
Inviting Legal to the BYOD Party - MoHIMA · 2016-04-18

Date post: 17-Jul-2020
Inviting Legal to the BYOD Party

Laura Clark Fey, Esq., Principal, Fey LLC

Agenda

• Overview of BYOD in Healthcare

• Legal Risks Associated with BYOD

• Recommendations to Address Legal Risks

© 2016 Fey|LLC · 4/21/2016

content management & defensible disposition · regulatory compliance · eDiscovery & legal holds · data privacy & cybersecurity


OVERVIEW OF BYOD IN HEALTHCARE


Healthcare BYOD Adoption

73% of surveyed healthcare organizations support some form of BYOD


Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results) 


Staff Members Allowed to Participate in Healthcare BYOD


Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results) 

Top Drivers for Permitting Healthcare BYOD


Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results) 


Top Healthcare BYOD Challenges


Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results) 

Primary Reasons for Disallowing Healthcare BYOD


Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results) 


Types of Information That May be Breached


• Protected Health Information (Diagnosis, Treatment, Medical Conditions)

• Social Security Information

• Financial Records (Credit Card, Bank Account)

Key Healthcare BYOD Security Risks

• Stolen medical records are valuable on the black market

• Stolen medical records may be used to illegally obtain prescription drugs

• Stolen medical records may be used to commit insurance fraud



Special Challenges for Protecting PHI on Personal Devices

• Personal devices are commonly lost or stolen

• Difficult to protect the confidentiality of PHI on personal devices of users who are affiliated with multiple medical hospitals/facilities

• Challenging to enforce security requirements on personal devices


LEGAL RISKS ASSOCIATED WITH BYOD



Legal Risk: Failure to Protect Against Breach of Confidential Information (Including PHI and PII)

• Data breach notification obligations

• Regulatory or state attorney general investigations

• Civil lawsuits

Legal Risk: Failure to Comply with HIPAA Obligations

• Privacy Rule limits uses and disclosures of PHI without patient authorization, and sets forth broad requirements to protect PHI in all forms

• Security Rule requires reasonable and appropriate administrative, technical, and physical safeguards for protecting e‐PHI

• HIPAA violations are expensive



Legal Risk: Failure to Comply with Legal Hold Obligations

• Legal hold obligations extend to personal devices when used for business purposes

• General Rule: Unique legal hold‐related information on personal devices must be preserved

• Failure to preserve can result in significant sanctions


Legal Risk: Failure to Comply with Privacy Obligations to Employees

• Some jurisdictions require notice prior to any employee monitoring

• Intrusion on employee privacy may result in litigation

• Loss of employee‐owned data on a personal device may result in litigation



Other Legal Risks

• Loss of necessary access to information by other medical professionals

• Failure to compensate for overtime work performed remotely 

• Liability from texting while driving accidents

• Breach of confidential entity data

• Payment disputes with employees


RECOMMENDATIONS TO ADDRESS LEGAL RISKS



Ten Recommendations to Protect Data (Including PHI and PII) on Personal Devices

• Ensure risk assessments address personal devices

• Implement appropriate technology solutions

• Enforce prohibition on usage of banned apps

• Enforce screen locks, encryption, strong passwords, and anti‐malware protection

• Require employees to keep personal devices up‐to‐date


Ten Recommendations to Protect Data (Including PHI and PII) on Personal Devices (continued)

• Prohibit jailbreaking and rooting

• Secure your network against rogue devices

• Ensure ability to wipe company data from device

• Implement and train on procedures for selling, replacing, or discarding personal devices

• Define security incident procedures for personal devices 



Bonus Recommendation: Implement and Train on Strong BYOD Policy

• Consider all perspectives

• Develop comprehensive BYOD Policy clearly setting forth both entity’s and employees’ rights

• Implement BYOD Policy through training, FAQs, and other educational resources 

• Monitor compliance, and periodically review and update BYOD Policy

• Review and update related policies and procedures touching on BYOD


Five Recommendations to Address Employee Privacy Risks

• Require employees to segregate personal data

• Retain record of unambiguous, written employee consent to BYOD Policy

• Ensure BYOD Policy clearly sets out rights to monitor, access, review, and disclose company or other data on personal devices, as well as employees’ obligations 

• Address privacy concerns while planning for preservation of information on personal devices

• If possible, provide notice and obtain consent before wiping or destroying data on personal devices



Five Recommendations to Address Legal Hold Risks

• Ensure policy language addressing legal hold compliance is broad enough to cover legal hold‐related information on mobile devices

• Update legal hold procedures to cover preservation of information on personal devices 

• Promptly identify and preserve legal hold‐related information on personal devices

• Provide clear instructions to employees to suspend auto deletion and take other steps to guard against changing or deleting data

• Update offboarding processes to address preservation of legal hold‐related information


Five Recommendations to Address Other Legal Risks

• Access to Information: Prohibit storage of unique patient information on personal devices

• Overtime Disputes: Where appropriate, prohibit non‐exempt employees from working after hours; if not prohibited, require employees to account for time

• Texting/Driving Risks: Prohibit texting while driving by policy

• Breach of Confidential Entity Data: Implement DLP systems and offboarding processes

• Payment Disputes with Employees: Clearly address who pays for the device, as well as voice and data access



Any questions?


Thank you for attending!

Laura Clark Fey, Esq., CIPP/US, CIPP/E, CIPM
Principal, Fey|LLC


E-Mail: lfey@feyllc.com

Direct: 913.948.6301

Mobile: 816.518.6554
