Are Your Employees’ Personal Mobile Devices Secure?

In today’s technological world, employees are more and more likely to access their work accounts remotely – including by personal smartphones or tablets (“personal mobile devices”). This provides convenience and flexibility to your employees, but it can potentially put your information at risk if steps aren’t taken to protect it.

Under HIPAA, a breach occurs when unencrypted Protected Health Information (PHI) is lost or stolen (or is otherwise disclosed to or accessed by an unauthorized person). Employees may use their personal mobile devices to access company email or systems that contain PHI. Therefore, appropriate safeguards must be put in place for such mobile devices in order to ensure that only the device’s owner has access to such information, and that a lost or stolen device does not constitute a reportable breach.

Here are three concrete steps (and a few sub-steps) an employer might take to make sure any PHI related to its group health plans remains secure when accessed via personal mobile devices:

  1. Make sure there are role-based access controls in place to ensure that only those employees who need access to PHI have it.
  2. Require, as a condition of enabling access to the company’s email or other systems, that employees register such devices with the IT Department. As part of the registration process, the IT Department should:
    • Log and track the mobile device;
    • Enable any built-in encryption or otherwise ensure that the device is properly encrypted; and
    • Enable a required login passcode that meets the organization’s password complexity standards. (Employees should not have the option to bypass the passcode requirement.)
  3. Incorporate procedures specific to personal mobile devices into any existing Acceptable Use Policy or Bring Your Own Device (BYOD) Policy. Include provisions that:
    • Prohibit employees from storing PHI locally on any mobile device;
    • Prohibit employees from sharing passcodes or otherwise enabling or promoting unauthorized access to a mobile device;
    • Prohibit employees from installing or using unapproved file-sharing software; and
    • Communicate a process for notifying IT when a device is lost or stolen.
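As an added illustration (not part of the original article and not any particular product's code), the following Python script applies the three steps above to a constructed device inventory of the kind an IT department's registration log or MDM export might contain. It reports compliance gaps per device, gates PHI access on both the owner's role and the device's compliance, and triages a lost-or-stolen report the way the article describes (encrypted device: no breach risk; unencrypted device with ePHI access: potential reportable breach). The `Device` fields, the minimum passcode length and all sample records are assumptions chosen for the example.

```python
"""Added example: applying BYOD/HIPAA device safeguards to a constructed inventory.

All device records and the passcode threshold below are constructed sample data,
not values from the article or from any real organization.
"""
from dataclasses import dataclass
from typing import List, Tuple

MIN_PASSCODE_LENGTH = 6  # assumed organizational complexity standard


@dataclass
class Device:
    device_id: str
    owner: str
    registered: bool          # logged and tracked by IT (step 2)
    encrypted: bool           # built-in encryption enabled (step 2)
    passcode_required: bool   # login passcode enforced, no bypass (step 2)
    passcode_length: int      # assumed to be reported by the device's MDM agent
    phi_role: bool            # owner's role requires PHI access (step 1)
    local_phi_store: bool     # PHI stored locally, prohibited by policy (step 3)


def compliance_issues(d: Device) -> List[str]:
    """Return every way the device falls short of the registration/policy rules."""
    issues: List[str] = []
    if not d.registered:
        issues.append("not registered with IT")
    if not d.encrypted:
        issues.append("encryption not enabled")
    if not d.passcode_required:
        issues.append("passcode not enforced")
    elif d.passcode_length < MIN_PASSCODE_LENGTH:
        issues.append("passcode below complexity standard")
    if d.local_phi_store:
        issues.append("PHI stored locally")
    return issues


def may_access_phi(d: Device) -> bool:
    """Role-based gate (step 1) combined with device compliance (steps 2 and 3):
    only a PHI role, and only from a device with no open issues."""
    return d.phi_role and not compliance_issues(d)


def lost_device_triage(d: Device) -> str:
    """Classify a lost/stolen report as the article describes: an encrypted device
    carries no breach risk; an unencrypted device with ePHI access must be treated
    as a potential reportable breach."""
    if d.encrypted:
        return "no breach risk (encrypted)"
    if d.phi_role or d.local_phi_store:
        return "potential reportable breach (unencrypted, ePHI access)"
    return "no PHI exposure (unencrypted, no ePHI access)"


# Constructed sample inventory (hypothetical owners and device ids).
INVENTORY = [
    Device("dev-001", "alice", registered=True, encrypted=True,
           passcode_required=True, passcode_length=8,
           phi_role=True, local_phi_store=False),
    Device("dev-002", "bob", registered=True, encrypted=False,
           passcode_required=True, passcode_length=4,
           phi_role=True, local_phi_store=False),
    Device("dev-003", "carol", registered=False, encrypted=True,
           passcode_required=False, passcode_length=0,
           phi_role=False, local_phi_store=False),
]


def report(inventory: List[Device] = INVENTORY) -> dict:
    """Per-device summary: (open issues, PHI access allowed, lost-device triage)."""
    summary: dict = {}
    for d in inventory:
        summary[d.device_id] = (compliance_issues(d), may_access_phi(d),
                                lost_device_triage(d))
    return summary


if __name__ == "__main__":
    for device_id, (issues, allowed, triage) in report().items():
        print(f"{device_id}: issues={issues or 'none'}; "
              f"PHI access={'allowed' if allowed else 'blocked'}; "
              f"if lost: {triage}")
```

Run it as a script to print the per-device summary; in practice the `INVENTORY` list would be replaced by the IT department's registration records, and `report()` could be scheduled so that devices drifting out of compliance are caught before they next connect to email or other PHI-bearing systems.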

Remember that if a lost or stolen personal mobile device is properly encrypted, then there is no breach risk. However, unencrypted devices that have access to ePHI do need to be treated as a potential breach if lost or stolen. Ensuring that such devices are encrypted, password protected, and centrally tracked/managed, as well as training your employees on appropriate use of such devices, will greatly reduce your risk of unwanted exposure.