Workplaces everywhere are finding they need to deal with employees’ use of personal devices for company business, whether it’s accessing company email and intranets, using customer relationship management apps to plan customer calls, or accessing files on the company network. Some organizations outright prohibit the practice, commonly known as “bring your own device” (BYOD), and some grudgingly tolerate it. Others see productivity and cost-saving benefits and actively encourage it.
The trend is taking hold in the healthcare industry as well. BYOD in the world of healthcare, however, presents special challenges, specifically around the issue of patient privacy laws, such as HIPAA in the United States and similar laws in other countries. The use of personal devices on the job by doctors, nurses, and other healthcare professionals, however well-intentioned, may put them at risk for investigations and penalties and could expose private patient health information to misuse.
This article describes the patient privacy provisions of the U.S. HIPAA law, the specific risks associated with BYOD, and how to mitigate those risks through the implementation of solid policies and the application of technological solutions. HIPAA has been informally adopted by other countries, such as New Zealand and Australia.
HIPAA: A Refresher
HIPAA, or more formally the Health Insurance Portability and Accountability Act, is U.S. federal legislation signed into law by President Bill Clinton in 1996. The overarching purpose of the law is to enable employees who lose their jobs or move from one job to another to maintain health insurance coverage by prohibiting employer health insurance plans from denying coverage because of certain pre-existing conditions.
Better known these days are the provisions of the law intended to protect the privacy of patient healthcare records. Among other things, these provisions establish the following:
- Privacy requirements: The law defines what patient information is considered private and therefore must be protected, regardless of its form—electronic, paper, or even oral. Protected healthcare information includes any information that can be associated with a particular person.
- Security requirements: The law sets standards for the protection of electronic records that contain private patient information.
- Enforcement guidelines: The law establishes guidelines for auditing healthcare entities and penalties for nonconformance.
The law applies to individual doctors, clinics, hospitals, pharmacies, labs, health insurance companies, and plan administrators, as well as organizations, called “business associates,” that are not specifically healthcare entities but have access to electronic healthcare records. The U.S. federal Department of Health and Human Services (HHS) recently clarified that business associates can include cloud service providers and, in certain circumstances, developers of mobile apps that handle patient health information.
The law does not specify how to protect electronic patient healthcare information. According to HHS, the law does require entities to take reasonable measures to ensure the “confidentiality of patient healthcare data” they create, receive, or transmit, and identify and protect against “reasonably anticipated threats to the security and integrity of the information” through physical, technical, and administrative safeguards.
BYOD in the Healthcare Workplace
Whether healthcare entities (and their IT departments and compliance officers) like it or not, the use, official or otherwise, of personal devices in the healthcare workplace is a growing trend. The reason is simple: These devices, smartphones in particular, can make many healthcare workers’ jobs easier. Even simple, standard smartphone features, such as texting and photos, can be useful in a healthcare setting. For example, a nurse might find that taking a photo of the readings on a patient’s monitoring equipment and texting it to a doctor gets faster results than having the doctor paged.
Some healthcare entities may encourage employees to use their personal devices to access company email, intranets, and other resources. And then there are other smartphone apps that might find their way into the healthcare workplace, whether or not they were designed as “healthcare apps” or officially approved by the organization.
The problem is that using personal devices in a healthcare setting makes it extremely easy to run afoul of the HIPAA security provisions. In the example from the previous section, that photo and accompanying text can be considered electronic patient healthcare information, especially if the photo is tagged with the patient’s name or the patient’s name appears in the photo or the nurse’s text. In this scenario, the nurse’s employer has patient healthcare information going home with the nurse, rather than staying within the confines of the workplace where it belongs. That by itself is a serious issue; should that information make its way, deliberately or inadvertently, to social media or some other public forum, it could mean big trouble for the hospital or clinic, the nurse who sent the text, and the doctor who received it.
Even officially approved uses of personal devices could be HIPAA violations. An administrator who accesses company email on a personal device could be in trouble if any of her emails contain patient healthcare information, because a thief or hacker who obtains the device could read that information from it.
These are the types of scenarios that keep compliance officers awake at night. Fortunately, there are ways to bring this situation under control: some are administrative, and others technical.
The Solution: Policies
The administrative solution involves setting and enforcing clear, comprehensive, and unambiguous policies around the use of personal devices in the healthcare workplace. Such policies should leave no doubt as to what does and does not constitute HIPAA-compliant use of personal devices for business purposes.
The exact content of these policies will vary from entity to entity, and may be vastly different for small, single-doctor offices and large, multi-facility hospitals. But all BYOD policies for healthcare entities should:
- Explain the purpose of the policy
- Clearly define permissible and prohibited uses of personal devices and accounts for company business, including multiple examples of each
- Clearly indicate the penalties for non-compliance
- Include provisions for regular (annual or biennial) review and updating of each policy document to keep up with changes in technology and the law
BYOD policies should remind staff of what constitutes personal healthcare information and why it must be controlled and protected.
In keeping with the provisions of the HIPAA law, staff should be trained on these policies—and not just at new-hire orientation or when the policies are first published. Over time, people tend to forget both the content of the policies and the importance of following them, especially in an era when it’s second nature for people to use their smartphones for many different purposes. Healthcare staff might, for example, take photos or write emails and texts with their smartphones out of habit, without considering whether what they’re doing involves personal healthcare information. Thus, mandatory refresher training should be scheduled annually and whenever the policies are updated.
The Rest of the Solution: Enterprise Mobility Management Systems
The other part of the solution involves technology. Technical solutions that exist today can help prevent the inadvertent (or deliberate) data security lapses that invite trouble. Among the most common solutions are enterprise mobility management (EMM) systems.
EMM systems can be used to both manage company-owned devices and regulate the use of personal devices for business purposes. EMM systems typically consist of a central server and an app that is installed on each device. The app provides a security-enhanced, password-protected “walled garden” in which users can access the company network and conduct company business, and can prevent mixing business and personal photos, files, emails, texts, and other data. The central server registers each device in the EMM system and enforces company-defined security rules (such as password complexity and password change frequency) and user permissions (such as who can access what network resources).
Perhaps best of all, EMM system administrators can remotely disable a user’s company network access and erase any company data on the device, all without affecting the user’s personal apps and data. This feature is useful when a device is lost or stolen or when a user’s employment is terminated.
With an EMM, part of the user’s device becomes a controlled endpoint on the company network, just like a desktop computer in the office, and therefore meets the HIPAA data security standards.
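The server-side control loop just described (enrollment, rule checks against device state, access gated on compliance, and a selective wipe that leaves personal data alone) is easier to reason about in code. The following Python model is an added example written for this article; it is not the API of any real EMM product, and every rule value, device record and check-in report in it is constructed for illustration. Note that the device agent reports facts about the passcode (length, character mix, age) rather than the passcode itself, which is how the server can enforce a passcode rule without ever holding the secret.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Policy:
    """Company-defined rules the EMM server enforces (constructed values)."""
    min_passcode_len: int = 8
    require_mixed_passcode: bool = True    # letters and digits, not a bare PIN
    max_passcode_age_days: int = 90        # forces periodic passcode changes
    require_encryption: bool = True
    min_os_version: tuple = (14, 0)


@dataclass
class DeviceReport:
    """What the on-device agent sends at check-in. It reports facts about the
    passcode, never the passcode itself."""
    passcode_len: int
    passcode_mixed: bool
    passcode_set_on: date
    encrypted: bool
    os_version: tuple


@dataclass
class Device:
    device_id: str
    owner: str
    work_container: dict = field(default_factory=dict)   # company data, managed
    personal_data: dict = field(default_factory=dict)    # user's own, untouched
    access_enabled: bool = True
    revoked_reason: Optional[str] = None
    last_violations: List[str] = field(default_factory=list)


class EMMServer:
    """Hypothetical central server: device registry plus rule enforcement."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.devices: Dict[str, Device] = {}

    def enroll(self, device_id: str, owner: str) -> Device:
        dev = Device(device_id, owner)
        self.devices[device_id] = dev
        return dev

    def evaluate(self, report: DeviceReport, today: date) -> List[str]:
        """Return the list of rule violations; an empty list means compliant."""
        p, violations = self.policy, []
        if report.passcode_len < p.min_passcode_len:
            violations.append("passcode too short")
        if p.require_mixed_passcode and not report.passcode_mixed:
            violations.append("passcode must mix letters and digits")
        if (today - report.passcode_set_on).days > p.max_passcode_age_days:
            violations.append("passcode older than %d days" % p.max_passcode_age_days)
        if p.require_encryption and not report.encrypted:
            violations.append("storage not encrypted")
        if report.os_version < p.min_os_version:
            violations.append("OS version below minimum")
        return violations

    def check_in(self, device_id: str, report: DeviceReport, today: date) -> bool:
        """Record the device's compliance state and say whether it may open
        the work container right now."""
        dev = self.devices[device_id]
        dev.last_violations = self.evaluate(report, today)
        return self.work_access_allowed(device_id)

    def work_access_allowed(self, device_id: str) -> bool:
        dev = self.devices[device_id]
        return dev.access_enabled and not dev.last_violations

    def revoke_and_wipe(self, device_id: str, reason: str) -> int:
        """Lost/stolen device or terminated user: disable company access and
        erase only the work container. Returns the number of items removed."""
        dev = self.devices[device_id]
        removed = len(dev.work_container)
        dev.work_container.clear()
        dev.access_enabled = False
        dev.revoked_reason = reason
        return removed


def demo() -> dict:
    """Walk one compliant and one non-compliant device through the loop,
    then selectively wipe the compliant one after a theft report."""
    srv = EMMServer(Policy())
    srv.enroll("nurse-phone", "nurse")
    srv.enroll("admin-phone", "admin")
    today = date(2024, 6, 1)                      # constructed check-in date
    good = DeviceReport(10, True, date(2024, 4, 1), True, (17, 2))
    weak = DeviceReport(4, False, date(2023, 12, 1), True, (17, 2))
    nurse_ok = srv.check_in("nurse-phone", good, today)
    admin_ok = srv.check_in("admin-phone", weak, today)
    nurse = srv.devices["nurse-phone"]
    nurse.work_container.update({"inbox": ["msg-1", "msg-2"], "chart.jpg": b"..."})
    nurse.personal_data.update({"family_photos": 200})
    removed = srv.revoke_and_wipe("nurse-phone", "device reported stolen")
    return {
        "nurse_ok": nurse_ok,
        "admin_ok": admin_ok,
        "admin_violations": srv.devices["admin-phone"].last_violations,
        "removed": removed,
        "work_left": dict(nurse.work_container),
        "personal_left": dict(nurse.personal_data),
        "nurse_access_after": srv.work_access_allowed("nurse-phone"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The useful property to notice is that the server decides access from the agent's report plus its own revocation flag, so a device that drifts out of compliance (an expired passcode, a downgraded OS) loses work access at its next check-in without anyone touching the user's personal files, and the wipe path removes only what the company put there.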
Recently, Apple and Google have released updates to their popular iOS and Android operating systems that simplify and streamline devices’ interoperability with EMM systems, thereby making separation of personal and company data on a single device even more robust and easier to monitor and manage.
The bottom line is that for large organizations, an EMM is the best way to ensure that their mobile device environment, including both company-owned and personal devices, continues to comply with the HIPAA data security standards.
A complete, effective solution must involve both the policy and technology components. Neither one of them works well without the other: Policies alone are difficult to implement without some kind of automated monitoring and enforcement, and technology solutions are nearly useless without policies to guide their configuration.
Together, however, good policies and well-designed technology can ensure healthcare professionals’ ability to use their personal devices in the course of their work while remaining on the right side of the law. The result can be lower costs for the organization, greater productivity for staff, and best of all, better care for patients.