mHealth-Innovate (76) Developing guidance for use of personal mobile phones for work purposes (4)

17 May, 2025

With thanks to HIFA member Margaret Winker for alerting us to this article. Extracts and a comment from me below.

==

Cell Phone Usage at Work & HIPAA Compliance: Uncovering the Risks

https://www.compassitc.com/blog/cell-phone-usage-at-work-hipaa-complianc...

Numerous medical institutions, aiming to reduce expenses, have implemented policies that permit their staff, such as doctors and nurses, to utilize their personal electronic devices for work-related purposes. Alternatively, some organizations choose to provide staff with specialized healthcare mobile devices, finding it a more effective way to control network security.

Integrating smartphones in healthcare involves complying with HIPAA's mandates for covered entities to enforce technical policies and procedures. These strategies are vital to guarantee that Protected Health Information (PHI) is accessible only to authorized personnel. This is particularly important when smartphones and other mobile devices are employed to handle, store, or share electronic PHI (ePHI). These devices need solid security, like user logins and several protective measures, to keep data breaches at bay.

The Office for Civil Rights (OCR) mentions that it is okay to use mobile devices in healthcare, as per HIPAA, but you need to have proper physical, administrative, and tech safeguards. These steps are crucial to keep ePHI (electronic Protected Health Information) safe, whether it is on the devices or stored in the cloud...

“Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the e-PHI.”

Should the organization let providers and professionals use their personally owned mobile devices within the organization?

Should providers and professionals be able to connect to the organization’s internal network or system with their personally owned mobile devices, either remotely or on site?

Should the organization allow texting or emailing of health information?

Does the organization have written procedures for addressing misuse of mobile devices?

Does the organization have procedures to wipe or disable a mobile device that is lost or stolen?

==

COMMENT (NPW): Again the main issue is patient privacy and confidentiality. It seems likely that any guidance on the use of personal mobile phones for work purposes will have this issue first and foremost. The technical aspects of (for example) HIPAA compliance are quite complex and it does seem that guidance needs to be highly context-specific. It is likely that much can be done to reduce risk, simply by guiding health workers on whether/how they should use their phone for work purposes. It would be helpful to have case studies of breaches of confidentiality and how these might have been avoided. The above article suggests 'numerous medical institutions' have policies on the use of personal mobile phones for work purposes, and yet the only statement we have identified in this discussion so far is the RCN statement for nurses in the UK. Can anyone locate any other examples of policy in this area?

HIFA profile: Neil Pakenham-Walsh is coordinator of HIFA (Healthcare Information For All), a global health community that brings all stakeholders together around the shared goal of universal access to reliable healthcare information. HIFA has 20,000 members in 180 countries, interacting in four languages and representing all parts of the global evidence ecosystem. HIFA is administered by Global Healthcare Information Network, a UK-based nonprofit in official relations with the World Health Organization. Email: neil@hifa.org