A sound Bring Your Own Device (BYOD) policy is essential for HIPAA compliance in an environment where growing numbers of employees are using their personal electronic devices for work.
What is more, the policy needs to lay out your business’ privacy expectations, what would be monitored and not monitored and how personal uses and communications are separated from business.
That is the view of Elizabeth Johnson, partner and lead of the privacy and information security practice for law firm Poyner Spruill.
Where BYOD is concerned, there is no such thing as one size fits all. She says each BYOD policy has to be tailor made to take into account the specific attitudes and needs of the organization.
“Some want their employees to have as little expectation of privacy as possible, others want employees to embrace this program and so they’re looking to be more generous in terms of privacy protections,” she said.
Hallmarks of a good BYOD policy include on-going training and a clear set of terms of use that realistically set out the rights and responsibilities the employee is signing onto when they agree to participate in the program.
“That’s important as a legal backstop – that if you do get into some issues and have to resolve a dispute you can go back to that and say, for example, ‘you understood that we might wipe the device,’ or, ‘you understood that you had to have up to date malware protection,’” she said.
BYOD, healthcare, devices, HIPAA, protection
