More than 70 percent of providers currently use mobile devices to access patients' electronic medical records, according to a recent survey. In response, many hospitals have implemented bring your own device (BYOD) policies, guidelines under which medical staff can use personal mobile technology for clinical tasks.
However, this fall's compliance deadline for the HIPAA Omnibus Final Rule, together with the rollout of meaningful use stage 2 and its stricter data-privacy requirements, raises the risks associated with such policies: a personal phone that caches protected health information is subject to the same breach-notification and safeguard rules as any hospital system.
"It's pretty clear that BYOD policies can facilitate smoother workflows and increase efficiency — characteristics that hospital systems and physicians need," says Stephen Li, CIO of Jersey City (N.J.) Medical Center (JCMC).
To help hospitals design and implement a BYOD policy that will reap the benefits of device usage in the hospital while mitigating risks, Mr. Li offers five best practices for hospital administrators.
1. Choose customizable technology. As hospitals across the country develop BYOD policies, "it's becoming obvious that, while most hospitals can utilize standard mobile technology packages, each hospital system has somewhat different needs," says Mr. Li. And because a hospital's needs may also change over time, the technology chosen should be customizable to fit them. Mr. Li and his team were able to select features for the app they adopted, Practice Unite, that fit the needs of the hospital, including the ability to send consults, news articles and images; request procedures; survey users; and send message alerts.
"Other hospitals may need BYOD devices to perform other functions," says Mr. Li. "Having the ability to customize to both the hospitals' and users' needs, without having to re-credential new systems in order to add functionality, is helpful."
2. Test before launch. "In addition to vetting a BYOD policy on paper, it's important to see how a mobile application works in practice," says Mr. Li. After a BYOD policy existed on paper and was confirmed to meet the hospital's security requirements, Mr. Li and his team organized a test run. "We had in-house and outside compliance counsel actually use the app prior to approval," he says. This allowed the security safeguards to be exercised on real devices, not just reviewed in a document, before the policy was officially rolled out.
3. Set high security standards, but do not ignore usability. The communications app chosen by Mr. Li and JCMC comes preset with high security standards. The app "requires users to login with a personal PIN, logs out devices after 15 minutes of inactivity, auto-wipes devices every 24 hours, has the ability to wipe a mobile device remotely and terminate any user at any time, prohibits 'copy and paste' functionality and requires multiple levels of backend password protection," says Mr. Li.
However, during the initial stages of the BYOD rollout at JCMC, Mr. Li says administrators got pushback from physicians over a required six- to eight-character, mixed-character password to use the app.
JCMC worked with the app developer to replace that particular password feature. "We realize now that, if a mobile application is to be effective, it must integrate usability and security," says Mr. Li. The trade-off is real: a short PIN is only defensible when the app limits guesses and does not leave a long-lived cache of patient data on the handset, which is what the idle timeout, lockout and auto-wipe controls above are for.
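As an added illustration, not code from Practice Unite, JCMC or the article's author, the following Python models the app-side controls quoted above: a PIN gate with a slow hash, a 15-minute idle timeout that activity resets, a 24-hour auto-wipe of locally cached data, and a remote wipe that terminates the user. The five-attempt lockout, the six-digit minimum PIN, the PBKDF2 parameters and the sample consult text are assumptions for the example and do not come from the article; the clock is injectable so the timeouts can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Policy constants from the controls quoted in the article.
INACTIVITY_TIMEOUT_S = 15 * 60       # log out after 15 minutes idle
LOCAL_DATA_TTL_S = 24 * 60 * 60      # auto-wipe locally cached data every 24 hours
# Assumed for the example (not stated in the article).
MAX_PIN_ATTEMPTS = 5                 # wrong PINs before the device is terminated
MIN_PIN_LEN = 6
PBKDF2_ITERATIONS = 100_000


def pin_is_acceptable(pin: str, min_len: int = MIN_PIN_LEN) -> bool:
    """Reject PINs a lockout threshold cannot protect: short, all-same or sequential digits."""
    if not pin.isdigit() or len(pin) < min_len:
        return False
    if len(set(pin)) == 1:                      # 000000, 111111
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {-1})             # 123456, 654321


def _derive(pin: str, salt: bytes) -> bytes:
    """Slow hash so a short PIN on a stolen device is not trivially brute-forced offline."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class FakeClock:
    """Deterministic stand-in for time.monotonic() so timeouts can be tested."""
    def __init__(self, t: float = 0.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class ClinicalSession:
    """App-side session state: PIN gate, idle timeout, 24h cache wipe, remote wipe."""

    def __init__(self, pin: str, clock=time.monotonic):
        if not pin_is_acceptable(pin):
            raise ValueError("PIN too weak for a lockout-protected gate")
        self._clock = clock
        self._salt = os.urandom(16)
        self._pin_hash = _derive(pin, self._salt)
        self._failed_attempts = 0
        self._terminated = False
        self._unlocked_until = None          # absolute time at which the idle timeout fires
        self._cache = {}                     # locally cached PHI, e.g. consult text
        self._cache_created = clock()

    def _enforce(self) -> None:
        """Apply time-based policy: idle logout and the 24-hour auto-wipe."""
        now = self._clock()
        if self._unlocked_until is not None and now > self._unlocked_until:
            self._unlocked_until = None
        if now - self._cache_created >= LOCAL_DATA_TTL_S:
            self.wipe()

    def is_unlocked(self) -> bool:
        self._enforce()
        return self._unlocked_until is not None

    def unlock(self, pin: str) -> bool:
        """PIN check with lockout; a terminated device never unlocks again."""
        self._enforce()
        if self._terminated:
            return False
        if hmac.compare_digest(_derive(pin, self._salt), self._pin_hash):
            self._failed_attempts = 0
            self._unlocked_until = self._clock() + INACTIVITY_TIMEOUT_S
            return True
        self._failed_attempts += 1
        if self._failed_attempts >= MAX_PIN_ATTEMPTS:
            self.remote_wipe_and_terminate()
        return False

    def _require_unlocked(self) -> None:
        if not self.is_unlocked():
            raise PermissionError("session locked: enter PIN")
        self._unlocked_until = self._clock() + INACTIVITY_TIMEOUT_S   # activity resets idle timer

    def put(self, key: str, value: str) -> None:
        self._require_unlocked()
        self._cache[key] = value

    def get(self, key: str):
        self._require_unlocked()
        return self._cache.get(key)

    def cached_item_count(self) -> int:
        self._enforce()
        return len(self._cache)

    def wipe(self) -> None:
        """Clear cached PHI and lock; used by the 24h auto-wipe and by remote wipe."""
        self._cache.clear()
        self._cache_created = self._clock()
        self._unlocked_until = None

    def remote_wipe_and_terminate(self) -> None:
        self.wipe()
        self._terminated = True


if __name__ == "__main__":
    clk = FakeClock()
    s = ClinicalSession("482913", clock=clk)        # constructed sample PIN
    s.unlock("482913")
    s.put("consult:123", "Pt stable, recommend f/u")   # constructed sample data
    clk.advance(16 * 60)
    print("unlocked after 16 idle minutes:", s.is_unlocked())
```

Activity resets the idle timer (so a clinician mid-consult is not logged out at minute 15 on the dot), while the 24-hour wipe runs on wall-clock age regardless of use; both are checked lazily on every call rather than by a background thread, which is the simplest way to make the policy hold even if the app is suspended.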
4. Ensure vendor HIPAA compliance. Hospitals need to ensure not only that their own mobile policies are HIPAA-compliant but also that their mobile vendors are. Written agreements between hospitals and vendors should "define how vendors meet the security and privacy provisions of HIPAA and the HITECH Act, as well as reporting and other responsibilities in case of a breach," says Mr. Li. Under HIPAA, a vendor that handles protected health information on the hospital's behalf is a business associate, and this written agreement is the business associate agreement the rule requires.
Additionally, hospitals should ensure vendors have similar written agreements with sub-vendors to ensure no gaps in compliance, says Mr. Li. The Omnibus Final Rule extends business associate obligations to subcontractors, so a hosting or messaging provider behind the app vendor is within scope as well.
5. Embrace the inevitability of BYOD. "Mobile technologies are here to stay," says Mr. Li. He sees BYOD policies as a way to govern device use that is already happening in hospitals, rather than as permission for it. Resisting staff use of mobile devices would be pointless, he says.
"Organizations cannot put their heads in the sand and believe this is a short-term fad; this is a paradigm shift throughout society and will facilitate the flow of information to people that need it, when they need it, and through an untethered medium," says Mr. Li. "The key is to provide the proper guardrails in a pragmatic manner to ensure data privacy and security."