Urgent message: Given the ubiquity of smartphones and other mobile devices, urgent care operators must have a strategy and policy in place to deal with the privacy implications of personal technologies in the workplace.
Mobile devices like tablets and smartphones have become ubiquitous in everyday life, and employers in every industry are increasingly seeing employees access their devices throughout the workday. While concerns over lost productivity should concern all employers, healthcare is unique in the added risks associated with patient privacy and personal health information (PHI). There are numerous ways the capabilities of a smartphone could violate a patient’s privacy if misused: capturing of audio, video, or still photographs; texting with patients or staff about medical or treatment issues; and using devices that contain PHI over open, unsecured networks, to name just a few.
So how do you reconcile the reality of smartphones at work with guarding patient privacy at all costs? Nearly all experts agree that a zero-tolerance policy simply isn’t realistic in this day and age. People use their smartphones for emergency communication, and doctors wouldn’t follow such a mandate anyway. Listening to streaming music can create a “whistle while you work” environment that increases productivity. And it’s desirable to have employees engage with the center’s social media presence.
Your practice can, however, craft and enforce a detailed acceptable-use policy that addresses most of the major issues you’ll face, such as the one provided in Exhibit 1.
After you have crafted your acceptable-use policies, you must ensure that every staff member understands and agrees to abide by the policies. This can be done with a written user acknowledgment and agreement. The agreement should include:
- Devices that are allowed in the workplace
- Whether or not pictures, audio, or video can be captured
- What websites and apps can be used in the office
- Forbidden websites and apps
- Social media etiquette
- Which devices can connect to the secure, interoffice network
- Which devices can connect to the open, unsecured network
The acceptable-use agreement must also spell out how a violation of the agreement can result in disciplinary action, and what that disciplinary action entails. Have all staff sign and date the agreement.
Your acceptable-use policy should also cover basic digital security. Digital security can entail password protocols, which devices are required to be password-protected, when encryption should be used, and methods to remotely wipe, disable, or locate a missing device.
“Digital security” will also cover which devices will be connected to which networks. Most urgent care centers have an open Wi-Fi for patients and a secured Wi-Fi for staff. If your practice does not allow devices used for business purposes to connect to the open network, the policy should clarify that.
Texting regarding PHI should also be covered in depth. Not only is the text message sent from one device to another, but it’s stored on the network service provider’s server—a potential violation of HIPAA, especially if the proper Business Associate Agreements (BAAs) are not in place.
Although an urgent care center can’t stop employees from mentioning their workplace on social media, it can require that nothing considered PHI is ever discussed. Clearly outline in your policy what can be posted on personal social networking pages, as well as on company social media pages. A rule of thumb is: “If you wouldn’t say it in polite company, or in a coffee shop, don’t post it.”
When it comes to physicians, our recommendation is for them to establish both a professional and a personal account. This is because having patients connect with physicians’ personal accounts is a breach just waiting to happen. Additionally, be sure to get written, prior consent before using any patient photos on the company social media page. In fact, HIPAA requires written informed consent for a practice to communicate with patients electronically at all.
Mobile devices have proliferated in every corner of modern life, with urgent care centers being no exception. Given their strict rules regarding patient privacy, though, smartphones, tablets and their proper, professional use must be clearly defined and enforced by every practice. Nowadays, physicians are even bringing tablets directly into the exam room with patients, which underscores just how integral mobile devices have become in healthcare. Hence, today’s practices must have a clear and comprehensive understanding of HIPAA rules regarding PHI, and a detailed, straightforward policy on how employees can and should use their devices in the workplace.
Exhibit 1: Sample Acceptable-Use Policy
This policy will outline the acceptable use of computer equipment at This Urgent Care (TUC) center. These rules are in place to protect the employee and TUC.
This policy applies to all TUC employees, consultants, and vendors accessing any location or using any equipment owned, leased, or managed by TUC. This policy should be reviewed by all employees upon hire and again annually. All vendors, contractors, or customers who access TUC networks or systems should receive a copy of this policy.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
General Use and Ownership:
TUC employees should be aware that the data they create on the Company’s systems remains the property of TUC. Because of the need to protect the network and systems, there is no expectation of confidentiality or privacy. TUC may monitor equipment, systems, and network traffic at any time. External access to TUC networks may only occur using TUC equipment.
Employees are responsible for the care and safekeeping of equipment, including equipment taken off-site (laptops, cell phones, etc.). Nonmobile computer equipment owned by TUC is not to be taken off-site without authorization from the Chief Information Officer (CIO) or designee. Proper precautions should be taken to minimize all damage, especially damage that may occur due to dropping the equipment, spilling food/drink on or in the equipment, and/or exposing the equipment to extreme heat or cold.
Systems and Network:
It is necessary for all employees to keep passwords secure, and sharing of accounts is prohibited. Authorized users are responsible for the security of their passwords and accounts.
Please be advised of the following:
Employees are required to:
Alan A. Ayers, MBA, MAcc is Chief Executive Officer of Velocity Urgent Care and is Practice Management Editor of The Journal of Urgent Care Medicine.