Nearly all health care professionals are now using smartphones, laptops, and tablets at work. Properly implemented, these mobile devices are valuable clinical tools. As healthcare embraces mobile, hospitals and clinics need policies to ensure that devices are used safely and efficiently by management, doctors, nurses, and staff. This article offers eight areas to consider when developing your hospital or clinic’s mobile device policy.

According to a recent survey, 96 percent of healthcare IT decision makers who implemented a mobile device initiative saw a positive impact on the patient experience. Employees also benefit when health care organizations embrace mobile devices. Whether your institution provides employees with devices or operates a “Bring Your Own Device” (BYOD) policy, it’s important to be aware of any existing cellphone or mobile device guidelines.

For hospitals or clinics developing or revising their mobile device policy, here are eight topics and questions to consider, adapted from HealthIT.gov. These suggestions focus on employees, but healthcare institutions should also develop policies for patients and families. We’ve also included sample text from cellphone and mobile device policies developed by other hospitals and clinics.

How to Develop your Hospital or Clinic’s Mobile Device Policy

“Organizations should develop and implement reasonable and appropriate policies and procedures to safeguard health information, including those specific to mobile devices.” – HealthIT.gov

1. Mobile Device Management

  • Have you identified all the mobile devices being used at your institution? How will you track them?
  • Who is responsible for checking security settings on mobile devices used for remote access to your hospital or clinic?
  • Will you regularly review or audit mobile devices?

From Union Hospital’s Cell/Camera Phone Use Policy:
“Employees may use their Hospital-issued cell phone for personal use as long as the phone is used primarily for business and the usage does not exceed the monthly fee that is paid by the Hospital…. Use of Cell/Camera phone during work, for other than Hospital business should be avoided. Personal calls should be limited to break and meal breaks. All employees are required to silence their cell/camera phones while they are working.”

2. BYOD (Bring Your Own Device)

  • Should your organization let providers and professionals use their personally owned mobile devices at work?
  • Can providers and professionals connect to internal networks or systems with their personal devices?

From The University of Alabama At Birmingham’s HIPAA Core Policy: Use of Mobile Devices:
“Workforce members shall not use personally owned portable devices for work related purposes unless such use is specifically approved by senior management. If use of a personal portable device is approved by senior management, then the device must comply with all applicable policies and standards and must be made available to UAB for routine or special analyses. In addition, the device must be set-up in English.”

3. Restrictions on Mobile Device Use

  • Can employees use mobile devices to access internal networks or systems, such as an EHR?
  • Are providers and professionals restricted from using mobile devices when they are away from the organization?
  • Can employees take their mobile devices home?
  • Should your organization allow texting or emailing of health information?

From Stanford Medicine’s Policies and Resources for Encryption and Securing Devices:
“Students must take appropriate steps to protect the iPad and data against loss or theft, e.g. not leaving iPads in public places, not checking iPads in luggage, and not leaving iPads in vehicles unless the vehicle is locked and the iPad is hidden from view.”

4. Security/Configuration Settings for Mobile Devices

  • Will your organization institute standard configuration and technical controls on all mobile devices used to access internal networks or systems?

From Stanford Medicine’s Policies and Resources for Encryption and Securing Devices:
“For every School of Medicine affiliate who might use or store this type of data [Protected Health Information], every device used for Stanford work (even if only for email) must be verifiably encrypted. If you have a device that cannot meet the encryption requirements, it must not be used for Stanford work. This applies to both Stanford-owned as well as personally-owned devices.”

5. Information Storage on Mobile Devices

  • Does your organization restrict the type of information employees can store on mobile devices?
  • If so, where and for how long should the data be stored?
  • Can employees download mobile applications? If so, what types of applications are approved?

From Stanford Medicine’s Policies and Resources for Encryption and Securing Devices:
“Students may not store personal health information (PHI) on the iPad. If students choose to access EPIC or other patient record databases, they must do so in alignment with HIPAA compliance guidelines and hospital policies regarding iPad and other mobile device use. If use of the iPad should compromise the security of patient records in any way, students must be prepared to accept full responsibility for the breach, including responsibility for any financial penalties incurred.”

6. Misuse of Mobile Devices

  • What happens when someone messes up? Does your organization have written procedures for addressing misuse of mobile devices?

From Union Hospital’s Cell/Camera Phone Use Policy:
“Any employee who violates this policy or who uses a cellular telephone in an unapproved manner may be subject to discipline in accordance with the best interests of the Hospital. Generally, the type of disciplinary or corrective actions taken by the Hospital will be determined on an individual basis and will be in proportion to the nature of and circumstances surrounding the violation. Corrective actions may include oral warnings, written warnings, withdrawal of a Hospital-issued cellular telephone, and employee termination, in accordance with Performance Management Policy HR-311.”

7. Recovery/Deactivation of Mobile Devices

  • Will your organization have procedures for wiping or disabling devices that are lost or stolen?
  • What will happen to mobile devices when providers and professionals end their employment or association with the organization?

From The University of Alabama At Birmingham’s HIPAA Core Policy: Use of Mobile Devices:
“System Administrators shall maintain a log of such data destruction that lists the device, the date of destruction, the workforce personnel authorizing the destruction, general description of the ePHI or other sensitive information (if available), and the identity of the workforce personnel performing the destruction.”

8. Mobile Device Training

  • How is your organization training management, doctors, nurses, and staff on policies and procedures?
  • How does your organization hold its employees accountable for non-compliance?

Mobile devices are increasingly ubiquitous in health care work environments. While smartphones and tablets offer countless benefits, they also present new security risks, especially when used to transmit or access patient information. Any entity regulated by HIPAA should include provisions in their mobile health policy that secure protected health information while maximizing the benefits of mobile devices in health care.