HIPAA Mobile Devices Policy – Open Source

Mobile devices – smartphones and their relatives – are becoming ubiquitous in healthcare. Mobile device-powered healthcare, or “mhealth,” really does hold promise of improving care and some administration and other services, I think. (Don’t ask me about ROI, though; after all this time I refuse to have an opinion on the ROI of any HIT.) Anyway, I learned a long time ago that if a powerful healthcare user base – doctors in an academic medical center, say – wants to use mobile devices, IT and IS can’t say no. Sometimes they can’t even say no to really questionable practices, like “bring your own device” (“BYOD”). Even if the device creates new risks unrecognized by pontificating pundits.

At the same time, healthcare organizations which allow mobile devices are still responsible for their use, and in particular for their compliance with HIPAA and its state law and other correlates – which don’t, as it happens, say anything specific about them. (Not that we really want them to – technology-agnostic rules are in the long run a better idea.) So we have to figure it out for ourselves.

In the spirit of advancing the cause of compliant mhealth, then, I am sharing the Mobile Devices Policy I developed and use on an open-source basis. The basic legalities for your use of this form, should you choose to do so, are:

  1. This blog is not legal advice. If you want legal advice, I have to accept the engagement, and you probably have to pay me. The following document, on the other hand, is provided for informational and educational purposes only, and you use or adapt it at your own risk.
  2. If you do use or adapt it, please do me the favor of providing attribution to me. In fact, that’s legally required under the Attribution/Share Alike open source license under which such use and adaptation is permitted, as follows: Copyright 2012 © John R. Christiansen/Christiansen IT Law – Attribution/Share-Alike 3.0 License. Redistribution, use and derivative works permitted provided that attribution to John R. Christiansen is included.

So, here’s the form:

_________________________________________________________________________________________

COVERED ENTITY

Mobile Devices Policy 

A. Purpose.

The purpose of this Mobile Devices Policy is to allow for the authorized use of smartphones and other portable computing and communications devices (“Mobile Devices”) at COVERED ENTITY Facilities by authorized members of the COVERED ENTITY Workforce (“Users”).

B. General Introduction.

Mobile Devices can support better health care and more efficient administration in health care organizations. At the same time the use of such devices creates new risks to patient privacy, Protected Health Information (“PHI”) and employee and organizational confidentiality, and intellectual property. This Policy is therefore intended to permit the use of such devices while managing the risks they present.

The use of Mobile Devices under this Policy is a privilege which may be terminated at any time for violation of this Policy, or as a sanction for violation of other COVERED ENTITY policies. Violation of this Policy may be grounds for other sanctions as well.

C. Individuals Subject to this Policy.

This Policy applies to all members of the COVERED ENTITY Workforce, including all employees, volunteers, trainees and any other person whose conduct is under the direct control of COVERED ENTITY in the performance of work for or on behalf of COVERED ENTITY.

D. Information Subject to this Policy.

This Policy applies to all information owned by COVERED ENTITY, as well as all private, sensitive or confidential information which COVERED ENTITY is obliged by law or contract to protect against unauthorized use, disclosure, copying or alteration. This includes, without limitation:

  • Protected Health Information, as defined under HIPAA.
  • Intellectual property such as copyrighted text or graphics.
  • Confidential personal or organizational information, such as employee records and financial information.
  • Sensitive visual information, such as patient faces or physical security safeguards, which may be subject to photographing or video capture.
  • Metadata pertaining to events and activities occurring in or by use of a Mobile Device, or any other electronic computing or communication device.

E. Devices Subject to this Policy.

This Policy applies to all electronic computing and communications devices which may be readily carried by an individual and are capable of receiving, processing, or transmitting digital information from any data source, whether directly (by download or upload, text entry, photograph or video) or through a wireless, network or direct connection to a computer, another Mobile Device, or any equipment capable of recording, storing or transmitting digital information (such as copiers or medical devices). Mobile Devices therefore include but are not limited to smartphones, digital music players, hand-held computers, laptop computers, tablet computers, and personal digital assistants (PDAs).

Digital storage devices such as portable hard drives and USB (thumb) drives, as well as office and medical equipment capable of recording, storing or transmitting digital information, such as imaging equipment or copiers, are not Mobile Devices subject to this Policy. Please see <applicable COVERED ENTITY policies> for information on such devices.

This Policy applies to personally-owned Mobile Devices as well as Mobile Devices owned or leased and provided by COVERED ENTITY.

F. Prohibited Mobile Devices.

Mobile Devices which may produce electromagnetic interference with medical devices or equipment, or which cannot be or have not been configured to comply with this Policy, are prohibited.

G. Authorization to Use Mobile Devices.

No Mobile Device may be used for any purpose or activity involving information subject to this Policy without prior registration of the device and written authorization by <the IT Department/Security Office/etc.>. Authorization will be given only for use of Mobile Devices which <the IT Department/Security Office/etc.> has confirmed have been configured so that they comply with this Policy. Authorization must be requested in writing by the <supervisor or head of the department in which the User works>.

Access to, and the obtaining, use and disclosure of, information subject to this Policy by means of a Mobile Device, and any use of a Mobile Device in any COVERED ENTITY facility or office, including an authorized home office or remote site, must be in compliance with all COVERED ENTITY policies at all times.

Authorization to use a Mobile Device may be suspended at any time:

  • If the User fails or refuses to comply with this Policy;
  • In order to avoid, prevent or mitigate the consequences of a violation of this Policy;
  • In connection with the investigation of a possible or proven security breach, security incident, or violation of COVERED ENTITY policies;
  • In order to protect the life, health, privacy, reputational or financial interests of any individual, or to protect any assets, information, reputational or financial interests of COVERED ENTITY;
  • Upon request of the <supervisor or head of the department in which the User works>; or
  • Upon the direction of <the CISO, CIO, General Counsel, CFO, COO, CEO, CRO?>.

Authorization to use a Mobile Device terminates:

  • Automatically upon the termination of a User’s status as a member of the COVERED ENTITY Workforce;
  • Upon a change in the User’s role as a member of the COVERED ENTITY Workforce, unless continued authorization is requested by the <supervisor or head of the department in which the User works>; or
  • If it is determined, in accordance with COVERED ENTITY policies, that the User violated this or any other COVERED ENTITY policy.

The use of a Mobile Device without authorization, while authorization is suspended, or after authorization has been terminated is a violation of this Policy.

H. Audit of Mobile Devices.

Upon request by <the IT Department/Security Office/etc.>, at its sole discretion at any time, any Mobile Device may be subject to audit to ensure compliance with this and other COVERED ENTITY policies. Any User receiving such a request shall transfer possession of the Mobile Device to <the IT Department/Security Office/etc.> at once, unless a later transfer date and time is indicated in the request, and shall not delete or modify any information subject to this Policy which is stored on the Mobile Device after receiving the request.

I. Evidentiary Access to Mobile Devices.

Upon notice of a litigation hold by <the IT Department/Security Office/etc.> or <Legal Department>, at their sole discretion at any time, any Mobile Device may be subject to transfer to the possession of <the IT Department/Security Office/etc.> to ensure compliance with the litigation hold. Any User receiving such a notification shall transfer possession of the Mobile Device to <the IT Department/Security Office/etc.> at once, unless a later transfer date and time is indicated in the notification, and shall not delete or modify any information subject to this Policy which is stored on the Mobile Device after receiving the notification.

J. Mobile Device User Responsibilities.

In addition to other requirements and prohibitions of this and other COVERED ENTITY policies, Mobile Device Users have the following responsibilities:

  • Information subject to this Policy which is stored on the Mobile Device must be encrypted as provided in COVERED ENTITY policy. Information subject to this Policy should not be stored on the Mobile Device for any period longer than necessary for the purpose for which it is stored.
  • A Mobile Device may not be shared at any time when unencrypted information subject to this Policy is stored on the device.
  • A Mobile Device which does not have unencrypted information subject to this Policy stored on it may be shared temporarily, provided that:
    • The User may not share the password or PIN used to access the Mobile Device, but must open access for shared use him- or herself.
    • The configuration of the device to comply with this Policy must not be changed.
    • The individual using the device must not further share it; must protect it against being misplaced, lost or stolen, and must immediately report to the User if it is; and must return it promptly to the authorized User when finished with the temporary use.
    • The individual using the device must not use it to obtain, process, use or disclose information subject to this Policy.
  • Access to each Mobile Device must be controlled by a password or PIN consistent with COVERED ENTITY policy. Passwords or PINs must be changed periodically as provided in COVERED ENTITY policy. The Mobile Device must allow a maximum of __ attempts to enter the password or PIN correctly.
  • The idle timeout for access to a Mobile Device must be a maximum of __ minutes.
  • Information subject to this Policy which is transmitted wirelessly by the Mobile Device must be encrypted unless an exception is authorized. Exceptions must be authorized by <the IT Department/Security Office/etc.>.
  • If possible, Mobile Devices must have antivirus software. Mobile Devices which cannot support antivirus software may be subject to limitations on use at the discretion of <the IT Department/Security Office/etc.>, as specified in writing by <the IT Department/Security Office/etc.>.
  • Physical protection for Mobile Devices must be provided as required by COVERED ENTITY policy.
  • If the Mobile Device is misplaced, stolen or believed to be compromised, this must be immediately reported to <the IT Department/Security Office/etc.>.
  • Applications and services installed on the Mobile Device must be approved by <the IT Department/Security Office/etc.>.
  • Bluetooth and infrared (IR) services must be configured as approved by <the IT Department/Security Office/etc.> or turned off.
  • Mobile Devices must be disposed of according to COVERED ENTITY policy.

K. Personal Use of Mobile Devices.

Personal Use of Mobile Devices owned or leased and provided by COVERED ENTITY is subject to the COVERED ENTITY Acceptable Use Policy.

Personal use of personally-owned Mobile Devices is not subject to the Acceptable Use Policy, but must at all times be consistent with this Policy.

All information on a Mobile Device, including personal information about or entered by the User, may be subject to audit or evidentiary review as provided in this Policy. Any such personal information may be used or disclosed by COVERED ENTITY to the extent it deems reasonably necessary:

  • In order to avoid, prevent or mitigate the consequences of a violation of this Policy;
  • In connection with the investigation of a possible or proven security breach, security incident, or violation of COVERED ENTITY policies;
  • In order to protect the life, health, privacy, reputational or financial interests of any individual;
  • To protect any assets, information, reputational or financial interests of COVERED ENTITY;
  • For purposes of determining sanctions against the User or any other member of the COVERED ENTITY Workforce;
  • For purposes of litigation involving the User;
  • If Required by Law.

L. Prohibited Uses of Mobile Devices.

The following uses of Mobile Devices are prohibited:

  • The storage of information subject to this Policy, including voice messages, voice notes, email, instant messages, web pages and electronic documents, photographs, images and videos, unless they are encrypted.
  • The Internet or wireless transmission or upload of information subject to this Policy, including voice messages, voice notes, email, instant messages, web pages and electronic documents, photographs, images and videos, without encryption, unless previously authorized in writing by <the IT Department/Security Office/etc.>.
  • The creation of any photograph, image, video, voice or other recording of any individual who is a patient or member of the Workforce of COVERED ENTITY, except in compliance with COVERED ENTITY policy.
  • The creation of any photograph, image, video, voice or other recording of any document, record, computer or device screen which includes information subject to this Policy, except in compliance with COVERED ENTITY policy.
