HICs Handheld Device Policy
1. PURPOSE:
To establish a new security policy for HIC employees' use of personal handheld devices in
healthcare environments in order to protect the confidentiality of sensitive data, mainly PHI,
belonging to employees and patients of HIC.
For the purpose of this policy the following definition will be applied to handheld devices.
A handheld device is a communication device small enough to be carried in the hand or
pocket and variously known as a personal digital assistant or personal communication
device. Handheld devices considered in this document provide a broad range of services
beyond simple telephony, and are closer to mobile computers than legacy mobile phones.
2. SCOPE:
This Policy applies to all personnel currently working for HIC, and covers all mobile telephones
and wireless handheld devices owned by HIC and handheld devices personally owned by HIC
personnel.
Willful or negligent violation of these policies puts the patients and interests of HIC at risk and will result
in disciplinary, employment, and/or legal sanctions. In the case of the latter, the relevant senior
managers and, where applicable, legal services shall accept responsibility.
3. POLICY:
3.1. Workforce member responsibilities:
3.1.1. All PHI or other sensitive information must be stored in secure server environments
only, as in a directory on a secure network file server. In addition, analysis and research work
shall be conducted in the secure server environment.
3.1.2. Employees will not use personally owned handheld devices for work-related
purposes unless the use of the device is specifically approved by senior management (i.e.
checking of HIC e-mails). If senior management approves use of a personal handheld device,
then the device must comply with all applicable policies and standards and must be made
available to HIC for routine or special analyses.
3.1.2.1. Handheld devices storing e-mail locally on the device must encrypt the e-mail
stored on the device, encrypt the e-mail during transport, and be able to erase the device
after a number of failed login attempts.
3.1.3. Storing PHI or other sensitive information on portable devices is strictly prohibited.
Employees found using their handheld devices to store PHI or other sensitive
information will face disciplinary action.
3.1.4. Before a handheld device owned by HIC is disposed of or transferred to a new owner,
all PHI and other sensitive information on that device must be destroyed.
3.1.5. Handheld devices owned by HIC shall not be shared among family members or
outside parties.
3.2. System administrator responsibilities:
3.2.1. System Administrators shall ensure that no PHI or other sensitive information is
saved on handheld devices.
3.2.1.1. If PHI or sensitive information is found on a handheld device, it is to be disposed of
using a method that ensures the PHI or other sensitive information cannot be recovered or
reconstructed.
3.2.1.1.1. System Administrators will maintain a log of each data destruction that lists
the device, the date of destruction, the personnel authorizing the destruction, a general description
of the PHI or other sensitive information (if available), and the identity of the personnel
performing the destruction.
3.3. Senior Management Responsibilities:
3.3.1. Senior management will be responsible for making sure all policies regarding
handheld devices and PHI are strictly enforced.
3.3.2. Senior management will be responsible for handling any disciplinary actions
regarding violations of the handheld device policy.
3.4. Employee responsibilities:
3.4.1. Employees will make sure that they abide by the policies laid out by HIC leadership.
If an employee suspects someone of violating policy, they are to report said person to their
immediate supervisor so an investigation can be launched.
3.4.1.1. Employees who report another employee for violation of policies are not to face
reprisals from other employees. HIC is invested in the integrity of its employees and expects
employees to report suspicious behavior.
4. EFFECTIVE DATE
4.1. This policy is to go into effect immediately.
4.1.1. The first 30 days of the policy will count as an adjustment period; no disciplinary
action will be taken against employees in this time frame. Employees who are currently using
handheld devices for PHI will need to begin migrating all information to HIC-owned computers.
Employees who require access to e-mail on handheld devices will need to meet with senior
management to verify a legitimate requirement.
4.1.2. After the initial 30 days all incidents of PHI being located on handheld devices will
have to be taken to senior management for disciplinary action.