July 26, 2014

Bring Your Own Device Programs and Health Care: Too Risky to Work?

Recent workplace surveys report that as many as 87% of employees use personal electronic devices for work, raising compliance, data loss, and security risks for their employers. As a result, designing a workable “bring-your-own-device” (BYOD) program is probably overdue.

The immediate reaction of many health care organizations is to ban the practice rather than risk compliance problems. BYOD is a tricky issue, without question, but it is important to consider the realities of the situation rather than getting tied up in an unrealistic policy: 48% of companies claim they would never authorize employees to use personal devices for work, yet 57% acknowledge that employees do it anyway. The wave of mobile devices has already flooded your offices; the question now is what to do about it.

Even if you permit BYOD only in limited circumstances, it’s still important to lay the ground rules that will help maximize compliance and minimize risk. We can cover only a few key considerations in this article, but here are some of the major issues.

Information Security and Compliance

HIPAA compliance will be the first concern of any health care organization implementing BYOD, and rightly so. HIPAA is heavy on policy and security requirements, so unless PHI will never be accessed or stored on personal devices, at least part of that compliance program (starting with the risk analysis) will need to be revisited. The risk of a reportable security breach also may increase, although that risk is likely already present given the substantial percentages of employees who admit to using their own devices for work regardless of employer restrictions. Enterprise-managed BYOD may improve the odds by providing malware protection, better access controls, remote wiping, and transmission security. Encryption deserves particular attention: the breach notification rule applies to unsecured PHI, so a lost or stolen device whose PHI is encrypted consistent with HHS guidance generally does not trigger notification, while an unencrypted one does.

Social Media

If you enable BYOD, social media use may go up, but temper your zeal to prohibit or monitor that use. In recent years, employers have repeatedly been dinged by the National Labor Relations Board for overly broad social media policies, have been found liable for accessing employees' social media communications in unauthorized ways, and have scaled back reviews of social network sites because of Fair Credit Reporting Act liability. Employers should revisit their social media policies to make sure they are not already running afoul of this rapidly evolving list of pitfalls. You can read more about any of these issues in publications available on our website.

Employee Privacy

Like it or not, employees retain some privacy rights that your warnings about having no expectation of privacy on company equipment do not reach. Although you can revise applicable policies for BYOD, your employee owns the device and is clearly entitled to make personal use of it. Moreover, that device effectively tracks their whereabouts around the clock and records all manner of activities: websites visited, items purchased, books read, games played, photos taken, apps used, and calls and messages sent and received. Your organization must decide the extent to which it actually needs to know such information and plan accordingly; collecting less than you could is often the safer course.

e-Discovery and Departing Employees

Inevitably, if employees store work-related information locally on their devices, retrieving the device may become necessary in legal discovery or when an employee leaves the company. For litigation, strict protocols providing for immediate preservation before employees modify or delete files are crucial. Expect BYOD to add expense and delay both to discovery and to the employee-departure process.

Building an Effective BYOD Program

The first step in building an effective BYOD program is to identify your security framework. At minimum, policies and/or terms of use should require device-level security such as strong passcodes, malware protection, full-device encryption, lock-outs following inactivity, and remote wiping capabilities. Note that a remote wipe only takes effect once the device reconnects to a network, so encryption is the control that actually protects data in the interval between loss and wipe. Mobile device management (MDM) provides a more advanced option; most MDM products give employees a secure tether to the office to access resources remotely through an application on the device. MDM improves on device-level security by minimizing the risk of data loss and preserving data integrity and access control through containerized solutions that keep work data separate from personal data. For the command-and-control set, a virtual-desktop infrastructure (VDI) may hold appeal. With VDI, applications and data are stored centrally, unlike MDM, where some data and apps live locally on the device. Maintaining secure access credentials and effective user authentication become paramount, but the device itself holds no work-related data to be lost or breached. To determine which approach is best, inventory your business units, their activities, and their current or proposed use of mobile devices.

The next major step is to provide a program framework through documentation. A written program policy is needed to establish privacy boundaries and set security expectations. You also should review existing social media, security, and compliance policies to ensure you have not set contradictory requirements or limitations. The last piece of documentation should be terms of use that employees commit to in exchange for the privilege of using BYOD, including express consent to remote wiping of all content on the device, personal content included, if the device is lost, stolen, or the employee departs.

Last, support your security and policy framework with training, reminders, and program reviews to help employees remember the requirements and to help your organization establish legal compliance.

© 2014 Poyner Spruill LLP. All rights reserved.

About the Author

Tara N. Cho, Poyner Spruill Law Firm, Privacy Attorney

Tara’s practice focuses on privacy and information security. She advises on privacy issues and the identification of potential risks, and on the development of associated policies and procedures to maintain compliance. She is also experienced with privacy compliance auditing, regulatory requirements in clinical research, European data protection requirements and Safe Harbor certifications, data transfer agreements and contract negotiation.


About the Author

Elizabeth Johnson, Privacy and Information Security Attorney, Poyner Spruill

Elizabeth’s practice focuses on privacy, information security, and records management. Her comprehensive, practical approach to privacy law is reflected by the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecom, utility, technology, consumer goods and client services. Elizabeth has also worked with organizations of various size and scope, ranging from Fortune 100 companies with international reach to local charities. She was listed among the top privacy professionals in Computerworld’s...


Published in The National Law Review (National Law Forum LLC).