HIPAA highlight: Bring your own device

© MclittleStock - stock.adobe.com

Mobile devices are integral to life – both personally and professionally. While some companies issue devices specifically for company business or deploy software that bifurcates personal and business phone numbers on one device, others permit workforce members to bring your own device (“BYOD”). Regardless of the choices just mentioned, there are still cybersecurity and legal considerations, which range from inadequate technical, physical, and administrative safeguards to discovery issues, legal hold issues, and regulatory issues, which include but are not limited to the Health Information Portability and Accountability Act of 1996 (“HIPAA”), as well as the related laws and regulations, and other industry requirements such as the Financial Industry Regulatory Authority (“FINRA”) requirements.

As the Office of the National Coordinator for Health Information Technology (“ONC”), which falls under the U.S. Department of Health and Human Services (“HHS”), asserts, “[i]f you use a mobile device to access an organization’s internal network or system, the owner of that network or system’s policies and procedures apply to your use of the mobile device to gain such access. It is your responsibility to understand and follow the organization’s policies and procedures.” This leads to fundamental questions, which should be part of every HIPAA risk analysis (45 CFR § 164.308) or other similar audit/assessment/analysis. Select questions are as follows:

• Does your organization have a BYOD policy and procedure?
• Does the employee handbook reference the BYOD policy?
• Is there an attestation that an employee signs indicating that they agree to adhere to the BYOD policies and employee handbook, as well as the specific items outlined in the attestation document?
• Is it clear that the BYOD policy is not optional?
• Are there centralized security management considerations including the following:
  • Inventory log of the employee, device type and device number
  • Configuration requirements, such as installing remote disabling on all mobile devices
  • Management practices, such as setting policy
  • Encryption of the device
  • Updating patches
  • Having remote monitoring software that collects data for back-up purposes but is able to select what apps are included, so that personal banking, healthcare and other apps are not included
  • Explaining that personal contacts and text messages are subject to the remote monitoring but that privacy will be respected but in the event that a legal hold is triggered, the company, government entity, or opposing party may have access to the relevant information.
• Registering an employee’smobile device with the organization will allow the organization to control who has access to its network or system and will keep unauthorized persons from accessing its network or systems. Registering your mobile device with your organization may also help the organization or police find your mobile device if it is lost or stolen. Contact your organization’s Privacy Officer or Security Officer to register your mobile device. You may need to provide the serial number of your mobile device.
• How is the data backed up?

To sum up the importance of BYOD policies, procedures, and safeguards, an ONC statement is apropos.

Due to their small size and portability, mobile devices have a higher risk of being lost or stolen than desktop computers. If you store unsecured health information on a mobile device and the device is lost or stolen, the confidentiality and privacy of health information may be compromised.

If you are allowed to store data on your mobile device, you should know whether the organization has any limits to data storage. For example, does the organization require you to delete information after it has been backed up to a secure server? Does your organization require you to delete information after a set period of time? Does your organization require you to backup health information from your mobile device to a secure server?

The Securities and Exchange Commission, Commodities Futures Trading Commission, and FINRA have taken enforcement actions and issued significant monetary penalties for not having text messages backed up and/or utilizing personal devices that were not registered and did not adhere to BYOD policies.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.