Managing Mobile Devices In Today’s Private Practice World
By Paul J. Welk, PT, JD*
A recently published article estimates that 81 percent of adults in the United States own a smartphone, with only 6 percent of this population not owning a mobile phone.1
Given these statistics and the realities of today, everyone reading this article has presumably experienced, or will experience, the need to consider the appropriate use of mobile and other electronic devices (hereinafter “devices”) in the workplace. This article will highlight a number of issues for private practices to consider as they seek to manage the use of devices in the clinic.
Although employees have been bringing personal items such as laptop computers to the clinic for years, the proliferation of device types has heightened the need for practices to consider how to manage employees and their devices. One way to help manage devices is through the development and implementation of a “bring your own device” policy, a policy that allows employees to bring their personal devices to the workplace subject to specific requirements. (Despite the common name “bring your own device” policy, these policies often also address an employee’s use of employer-issued devices.) While some practices elect to prohibit the use of any personal devices for work-related functions, other employers consider issues such as employee productivity, cost-benefit analysis, risk, and employee satisfaction and elect to allow employees to use personal devices for work-related functions and connect these devices to the practice’s network.
Initially, it should come as no surprise that the Health Insurance Portability and Accountability Act (HIPAA) is an important issue to consider when discussing the use of devices in clinical practice. In short, HIPAA does not prohibit the use of personal devices. However, HIPAA does apply to protected health information transmitted through devices (for example, via email, text, or other forms), as well as to information stored on these devices. In part, HIPAA requires covered entities, which would include the vast majority of physical therapy private practices, to implement appropriate physical, technical, and administrative safeguards to protect the privacy of protected health information. While a detailed review of HIPAA is outside the scope of this article, the U.S. Department of Health and Human Services provides fairly extensive resources and guidance on HIPAA compliance related to the security of protected health information, including guidance related to devices and data transmission.2
Given the diversity of how physical therapy practices operate, it is difficult to provide specific detailed guidance as to the necessary contents of a “bring your own device” policy for a particular practice. Therefore, the purpose of this article in large part is to highlight issues to consider in developing such a policy for a practice. Although this is a fairly extensive list, practices should consider:
- Starting with an audit. An audit of employees’ devices currently in use can serve as a good initial step in policy development. What devices will be supported by the practice? Phones? A particular brand of phone? Tablets? Etc.
- Who is allowed to access the practice’s Wi-Fi network? All employees? Only clinical providers? Some other subset of employees?
- Will patients in the waiting room be permitted to utilize the same Wi-Fi network as clinical providers?
- Who will retain ownership of the practice’s data? How will this data be handled when an employee terminates employment or a device is lost or stolen?
- From an employment law perspective, if employees work on evenings and weekends on their devices, how are they compensated for this work?
- Will employees be permitted to use cameras and video recording on devices as part of the workday? If yes, are these recordings treated as part of the medical record?
- How will the practice control the use of devices for personal reasons or recreation during the workday? It is easy to imagine an employee who spends the majority of his or her workday sending text messages to friends and family or watching sporting events on a personal device.
- Who is responsible for charges incurred on the employee’s data plan that relate to work-related activities?
- How will the practice assure that the employee is appropriately updating the phone with manufacturer and network updates?
- Will the policy include a requirement that devices lock after a set period of time?
- Will a password or PIN code be required? What are the complexity requirements of the password? How often must the password be reset?
- Does the practice have the ability to wipe a device remotely, and if so, under what circumstances?
- Which groups of employees will be permitted to use devices as part of the scope of their employment? Clinical providers? Others?
- Who should participate in establishing a practice’s “bring your own device” policy? The practice’s IT provider? Human resources? Others?
- What types of ongoing audits are needed to assess compliance with the practice’s policy?
Once these issues and any other practice-specific concerns are considered and a policy is established, it is important to train staff on the policy requirements and maintain records documenting staff training. In certain cases, a practice may also wish to consider Mobile Device Management software, which assists the employer in managing applicable devices.
While this article may contain more questions than answers, that is in large part its point. Each practice will have unique circumstances that it must consider in establishing a “bring your own device” policy. Regardless of the particular terms, establishing a “bring your own device” policy enables a practice to effectively permit the use of personal devices while mitigating the risk that a device leads to a privacy or other claim against the practice.
1Smartphone ownership is growing rapidly around the world, but not always equally. Available at www.pewresearch.org/global/2019/02/05/smartphone-ownership-is-growing-rapidly-around-the-world-but-not-always-equally. Accessed October 9, 2019.
2See, by way of example: Security 101 for Covered Entities, www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/security101.pdf?language=es, and a number of Frequently Asked Questions available at www.hhs.gov/hipaa/for-professionals/faq/index.html. Accessed October 9, 2019.
Paul J. Welk, PT, JD, is a PPS member and an attorney with Tucker Arensberg, P.C., where he frequently advises physical therapy private practices in the areas of corporate and health care law. Questions and comments can be directed to firstname.lastname@example.org or (412) 594-5536.
Please note that this article is not intended to, and does not, serve as legal advice to the reader but is for general information purposes only.
*The author has a professional affiliation with this subject.