These days with our health care clients, the question seems to be “to use or not to use your own device? What the heck does that mean?
Well as patient and service technologies continue to grow, the need for “devices” grows as well. This can represent a very large financial burden on the company or practice. As a result, more are facing a financial and security based decision as to which path to choose for their employees.
Absolutely the most secure method for management is through company owned devices, i.e. tablets, laptops, telephones etc. When company issued, the security is greater, the management ability of the device is easier and you are able to protect against more things HIPPA related. On the other hand, allowing your employees to utilize their personal device is far less expensive and can provide for a successful environment.
It is very important to establish a documented policy in either respect. This policy should certainly include employee executed agreements on the how, where and what to do segments relating to the information being accessed and or maintained on those devices. As we have stated many times, the courts really pretty much “expect” a breach or data issue to happen to you at some point. What they then want to see is how prepared and regimented you had been in the control and protection of private health information (PHI). In either path, you should have very clear documentation of how to manage and protect data, how applications are monitored and managed, how your data is stored, and ultimately what the responsibilities are relative to these factors between employees and the company.
What we are trying to say is that if you show well documented process, thoughtful policies around data security and device management, but still have an unexpected issue/breech or situation such as a lost device. Then the courts tend to be more understanding, if not however, they can be very narrow in what they ultimately see as your failures in preparation for the inevitable.
Start small and build your procedures. What if a device gets lost, did it contain PHI? How will you respond, who need to know, how can you evidence what was or was not on the device? All of these things are much easier controlled and understood when the company provides the device.
Here is a real world example: an employee of an in home physical therapist, using their own telephone for work assignments, patient information access etc. This employee accidentally left their phone at a local coffee shop while killing some time between patients. Now you have an employee unable to communicate back to the office or their patients right? Well you also have much larger things to consider; what information was on the device, how complicated were the passwords to gain access to the device, where was the device being backed up? Still not following?
Think about it this way, if that field clinician has perhaps jotted down some thought regarding patient care in their notepad, maybe taken pictures of improvements in range of motion as a result of physical therapy, anything pertaining to a patient. Well you now perhaps have a data issue that could require specific reporting and disclosure. How would you know what that data was? What if this is a personal device tied to a personal cloud account that the patient information has been backed up to? Remember a picture is a picture on the device, if that employee is backing up their photos to the cloud, ALL pictures including those of the patient are now being retained in a third party environment of which you as a company/practice have no access whatsoever.
Now think of that same scenario as described, this time though, it is just an irate employee who quits your practice. What patient info, did they just take with them that you don’t know about?
While a lot of those issues can be addressed through particular executed agreements with staff utilizing their own devices, it does still create a higher level of documentation and performance than perhaps company issued devices. Bottom line, you’re going to spend your time and money to address and manage either environment.
Here are some comparative items to consider:
BYOD (bring your own device)
- Employee satisfaction – employees tend to like what they are comfortable with, their own device
- Less expensive to the company
- Sometimes actually a better device, people tend to buy nicer devices than they need personally, especially when they are buying only one device versus several hundred.
- Sometime easier for business continuity following an unexpected outage or work from home scenario
- Device care – people just simply see to take better care of things they have purchased versus being provided
CPD (company provided devices)
- Security – easier to control and administer if company owned
- Capability to monitor and control how data is being viewed, stored and sought
- Control of environmental issues, i.e. which networks can be connected to, what devices may be linked or have data shared between them
- Ensure patches and updates are being administered properly and consistently
- Consistency in devices being utilized, i.e. Apple and Microsoft don’t always play well together. You can run the same software on different operating system, but they most usually have some functional difference.
If you would like to talk more about how to manage these issues, or simply like a new set of perspectives on what you’re currently doing to manage these issues. Please give us a call, we will gladly provide a free consultation.