As smartphones and other mobile devices become more accessible, employees in every profession are spending more of their time using their devices in the workplace. That can be particularly problematic in a medical practice setting where personal health information (PHI) is regularly being discussed.
If your practice doesn’t already have a policy about the use of smartphones and other technology in the office, it needs one, says Eric Christensen, director of client services, Healthcare Compliance Pros, Salt Lake City. Christensen led a session at the MGMA 2016 Annual Conference called, “BYOD — It’s a Party and You’re Invited! Personal Device Compliance in Your Medical Practice.”
“There’s no way to establish a no-tolerance policy; many people use their cellphones for emergency communication,” Christensen explains. “It’s naïve to think that a zero-tolerance policy will work.” A no-tolerance policy can be exceedingly difficult to enforce, and “your doctors probably won’t follow it, so why should your other employees,” he says.
But Christensen does recommend having a detailed acceptable use policy that clearly outlines when devices may be used in the office, what kinds of applications and websites can be used in the office, which applications are explicitly not allowed and proper social media etiquette. Pay specific attention to the way your providers use technology — the way they use their devices likely will dictate your policy for the entire staff to a certain extent, he says.
Security
Device and information security is an important topic to cover in your policy. Christensen recommends setting up explicit protocols for password-protecting devices and having other types of encryption, as well as setting up a system to
remotely wipe, disable or locate a missing device that may contain PHI.
When thinking about your practice’s digital security, consider your office’s internet connections, says Christensen. For example, if you have a secured network that all the organization’s computers are connected to and an open Wi-Fi network for your patients to use, you need to decide which network your employees should use for their personal devices. If they use the open guest network, you risk sharing PHI insecurely, he explains.
“You also want to be clear about your text message policies,” Christensen says. Text messages are not just saved on the devices used to send or receive them. They also reside on a service provider’s servers. Your policy should be explicit about what kind of text messaging is acceptable.
As more practices use tablets and other portable devices in the exam room with patients, Christensen says, don’t forget about managing security and use policies for those devices as well.
Social media
When it comes to social media, a practice can’t necessarily restrict employees from talking about their work environment in general, Christensen says, but you can restrict the discussion of PHI. Clearly determine staff internal and external use of personal social networking pages in your policies. “It is essential for all staff to understand the dos and don’ts of using and posting to personal social networking pages,” he explains. One of the rules he recommends: “Don’t post anything you wouldn’t say in an elevator or coffee shop.”
When it comes to physicians using social media, Christensen recommends that providers establish separate personal and professional accounts. “Allowing patients to connect on a personal social networking page could lead to a breach or other incidents,” he says. And having professional accounts can help a practice control its social presences as well.
When you are establishing a relationship with a patient, be sure to get written informed consent about what photos or patient information may be used by the practice for purposes other than treatment, payment or operations — including social media — as required by HIPAA. “You should also ask the patient for written informed consent to communicate with them electronically,” Christensen explains.
And don’t forget about patients’ use of mobile devices and social media within the confines of your practice and their care. Be clear with patients about what is acceptable and what providers are allowed to discuss electronically.
Staff training
Once you have your policies in place, make sure your staff understands the policies. If you aren’t including these policies in your training, you should not expect that employees will know and follow the rules.
Christensen recommends a user acknowledgement and agreement with the policy: Outline the policy explicitly, including what kinds of devices and software are allowed, and how a violation of the rules could be grounds for disciplinary action. Make sure that all employees read and understand the policy and then sign and date it.
By doing this, you are assured that staff have been presented with and understand the policy. If an employee does not follow the rules, you have documented grounds to take disciplinary action.
Planning for the future
It’s important to set up policies and procedures that address current issues with mobile devices and social media use, but technology changes rapidly and it can be difficult to plan for things that don’t yet exist. So how do you future-proof your technology policy? It can be a complicated dance, Christensen says.
“You don’t want to be so generic with your policies as to be unenforceable, but you want to make sure your policy holds up over time.” To address this issue, he recommends using phrases such as “emerging technologies” and broad terms for common applications and devices, such as “social network” instead of “Facebook” and “mobile device” instead of “iPhone.” Doing that will make your policy relevant even after everyone has moved on to the next big thing.
Regardless of whether you mind the insurgence of personal technology in the workplace, it’s something that every organization needs to deal with because it is not going away anytime soon. “Don’t put your head in the sand,” Christensen says. “Start this conversation within your practice.”
Explore Related Content
More Insight Articles
