Creating your practice's 'Bring your own mobile device' policy

October 21, 2014

Understand the legal issues of letting employees use their personal smartphones and other mobile devices for work purposes.

More healthcare employees are using personal smartphones and tablets for work-related purposes. There are advantages to employees being able to use a device of their choice to communicate with other employees, remain accessible, and work remotely.

But bring your own device (BYOD) also poses legal concerns and the potential for data breaches.

In particular, one concern employers must keep in mind is overtime issues under the U.S. Fair Labor Standards Act. When non-exempt employees are given access to company e-mail and other data outside on their personal devices outside of their regular working hours, employers should be aware that this time may constitute additional working hours, and thus potentially overtime, for which the employee must be compensated.

Minimizing risk

A well-drafted BYOD policy minimizes these risks by outlining preventative controls, emphasizing security, and informing employees of their responsibilities for keeping data safe. In addition to a written policy, employers are frequently employing mobile device management (MDM) service providers for security tools to protect devices and data. This software addresses many of the risks associated with personal mobile devices. For example, most MDM software has the capability to encrypt data on mobile devices and remotely lock and wipe out the devices in the event they are lost or stolen.

Accessing employing devices

Employees should be warned if there is a situation where the organization may need to access personal information on the employee’s device. In this regard, the employer should explain what information is being tracked and how that information is being used and stored. Finally, employers should remind employees of their duty to comply with legal and ethical regulations, including intellectual property laws and laws governing proprietary or trade secret information. The policy should also prohibit the use of devices for harassment or discrimination. 

The importance of training

As with any new policy or procedure, employers should consider instituting a training program to educate employees on the importance of compliance with BYOD policies and being careful with the access and transmission of confidential information. While there is certainly a temptation for employers to prohibit the use of personal devices to access company information, employers should recognize that the trend towards BYOD is likely to stay. A strong BYOD policy and an informed staff are the surest ways to prevent security breaches.

Next: Creating a device policy

 

Device policies

Employers should use tools for the greatest protection of sensitive company information and create or revise existing BYOD policies. Some important considerations to incorporate into such policies:

Acceptable use terms

Employers should indicate the business purposes for which the device may be used, and any limitations to that use.

Ownership/Control

Employers should clearly define who owns the data stored on the device. Employers should also indicate that the company is not responsible for employees’ lost or stolen personal data on the device.

Protocols for handling lost or stolen device, including remote-wipe capability

Employees should immediately notify designated personnel of theft or loss of device. The employer should also have mechanisms in place to remotely wipe either the entire device or only a folder of the device containing company information, thereby protecting the employee’s personal data. Healthcare institutions face an extra layer of concern over security and privacy associated with personal health information (PHI) being transmitted and the potential for Health Insurance Portability and Accountability Act (HIPAA) violations. In the event of a data breach containing PHI, potential HIPAA breaches must be reported to the employer.

Multiple levels of security

Employers should consider requiring two passwords as an extra layer of security.  Employers may also require antivirus or protective software on the employee’s device.

Prevent local storage of sensitive information on device

The employer should implement measures to prevent sensitive information from being stored locally and/or without password protection.

Cloud storage prohibitions/limitations

Employers should identify which cloud storage and file sharing services have known risks and are too risky to permit employees to use to  transmit confidential information.

Payment/Reimbursement

If the employer requires the employee to pay for a service plan, the employer should indicate that it is not responsible for payment.  However, if the employer is responsible for paying for certain charges, the BYOD policy should clearly spell out the payment structure.

Termination

Employers should address what happens to the cell phone number and company data in the event an employee’s employment is terminated. 

Abuse of policy

Employers should indicate the consequences for violating the BYOD policy, such as the loss of privileges to access company data remotely.

Obtain written consent

Employees should attest in writing to receiving the BYOD policy.