Step 4: Develop, Document, and Implement

Develop, document, and implement the organization’s mobile device policies and procedures to safeguard health information.

Organizations should develop and implement reasonable and appropriate policies and procedures to safeguard health information, including those specific to mobile devices. Here are some topics and questions to consider when developing mobile device policies and procedures:

  1. Mobile Device Management
    • If the organization allows the use of mobile devices, what should the organization do about managing the use of mobile devices?
      • Has the organization identified all the mobile devices that are being used in the organization? How is the organization keeping track of them?
      • Has the organization assigned responsibility to check all mobile devices used for remote access, to find out if selected security/configuration settings are enabled?
      • Should there be a regular review and audit of the mobile devices?
  2. BYOD (Bring Your Own Device)
    • Should the organization let providers and professionals use their personally owned mobile devices within the organization?
    • Should providers and professionals be able to connect to the organization’s internal network or system with their personally owned mobile devices, either remotely or on site?
  3. Restrictions on Mobile Device Use
    • Does the organization restrict how providers and professionals can use mobile devices?
      • Can providers and professionals use mobile devices to access internal networks or systems, such as an EHR?
      • Are providers and professionals restricted from using mobile devices when they are away from the organization?
      • Can providers and professionals take their mobile devices home?
      • Should the organization allow texting or emailing of health information?
  4. Security/Configuration Settings for Mobile Devices
    • Will the organization institute standard configuration and technical controls on all mobile devices used to access internal networks or systems, such as an EHR?
      • If so, is the organization's current mobile device configuration documented, including connections to other systems/applications, inside and outside of the firewall?
  5. Information Storage on Mobile Devices
    • Are there restrictions on the type of information providers and professionals can store on mobile devices?
      • If so, where and for how long should the data be stored?
    • Are providers and professionals allowed to download mobile applications to mobile devices? If so, what type(s) of applications are approved?
  6. Misuse of Mobile Devices
    • Does the organization have written procedures for addressing misuse of mobile devices?
  7. Recovery/Deactivation of Mobile Devices
    • Does the organization have procedures to wipe or disable a mobile device that is lost or stolen?
    • Does the organization have standard procedures to recover mobile devices from providers and professionals when their employment or association with the organization ends?
  8. Mobile Device Training
    • How is the organization training its workforce (management, doctors, nurses, and staff) on policies and procedures?
    • How does the organization hold its workforce (management, doctors, nurses, and staff) accountable for non-compliance?