• Lock-out features and specifications
• Appropriate use of texting
• Appropriate use of camera and video
• Appropriate use of sensitive information
• Alteration of factory defaults and operating systems (i.e.,
• Appropriate use of applications and conditions of downloading software
• Reservation of rights by the healthcare facility to examine the system for compliance and investigation of incidents
• Procedures during employee or contractor termination
A clear definition of data ownership. Organizational policies must clearly define data that belong to the organization and data that may belong to the individual user. Clinicians and organizations may sometimes differ in their respective viewpoints regarding what patient data belong to the organization and which may belong to the clinician. Such issues must be resolved and appropriate controls established to safeguard ePHI
Required written authorization by the HIM director or the privacy and security officers when mobile devices are to be used to collect or maintain patient health information; for example, the requirement for each user to sign a “rules of behavior”
Conditions under which it is appropriate to use a mobile device. Mobile device users should refrain from transporting sensitive patient information on a mobile device unless an approved workflow is in place for the specific use in question. For instance, it may be appropriate to configure some devices for direct access to a patient care system. This does not mean it is appropriate for all mobile devices to access the system.
Rules of behavior and expectations for acceptable use of mobile devices. Such rules may cover specific expectations such as not using mobile devices to photograph patients, visitors, staff, and facilities. The rules of behavior should also specifically communicate expectations regarding the use of mobile devices by physicians (including outside physicians), contractors, and other non-employees.
Organizations should be sure to cover policy expectations related to the use of social media and social networking on mobile devices. Organizations often have such policies for use inside the facility and often forget to address them in the mobile environment.
Appropriate technologies and techniques for the destruction of sensitive information after use on the device. This should include a time period for destroying the information and the use of a safeguard that can verify the status of the information on a device (specifically mobile device management software).
Appropriate identification of what constitutes sensitive information. Sensitive information is any information that may identify a patient and a particular treatment or diagnosis. Often clinicians will think in terms of an entire medical record being sensitive, while small components are not. It is important to define the term within the organization’s policy as a method to establish a common definition as to what constitutes sensitive
For example, a text file containing only a name and medical record number may not be considered sensitive if it is labeled “Today’s List.” It may take on a different level of sensitivity should it be identified as “Today’s Cancer Treatment Appointments.”
Specific procedures for the reporting of device loss or theft. Each organization should educate its workforce members on how to report loss or theft of a mobile device. Users should note the serial numbers for all electronic devices they may possess and store them in a secure location. Such numbers increase the likelihood of finding a device if it is stolen.
In the event of a loss or theft, users should immediately make notes regarding the incident and what took place. These notes will come in handy during the ensuing investigations.
Organizational procedures should detail who to call, what hours to call, and the expected details needed to properly document the incident. A police report should always be made in the event of an incident and forwarded to the incident investigation
Organizations should consider tools that allow mobile devices to be inventoried for sensitive data. Such inventories will aid investigators when attempting to determine if a breach occurred.
Appropriate data management techniques involving the use of sensitive information on a mobile device. Healthcare organizations should determine and distribute information governing such things as creation of “sole source or unique data,” back-up expectations and procedures, transfer of information to and from the device, and how to securely erase traces of sensitive information from the device. Additional considerations should include roles, responsibilities, and expectations regarding access to corporate resources such as e-mail, calendars, and distribution and contact lists.
In addition, organizations must set clear workforce accountability and expectations regarding the use of mobile devices.
• Require that employees be familiar with the organization’s policies and procedures relative to the appropriate use of mobile devices prior to being assigned mobile
• Require that employees be familiar with the facility’s policies and procedures relative to confidentiality of patient
• Educate employees about the potential risks caused by computer or information theft or loss.
• Require that all users sign a copy of the policy statement or guidelines for mobile devices prior to being allowed to use or synchronize a device.
• Educate the employee on how and when to appropriately back up the data on the device. Data should not be backed up to personal workstations, cloud technologies, or other