Carefully Considering the Risks of a BYOD Policy in Healthcare
“My friend’s company lets her use her phone at work,” a resident tells you. “Find a way to make it work,” mutters your facility administrator while keeping his eyes glued to his iPhone. Whether they like it or not, healthcare compliance officers and CIOs are faced with a growing dilemma: seemingly everyone in their organization wants to adopt a bring your own device (BYOD) mobile policy, and the benefits of empowering facility employees with greater access to company data typically drown out the significant and lingering data control concerns.
If you find yourself considering a BYOD policy, the first thing you should assess is your risks. In fact, as OCR/HHS and any hospital CIO who has suffered through a data breach will tell you, security risk assessments form the centerpiece of any HIPAA compliance plan. So what are the unique risks of adopting a BYOD policy in the healthcare world?
Primary Concern of HIPAA Security Rule
A primary concern that a CIO or CCO should consider is the transmission of PHI between providers via text message. Even if the purpose behind the communication is treatment related, the HIPAA Security Rule prohibits sending PHI through an unsecured channel, which is almost always the case with texting. Moreover, with intermingled work and personal contact lists, the risk of inadvertently sending PHI to an individual outside of the organization is ever present.
Risks to Consider for a BYOD Policy
Another risk to consider is the storage of PHI in a mobile device’s native texting application. Coordinating patient care across a team through a series of text messages can yield great benefits, but the transcript each user creates via a text dialogue presents enormous risks if it is not encrypted on the device. A workforce member who loses his or her phone with such unsecured data saved locally has just caused the HIPAA Privacy Officer to disclose a breach to OCR.
A third important risk to consider when rolling out a BYOD policy is the third parties behind the phone applications that may have access to patient PHI. As the recent HIPAA Omnibus regulations made clear, cloud-based vendors that store PHI are considered business associates under the law. If a facility neglects to enter into business associate agreements with these data-storing providers, it will face sanctions when this fact is uncovered after a reportable security incident or HIPAA audit.
Careful Risk Assessment Is Crucial
At the end of the day, CIOs and CCOs need to carefully consider their risks before rolling out a full BYOD policy. Practically speaking, however, mobile device data sharing between hospital workforce members is probably already going on at your facility – BYOD policy or not. Identifying and mitigating the risks associated with the mobile device movement will save hospital information administrators major headaches down the road when OCR comes knocking on the door.