Establishing a HIPAA-Compliant Personal Device Policy for Your Practice
Mobile devices can be both a boon and a burden in the work environment. While employees can check email at the tap of an app, they can also be distracted by things that are less than work-appropriate, such as social media or the time-consuming Candy Crush. But there is more at stake than lost productivity: without a proper policy in place, your practice may find itself facing HIPAA non-compliance.
But how does one go about establishing a reasonable HIPAA-compliant mobile device policy?
What Falls Under HIPAA’s Regulations?
HIPAA regulations apply to any mobile device that receives, transmits, or stores protected health information (PHI). This can include tablets used during the patient check-in process, laptops used by administrative staff, and even personal cell phones, if physicians rely on them for patient-related email. While mobile devices bring many benefits to a practice, they also introduce numerous risks once multiple devices hold PHI. Examples include:
- Relying on public Wi-Fi or unsecured mobile networks increases the risk of PHI being intercepted
- Most mobile devices can take and store photographs, which can be a compliance concern if the pictures violate patient privacy
- Smaller mobile devices are at risk of being misplaced or stolen, resulting in the loss of PHI
- Cloud storage isn’t always HIPAA compliant, despite its popularity
Many providers require cloud storage capabilities to be turned off on practice-issued mobile devices. But what about employees’ personal mobile devices?
Guidelines for Regulating Employee Cell Phone Access
While it may be tempting for both security and productivity purposes to put a blanket ban on personal mobile devices, doing so may result in disgruntled employees. Yes, even the most diligent employee probably spends a few minutes a day on Facebook or Twitter. But cell phones are also lifelines to employees’ personal lives, including children and spouses. Every practice has differing levels of mobile device usage, and the policy should be implemented accordingly. Common provisions include:
- Cell phone use in front of patients, at the front desk, or in patient areas is not permitted
- Cell phones may only be used in the break room/outside the practice/in a designated area—some practices always have one clinical room available for this purpose
- Cell phones may not be used on the clock, except during designated breaks
State laws determine what a practice is allowed to require of (or forbid) its employees during their breaks. Because these laws are updated frequently, it is vital to have an employment law or HR expert create the mobile device policy and review it periodically. While it may be tempting to simply borrow another practice's policy or download one online, a practice that does so may find itself with an ineffective, or even illegal, policy.
Keeping up with HIPAA compliance and ever-advancing mobile devices is no easy feat for providers. But understanding what information is safeguarded by HIPAA, and having guidelines in place for a simple, reasonable employee cell phone policy, are two steps toward keeping PHI safe and employees satisfied.