Responding to Personal Technology in the Urgent Care Workplace

Urgent message: Given the ubiquity of smartphones and other mobile devices, urgent care operators must have a strategy and policy in place to deal with the privacy implications of personal technologies in the workplace.
Mobile devices like tablets and smartphones have become ubiquitous in everyday life, and employers in every industry are increasingly seeing employees access their devices throughout the workday. While lost productivity should concern all employers, healthcare is unique in the added risks to patient privacy and protected health information (PHI). There are numerous ways the capabilities of a smartphone could violate a patient’s privacy if misused: capturing audio, video, or still photographs; texting with patients or staff about medical or treatment issues; and using devices that contain PHI over open, unsecured networks, to name just a few.

So how to reconcile the reality of smartphones at work with guarding patient privacy at all costs? Nearly all experts agree that a zero-tolerance policy simply isn’t realistic in this day and age. People use their smartphones for emergency communication, and doctors wouldn’t follow such a mandate anyway. Listening to streaming music can create a “whistle while you work” environment that increases productivity. And it’s desirable to have employees engage with the center’s social media presence.

Your practice can, however, craft and enforce a detailed acceptable-use policy that addresses most of the major issues you’ll face, such as the one provided in Exhibit 1.

Acceptable Use
After you have crafted your acceptable-use policies, you must ensure that every staff member understands and agrees to abide by the policies. This can be done with a written user acknowledgment and agreement. The agreement should include:

  • Devices that are allowed in the workplace
  • Whether or not pictures, audio, or video can be captured
  • What websites and apps can be used in the office
  • Forbidden websites and apps
  • Social media etiquette
  • Which devices can connect to the secure, interoffice network
  • Which devices can connect to the open, unsecured network

The acceptable-use agreement must also spell out how a violation of the agreement can result in disciplinary action, and what that disciplinary action entails. Have all staff sign and date the agreement.

Digital Security
Your acceptable-use policy should also cover basic digital security. Digital security can entail password protocols, which devices are required to be password-protected, when encryption should be used, and methods to remotely wipe, disable, or locate a missing device.

“Digital security” will also cover which devices will be connected to which networks. Most urgent care centers have an open Wi-Fi for patients and a secured Wi-Fi for staff. If your practice does not allow devices used for business purposes to connect to the open network, the policy should clarify that.

Texting regarding PHI should also be covered in depth. Not only is the text message sent from one device to another, but it’s stored on the network service provider’s server—a potential violation of HIPAA, especially if the proper Business Associate Agreements (BAAs) are not in place.

Social Media
Although an urgent care center can’t stop employees from mentioning their workplace on social media, it can require that nothing considered PHI is ever discussed. Clearly outline in your policy what can be posted on personal social networking pages, as well as on company social media pages. A rule of thumb is: “If you wouldn’t say it in polite company, or in a coffee shop, don’t post it.”

When it comes to physicians, our recommendation is for them to establish both a professional and a personal account. Having patients connect with physicians’ personal accounts is a breach just waiting to happen.

Additionally, be sure to get written, prior consent before using any patient photos on the company social media page. In fact, HIPAA requires written informed consent for a practice to communicate with patients electronically at all.

Conclusion
Mobile devices have proliferated in every corner of modern life, and urgent care centers are no exception. Given the strict rules regarding patient privacy, though, the proper, professional use of smartphones and tablets must be clearly defined and enforced by every practice. Nowadays, physicians are even bringing tablets directly into the exam room with patients, which underscores just how integral mobile devices have become in healthcare. Hence, today’s practices must have a clear and comprehensive understanding of HIPAA rules regarding PHI, and a detailed, straightforward policy on how employees can and should use their devices in the workplace.
 
Exhibit 1: Sample Acceptable-Use Policy

Policy Statement
This policy will outline the acceptable use of computer equipment at This Urgent Care (TUC) center. These rules are in place to protect the employee and TUC.

Applicability
This policy applies to all TUC employees, consultants, and vendors accessing any location or using any equipment owned, leased, or managed by TUC. This policy should be reviewed by all employees upon hire and again annually. All vendors, contractors, or customers who access TUC networks or systems should receive a copy of this policy.

Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Policy
General Use and Ownership:
TUC employees should be aware that the data they create on the Company’s systems remains the property of TUC. Because of the need to protect the network and systems, there is no expectation of confidentiality or privacy. TUC may monitor equipment, systems, and network traffic at any time. External access to TUC networks may only occur using TUC equipment.

Equipment:
Employees are responsible for the care and safekeeping of equipment, including equipment taken off-site (laptops, cell phones, etc.). Nonmobile computer equipment owned by TUC is not to be taken off-site without authorization from the Chief Information Officer (CIO) or designee. Proper precautions should be taken to minimize all damage, especially damage that may occur due to dropping the equipment, spilling food/drink on or in the equipment, and/or exposing the equipment to extreme heat or cold.
 
Systems and Network:
It is necessary for all employees to keep passwords secure, and sharing of accounts is prohibited. Authorized users are responsible for the security of their passwords and accounts.

Please be advised of the following:

  • Under no circumstances should a non-TUC system, computer, or device (phone, tablet, etc.) be connected to TUC’s network without inspection and approval by the CIO or designee.
  • Under no circumstances should employees connect personal devices to the clinic wireless network (titled “This Urgent Care Employee”), and Practice Managers are not to provide its password to clinic staff. This network is reserved only for employee-utilized (Company-owned) devices. However, employees may utilize the “This Urgent Care Guest” Wi-Fi network.
  • Under no circumstances is an employee of TUC authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing TUC-owned resources. The following activities are strictly prohibited with no exceptions:
    • Using a TUC computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment, hostile workplace, or any other applicable workplace policies or laws
    • Making fraudulent offers of products, items, or services
    • Introduction of malicious programs into any internal or external network or server
    • Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient, or logging into a server or account that the employee is not expressly authorized to access, unless such access is within the scope of the employee’s regular duties
    • Port scanning, packet sniffing, packet spoofing, or any other packet-level manipulations by unauthorized personnel
    • Executing any form of network monitoring which will intercept data not intended for the employee’s host without authorization
    • Connecting or disconnecting network cables to/from networking equipment
    • Connecting storage devices into any TUC system without prior authorization from the CIO or designee

Software:
Installation of software that is not on the approved list must be authorized by the CIO or designee. Proper licensing of all software will be determined by the CIO or designee. Employees must use standardized software packages unless alternatives are approved by the CIO or designee.

Copying copy-protected software owned by TUC is prohibited. Copying copy-protected software using equipment owned or leased by TUC is prohibited. Installation of software owned by TUC on non-TUC systems is prohibited.

Email:
Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material, is prohibited. Any form of harassment via email, whether through language, frequency, or size of messages, is prohibited.

Creating or forwarding “chain letters” or other “pyramid” schemes of any type is prohibited. Employees should observe proper email etiquette when representing TUC. At any time, TUC may monitor email activity to ensure compliance with this policy. Attached files should not be opened unless you were expecting the attachment; active and current virus scanning should be installed prior to opening any attachment.

Web and Other Online Usage:
TUC employees are allowed to access the internet primarily for work purposes. TUC recognizes the need for work-life balance, and that limited use of TUC equipment or networks for personal reasons may be necessary. The network will be monitored for overuse or abuse of this policy.

TUC has the right to restrict access to any and all sites or programs deemed a security or availability threat by the CIO or designee at any point; this includes, but is not limited to, personal email, streaming music/video sites, etc.

Security:
Employees are prohibited from:

  • attempting to access systems and/or information on systems without authorization
  • allowing electronic access to TUC’s systems or network to non-TUC employees
  • attempting to circumvent security to access systems or data
  • transferring any protected or confidential data to any personal device or home computer

Employees are required to:

  • log off the network any device or system that will be left unattended
  • immediately shut down and report any system suspected of being infected by a virus to IT
  • immediately report any loss of equipment, regardless of location, to IT
  • immediately report any breach or loss of information to IT and Compliance
  • ensure visitors, vendors, and contractors have appropriate approval prior to accessing any TUC system

 

Alan A. Ayers, MBA, MAcc is Chief Executive Officer of Velocity Urgent Care and is Practice Management Editor of The Journal of Urgent Care Medicine.
