Whether at home, on the road, or in the exam room with a patient, family medicine physician Saroj Misra is almost always armed with two or three devices: his Apple iPhone, iPad, and MacBook Pro laptop.
As a result, the lines between personal and professional sometimes blur. A personal text can arrive on the same device Misra uses to retrieve and update patient data.
Ordinarily, such frequent use of personal devices to swap patient information with colleagues and access patient records would raise HIPAA red flags.
But a few years ago Misra's employer, St. John Providence Health System in Detroit, which oversees five hospitals and more than 125 medical facilities in southeast Michigan, put into place a "bring your own device" or "BYOD" policy to lessen the likelihood that protected health information (PHI) would ever leak out.
As part of the policy, physicians are required to "attest" in writing that they understand HIPAA and will use their devices in a way that protects their practice, which means implementing a security password and username on the interface, and to install a remote-tracking app that allows doctors to erase data should a device get lost or stolen.
"If you don't do these things, you're not allowed to access the EHR system," says Misra.
Today, more physicians like Misra bring their own smartphones, tablets, and other personal devices to work. According to our 2013 Technology Survey, Sponsored by ZirMed, 35 percent of physician respondents said they are using tablets for work purposes. And 51 percent are using smartphones for work purposes. A growing number of organizations are expecting doctors will use their mobile devices to do their jobs, but not all are totally comfortable with this.
"About one-third of [healthcare] organizations embrace clinicians bringing their own devices, about a third are still holding back on that, and there's a middle third that are still actively figuring out how to address it," says Kenneth Kleinberg, managing director of research and insights for The Advisory Board Company.
But while many healthcare organizations embrace doctors using their own gear, not having BYOD policies can be risky and lead to a data breach (and HHS financial penalties). Here's how to better manage BYOD at your medical practice.
The rise and risks of BYOD
Today, more physicians than ever use EHRs to document patient data (76 percent of physicians, according to our survey), and almost all major EHR vendors now have versions of their flagship products compatible with smartphones and tablets (50 percent of physicians said their EHRs are mobile accessible, according to our survey). Couple the rise of health IT with the growing sophistication of mobile technology, and it's easy to see how most clinicians are tethered to their smartphones and tablets, and why they can't work without them.
"There are advantages to bringing your own device for the organization," says Lee Kim, director of privacy and security for the Health Information Management and Systems Society. "The plus side is the corporation does not have to spend the money to buy the device because it's employee owned. The other advantage is that … your smartphone is with you 24/7 so the employee might be more accessible or responsive. They'll be on that device a lot more than an employer-provided device."
However, data suggest that security is still taking a backseat to convenience.
A March 2013 study of 1,000 full-time American workers on BYOD from Cisco IT channel firms, which resell and service Cisco products in the United States, reveals 89 percent of healthcare workers use their personal smartphones for work purposes. However, 41 percent of healthcare employees' personal mobile devices are not password protected, and 53 percent of healthcare employees access unsecured Wi-Fi networks with their smartphones.