Recognize that members of the work force may use personal mobile devices to handle protected health information, even if contrary to policy. – Adam H. Greene, partner, Davis Wright Tremaine LLP
Health care organizations should consider documenting this risk in their risk assessments, identifying the safeguards in place to limit the inappropriate use of personal devices (such as strong policies, training, and sanctions for noncompliance). To further reduce the risk, consider the root cause of the problem — what benefits are personal devices offering to employees that the organization's systems are lacking. For example, if clinicians are texting PHI from personal devices because a hospital does not offer a similarly convenient means of communicating, then the hospital may want to consider whether it can offer a secure alternative to texting.