I’m sure most of you know about BYOB, but do you know about BYOD (Bring Your Own Device)?  This is the term used when a company chooses to forgo issuing company-owned mobile computing devices (think smartphones and tablets) and instead encourages its employees to use their own personal mobile devices for business purposes.  In the healthcare context, BYOD has important implications.

For better or for worse, many companies have opted to institute a BYOD policy for a number of reasons.  Here are just a few rationales for BYOD:

  • Employees likely already have a smartphone or tablet or both.
  • Allowing employees to use their own devices provides flexibility.
  • Companies can save money by not having to buy and troubleshoot mobile devices.
  • BYOD facilitates participation in the mHealth and telehealth movements.

Even the market trends illustrate that BYOD is here to stay as market adoption of smartphones is projected to increase to 68% by 2016, up from 12% in 2008.  Importantly, there is also rapid adoption of personal mobile devices by physicians.

However, BYOD in the healthcare context can significantly increase risks related to protecting patient information, among other problems (e.g. malware and risks to patient safety).

I have heard countless anecdotes from healthcare companies that involve breaches of health information stored on smartphones that lack passwords, unsecured SMS texting of health information by providers, and even photos being taken of patients that are then promptly shared through social media websites.  These activities are shocking and can result in multiple violations of Federal (HIPAA / HITECH) and state privacy and security laws.

Even the U.S. Department of Health and Human Services, Office of Civil Rights and Office of the National Coordinator have taken notice of these issues and held a panel last April to address how to safeguard health information on mobile devices.

To avoid the liabilities arising from non-compliance with applicable privacy and security laws and regulations, healthcare entities should proactively implement controls around the various personal devices floating around their organizations.

So what are some specific steps healthcare entities can take to address privacy and security risk in a BYOD environment?

  • Survey the workforce to get insight into the use of personal mobile devices.
  • Adopt a mobile device policy and implement related procedures.
  • Periodically train employees on appropriate use of personal mobile devices.
  • Require strong passwords.
  • Encrypt personal mobile devices.
  • Require enabling inactivity time out functions.
  • Implement role-based access controls.
  • Consider installing GPS location and remote-wipe capabilities.
  • Turn off cloud backup capabilities.
  • Sanction employees that violate the company policy.
  • Conduct a risk analysis . . . AND MITIGATE THOSE RISKS!
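Several of the controls above (strong passcodes, encryption, inactivity time-outs, remote wipe, cloud backup turned off, role-based access) are device-posture settings that a mobile device management (MDM) export can report on, which makes the "conduct a risk analysis and mitigate" step something you can actually check rather than just assert. The script below is an added example, not code from the blog post or from any MDM vendor: it scores a constructed device inventory against a constructed baseline policy and lists, per device owner, which controls are missing. The `Device` fields, the `POLICY` thresholds and the sample owners are all assumptions for illustration; a real entity would take the thresholds from its own risk analysis and the records from its MDM.

```python
"""Evaluate a BYOD device inventory against a minimum mobile-device policy.

Added example, not from the blog post.  The device records and the policy
thresholds below are constructed for illustration; real values would come
from an MDM export and from the entity's own risk analysis.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Device:
    owner: str
    role: str                  # workforce role, used for the role-based access check
    passcode_set: bool
    passcode_min_length: int   # length enforced by the device's screen-lock policy
    encrypted: bool            # device storage encryption turned on
    inactivity_timeout_s: int  # seconds before the screen locks; 0 means never
    remote_wipe_enrolled: bool
    cloud_backup_enabled: bool
    ephi_apps: list = field(default_factory=list)  # apps that can hold patient data


# Baseline derived from the controls listed in the post (thresholds are constructed).
POLICY = {
    "min_passcode_length": 8,
    "max_inactivity_timeout_s": 300,
    "roles_allowed_ephi": {"physician", "nurse", "billing"},
}


def evaluate_device(device: Device, policy: dict = POLICY) -> list[str]:
    """Return the policy findings for one device; an empty list means it complies."""
    findings = []
    if not device.passcode_set:
        findings.append("no passcode")
    elif device.passcode_min_length < policy["min_passcode_length"]:
        findings.append(f"passcode shorter than {policy['min_passcode_length']}")
    if not device.encrypted:
        findings.append("storage not encrypted")
    if (device.inactivity_timeout_s == 0
            or device.inactivity_timeout_s > policy["max_inactivity_timeout_s"]):
        findings.append("inactivity timeout missing or too long")
    if not device.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe")
    # Cloud backup only matters if the device actually carries apps that hold PHI.
    if device.cloud_backup_enabled and device.ephi_apps:
        findings.append("cloud backup enabled on a device holding PHI apps")
    # Role-based access: PHI apps only on devices whose owner's role permits them.
    if device.ephi_apps and device.role not in policy["roles_allowed_ephi"]:
        findings.append(f"role '{device.role}' not permitted PHI access")
    return findings


def noncompliant_devices(inventory: list[Device], policy: dict = POLICY) -> dict:
    """Map owner -> findings for every device that fails at least one control."""
    report = {}
    for device in inventory:
        findings = evaluate_device(device, policy)
        if findings:
            report[device.owner] = findings
    return report


# Constructed sample inventory, shaped like a small MDM export after a workforce survey.
SAMPLE_INVENTORY = [
    Device("dr.alpha", "physician", True, 8, True, 120, True, False, ["ehr-mobile"]),
    Device("nurse.beta", "nurse", True, 4, True, 600, True, True, ["secure-messaging"]),
    Device("tech.gamma", "facilities", False, 0, False, 0, False, True, ["ehr-mobile"]),
]

if __name__ == "__main__":
    for owner, findings in noncompliant_devices(SAMPLE_INVENTORY).items():
        print(f"{owner}: {'; '.join(findings)}")
```

Run against the sample inventory, only the physician's device passes; the nurse's device fails on passcode length, time-out and cloud backup, and the facilities device fails every control, including the role check because a PHI app is present on a device whose owner has no role that permits it. The point of keeping the checks in one function is that the same evaluation can be re-run on every inventory refresh, which is what turns the "periodically" in the training and risk-analysis items into something measurable.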

Opting for BYOD does not necessarily translate to a total lack of control over your environment.  Rather, healthcare entities should leverage the enterprise support provided by personal mobile device manufacturers to determine the optimal mix of safeguards to employ to manage risks to patient privacy.  Nonetheless, keep in mind that companies marketing personal mobile devices are more focused on end-user consumer needs and desires, which can sometimes run counter to business needs.

Therefore, the success of BYOD hinges on a healthcare entity’s ability to assess risks in a BYOD environment, develop strategies to manage those risks, and employ reasonable tactics to carry out the risk management strategy.

Back to Health Law Advisor Blog
