Bring your own device: Legal risks and responses
Legally Speaking
By Daniel F. Shay, Esq., March 1, 2023
DermWorld covers legal issues in “Legally Speaking.” This month’s author, Daniel F. Shay, Esq. is a health care attorney at Alice G. Gosfield and Associates, P.C.
Mobile device usage in the United States is ubiquitous. In February 2021, the Pew Research Center estimated that 85% of Americans owned a smartphone, while 77% owned a laptop or desktop computer, and 53% owned a tablet computer. Many physicians use mobile devices in their daily lives and in their clinical practices. Many prefer to use their own device, rather than carry both a “work phone” and a “personal phone.” For employers and owners of physician practices, allowing the use of personal devices may also offer a cost-cutting measure, whereby the employer saves the expense of purchasing company smartphones and offloads that cost to its physician employees. Although “Bring Your Own Device” (BYOD) policies may be attractive to employers and popular with physician employees, such a practice does come with legal risks. This article explores some of these risks and discusses legal and practical steps for adopting a BYOD policy.
HIPAA risks: Overview
The HIPAA Security Rule and Breach Notification Rule are the main legal concerns raised by a BYOD approach. The Security Rule applies to “electronic Protected Health Information” (ePHI), which is PHI contained in electronic form. The Breach Notification Rule applies to “unsecured PHI” (uPHI), which is PHI that has not been encrypted in the manner required by HIPAA and which can include paper records and other PHI not contained in electronic form. Any PHI stored on or transmitted by a mobile device is ePHI, the use of which implicates the Security Rule. Whether that ePHI has been properly encrypted determines whether the Breach Notification Rule applies, and therefore whether a breach analysis is necessary in the event of an improper disclosure of uPHI.
In the BYOD context, whether ePHI is also uPHI depends on the software/apps involved. For example, if two dermatologists communicate ePHI using the standard texting software provided by most smartphone manufacturers, the next question is whether that software uses HIPAA-compliant encryption. By contrast, if the physicians are using employer-provided secure texting software that specifically includes the necessary encryption, the ePHI will not be considered unsecured, and therefore will not fall under the Breach Notification Rule.
HIPAA risks: Breach notification rule concerns
Most ePHI stored on personal devices will also be stored in, and accessible through, multiple different apps. Expanding on the above scenario, consider the HIPAA analysis required when one dermatologist takes a photo of a patient’s skin condition that includes a unique tattoo and sends it to a colleague within the same practice for a consultation or to coordinate care. Even if no names, patient numbers, birthdates, etc., are included in the message, the image of the tattoo itself contains individually identifiable information, making it PHI. If the dermatologist requesting the consultation used the phone’s camera to take the picture, then the PHI now resides within at least two different programs: (1) it is stored in the texting software used to send it to the consulting dermatologist, and (2) it is likely stored on the sending dermatologist’s phone as a simple image file. Depending on how the sending dermatologist uses their phone, this may mean that the patient’s photo is now part of their photo roll/gallery and may have been uploaded automatically to Apple’s iCloud, Google Photos, or other similar software. This calls into question whether those storage methods are encrypted to HIPAA standards. Even if they are while the ePHI is not being used or viewed, if the sending dermatologist uses features such as screensavers drawn from their cloud-stored images, they and anyone else viewing the screen may find the patient’s PHI appearing alongside the dermatologist’s vacation photos. As this scenario illustrates, the overall concern is that the software used to create, send, use, and/or store PHI on a physician’s personal device must, at a baseline, be properly encrypted to avoid implicating the Breach Notification Rule. And that does not even begin to address the risks posed by simple human error in disclosing the PHI, in spite of it being encrypted while “at rest” within the various software.
HIPAA risks: Security rule concerns
When ePHI is involved, the Security Rule imposes a range of requirements upon covered entities like physician practices, including conducting a security risk assessment (SRA) and developing policies and procedures to mitigate and reduce the risks posed to ePHI. A dermatology practice may have conducted an SRA in the past, but when it decides to allow physicians to use personal devices, the practice must update the SRA to take into account the use of such devices. The practice must also update its inventory of ePHI to include the physicians’ personal devices. The practice will likewise need to develop policies and procedures specifically tailored to the use of personal devices that address the risks posed by their use. Without assessing those risks as part of a formal update to the practice’s SRA, any policies and procedures developed will not comply with the Security Rule requirements. This, in turn, can expose the practice in the event of improper disclosures of ePHI.
One need only peruse the Office for Civil Rights’ (OCR) list of Resolution Agreements to find instances of physicians losing or having stolen from them unencrypted laptops or thumb drives containing ePHI, which in turn prompted an audit by the OCR that determined the covered entity’s SRA was out of date or had not addressed the specific use of removable devices, or worse, had never been conducted at all!
Legal & practical guidance
There are both legal and practical steps that dermatology practices can take when considering adopting a BYOD policy. From a legal perspective, the practice will need to at least update its SRA and policies to account for the implications of physicians using personal devices. The entire SRA does not necessarily need to be re-done from the ground up, but the new factor of physician-owned devices must be analyzed from a HIPAA perspective. Once that has been done, the practice can modify its existing policies and/or adopt new policies to govern the use of personal devices.
These policies should include requirements to use encrypted software, and to take as many steps as possible to encrypt the device itself. Some smartphones now allow for facial recognition software as the method for unlocking the phone, which offers one way to help prevent unauthorized access to the device. When feasible for the practice, the policies should also require the use of HIPAA-compliant, encrypted software, and should likewise prohibit the use of non-approved software for work communications. For example, policies should require that any photos being taken with the device be taken using approved apps, rather than the phone’s pre-loaded camera app, to avoid inadvertently mixing PHI in with personal photos. Documentation should likewise be segregated so that it is only stored and maintained using approved apps. Many EHRs are now primarily web-based, and therefore store all material on secure cloud-based services, which means that the mobile devices themselves would not actually retain any ePHI on them. This would dramatically improve security in the event a device is lost or stolen.
Of course, no amount of technological solutions can protect against simple human error. No two-factor authentication can prevent a physician from taking notes that include ePHI in an unsecured tablet’s notepad app. With that in mind, it is likely wise to re-train anyone taking advantage of the BYOD policy on what constitutes PHI in the BYOD context. Thought exercises, working with “dummy” information (which does not include actual PHI) to demonstrate how not to use the personal device, and demonstrating both why the policies exist and how they protect PHI can be important in preventing someone from misusing their personal device, whether because they misunderstood what counted as PHI in the moment or simply because they failed to think through their actions. Getting individuals to stop and think twice before acting is often the best way to deter HIPAA violations.
Conclusion
Using personal devices can be economical for employers and attractive for employees. Dermatology practices may not want to invest in a fleet of work tablets or phones, and dermatologists may resent having to carry around and account for two different items. Adopting a BYOD policy, though, should be a carefully considered step, and any such step should include review and revision of existing policies, and adoption of new policies as needed, after conducting the required SRA update. Experienced health care counsel can help with these matters.