HIPAA defines a mobile device as any device that allows storage of data on itself by using its on-board memory or within the SIM card of a memory chip. Mobile devices can be used to send and transmit data, which may include Protected Health Information (PHI or ePHI) under HIPAA. Sending and transmitting PHI or ePHI through these devices has proven to be risky because of the unique security risks involved.
Popular handheld devices include standalone PDAs like Palm and Apple's iPod touch, iPhone, Android phones, BlackBerry, etc. Also included are tablets such as Apple’s iPad and Microsoft’s Surface. HIPAA requires that PHI be safeguarded against threats to its security and integrity and against unauthorized use.
According to HHS.gov, health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third-party service providers for the device and/or the cloud that will have access to the ePHI.