Health Information Protection Act  (PHIPA) requires that, as a health information custodian (custodian), you must take reasonable steps to ensure that personal health information in your custody or control is protected against theft, loss and unauthorized use and disclosure, and that the records containing the information are protected against unauthorized copying, modification or disposal. You must also ensure that records of personal health information are retained, transferred and disposed of in a secure manner.

Mobile devices, such as smartphones, tablets, laptops and USB keys have added a new layer of complexity to this task. The great advantage of these devices–portability–is also their greatest vulnerability, making them susceptible to loss and theft.

For that reason, personal health information should only be stored on mobile devices if necessary, and even then you must take steps to minimize the risks to privacy. Before you store personal health information on a mobile device, take these steps first.

STOP.

Ask yourself: Do I really need to store any personal health information on this device?

THINK.

Consider the alternatives. For example, would de-identified information serve the same purpose? Can you access the information remotely through a secure connection or virtual private network instead?

PROTECT.

If you must store personal health information on mobile devices, make sure they are encrypted and protected with strong passwords. Additionally, you should store the least amount of information possible, for the shortest amount of time.

For more information about working with personal health information on mobile devices, please refer to our guidance documents below.