HIMSS: Mobile devices raise thorny legal issues in healthcare

NEW ORLEANS - The use of mobile devices in healthcare environments offers unique security challenges, and institutions must implement and -- most importantly -- enforce policies regarding their use to mitigate legal risk, according to a Wednesday presentation at the Healthcare Information and Management Systems Society (HIMSS) meeting.

Organizations will need to develop a mobile devices policy that applies to their particular circumstances, however, as there isn't a one-size-fits-all policy that works for everyone, said Brian Balow, an attorney with law firm Dickinson Wright.

"Enterprises and entities might think it's OK to reach out to the Web, find a sample policy, and put it in the drawer and say we're compliant," he said. "I can tell you right now it's not going to work. If you get audited or something comes up, it's not going to work for you."

Balow discussed the legal issues associated with the use of mobile devices during a HIMSS Knowledge Center session.

In terms of security challenges, mobile devices are more likely to be lost compared to other devices, he said. In addition, the practice of "bring your own device" (BYOD) -- in which staff members use their own mobile devices to connect to the corporate network -- increases risk, as these devices may be shared with others. Users may not be technically sophisticated and may be more likely to pick up a virus.

If multiple devices are used, that's a lot for IT teams to manage, as security measures must be employed to protect the various platforms, Balow said. He noted that institutions must also consider the ways employees use devices and the kinds of issues that could arise, such as the use of social media, random websites, and even the texting of patient protected health information (PHI).

"I don't know why they would do it, but healthcare personnel have used their mobile devices to text PHI about patients," he said. "And related to that, there have been numerous cases where healthcare personnel have used their iPads or other tablet devices to access social media sites like Facebook to post protected health information, including photos of patients."

Institutions should also keep an eye out for employee use of jailbroken devices that allow them to get around security safeguards for those particular devices, he said.

Healthcare organizations need to be concerned about the use of mobile devices due to compliance concerns for PHI and to comply with internal controls for protecting confidential business information about your own company.

Laws that may apply to mobile devices include breach notification laws, data destruction laws, litigation holds over the location of data, and wage and hour laws that lead to paying overtime for use of devices for business purposes after hours, he said. Malpractice issues may also come into play.

Increased scrutiny

Legislators are raising concerns about the use of mobile devices in healthcare regarding the safety, security, and reliability of the network infrastructure, he said. In addition, a number of agencies are evaluating this issue, including the U.S. Food and Drug Administration (FDA), the Federal Communications Commission (FCC), the U.S. Department of Commerce's National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and the U.S. Department of Health and Human Services' Office for Civil Rights (OCR).

Regulatory activity regarding mobile devices is also picking up on the state level, particularly in California. In February 2012, California launched the Mobile App Privacy Program, which has signed on companies such as Amazon, Apple, Google, Hewlett-Packard, Microsoft, Research in Motion, and Facebook, Balow said. A Privacy Enforcement and Protection Unit was created in July.

U.S. enforcement bodies include the OCR, which monitors HIPAA violations. The FTC focuses on protecting consumers, so no industry is off-limits, according to Balow. State attorneys general also enforce HIPAA penalties.

With the HIPAA final rule released in January, covered entities, business associates, and subcontractors must adopt appropriate data security safeguards for PHI, he said.

"There are no more excuses," he said.

Unauthorized PHI disclosures or other failures to comply with HIPAA Privacy and Security rules may result in civil penalties and potential criminal liability.


Healthcare institutions should draft a BYOD policy to protect their patients' rights, to instill professionalism throughout the enterprise, and to protect both the organization and employees from liability, according to Balow.

Before developing such a policy, organizations should understand their IT enterprise and weigh the economic pros and cons of BYOD to the enterprise, he said. They should also perform a formal risk assessment to understand the risks to the enterprise from BYOD.

"Then determine, based on these considerations, whether to adopt BYOD," he said.

Stakeholders who should be involved in this process include senior management, the chief medical information officer/chief privacy officer, the chief IT officer, IT staff, and the legal/regulatory and human resources departments, Balow said.

Many separate policies affect the use of BYOD, including acceptable use policies, security policies, social media policy, remote access policy, remote working policy, incident response policy, breach notification policy, privacy policies, and a litigation hold policy, he said.

A discrete BYOD policy should cover issues such as those in this document from the SANS Institute, he said. It should also incorporate other related policies such as privacy, acceptable use, and social media by referring to them.

In addition to stating why the policy was created, it should delineate its scope, including supported devices, the state of supported devices (such as if they are jailbroken), reimbursement of costs, approved applications, and other limitations such as the use of cameras.

The policy should also spell out who it covers, Balow said. Roles and responsibilities for implementation should be included, and the policy needs to be enforced.

"This policy should have been created yesterday if you are already allowing BYOD, and today if you have decided to allow BYOD," he said.

Balow also suggested some other resources on this topic, including a federal government BYOD toolkit and a HIMSS white paper on the consumerization of mobile devices.

Page 1 of 775
Next Page