"The investigation outlines the following steps that must be taken to protect health information stored on a mobile device in order to meet requirements of the HIA:
- There must be policies and procedures that users are aware of and educated on that guide proper use of the device,
- Reasonable steps must be taken to physically secure the device,
- There must be a business need to store health information on the device,
- The device must be password protected, and
- Health information stored on the device must be protected by properly implemented encryption."