Misconceptions Companies Have About BYOD Compliance —
and 10 Best Practices for Managing Mobile Devices in the Workplace

In our latest webinar, “HIPAA-Compliant Faxing in a BYOD World,” eFax Corporate® discusses several of the act’s vaguely written guidelines governing data privacy — and how these guidelines affect electronic protected health information (ePHI) on mobile devices. (Reserve Your Seat for the Re-broadcast of the Webinar.)

We point out, for example, that many healthcare providers increasingly rely on medical apps on mobile devices to get their jobs done. But under what circumstances does storing, transmitting or displaying ePHI on a mobile device meet HIPAA’s standards? Under what circumstances does it fall short of compliance? What if a healthcare firm places encryption software on its staff’s devices (definitely a move in the right direction from a regulatory standpoint), but then a physician or nurse reviews ePHI on their mobile device in a public place in plain sight of others?

5 common misconceptions about BYOD compliance

Because components of federal acts such as HIPAA are open to interpretation, several misconceptions about them have taken hold across the IT community. Among the misconceptions are erroneous beliefs about how these regulations govern electronic patient health information (ePHI) and other confidential data on employee’s mobile devices. Here are some of the most typical misconceptions.

  1. We use leading medical apps to view ePHI on our smart phones, and those apps are probably HIPAA compliant.
  2. Our doctors are very careful about how and where they share patient data, so we’re HIPAA compliant.
  3. We ask our staff to password-protect the mobile devices they use for work purposes. We’re HIPAA compliant.
  4. We’re compliant for sure, because the vendor that handles our data storage signed a Business Associate Agreement (BAA).
  5. Our corporate policy is to protect patient information — even on mobile devices — and that puts in compliance with HIPAA.

Just because your practice or organization has completed an Attestation and Meaningful Use phase, that doesn’t mean you can just check the box — “We’re HIPAA-compliant” — and forget about HIPAA. Keeping a business in line with federal regulations governing data privacy is an ongoing, never-ending reality, not a task to complete.

10 best practices for protecting ePHI on staff’s mobile devices

Those common misconceptions might make it appear as though it’d be extremely difficult for any entity to stay on the right side of HIPAA. But, there are methods that can make regulatory compliance a much more achievable goal.

Here is a list of Best Practices for building a Mobile Device Management program that eFax Corporate has compiled from several sources — including news journals HealthITSecurity1 and Becker’s Health IT & CIO Review2, and mobile security firm SecureEdgeNetworks3.

These steps are designed to protect a business’s data, give employees a clear set of procedures and guidelines for handling this data both inside and outside of the corporate firewall — and to significantly improve a business’s overall compliance.

  1. Create clear, concise and comprehensive policies regarding ePHI —
    and disseminate company wide.
  2. Create a list of allowed devices (and/or operating systems) your organization will allow staff to use for work and to access ePHI.
  3. Make sure your ePHI data is secure “at rest” as well as in-transit.
  4. Install and regularly update virus-protection software on all of your staffs’ mobile devices that access or store ePHI.
  5. Train all healthcare providers and other staff in the secure and compliant use of ePHI on any device in any location
  6. Employ the highest levels of encryption possible for all ePHI transmitted, shared or stored anywhere, such as TLS.
  7. Demand that your staff implement password protection for all mobile devices that access ePHI.
  8. Deploy next-gen security technologies such as IDS (Intrusion Detection Systems and IPS (Intrusion Prevention Systems) and firewalls which can prevent against APTs (Advanced Persistent Threats) such as new Malware.
  9. Implement biometric authentication, such as fingerprint readers, on portable devices that access ePHI.
  10. Deploy a Mobile Device Management platform across the company — including tracking and remote wiping of any device lost or stolen, along with automatic backing up of device data.

Move to a cloud solution that supports HIPAA compliant faxing on any mobile device

One more suggestion for bringing a business into better alignment with HIPAA guidelines: Switch to a cloud faxing model that offers HIPAA compliant electronic faxing from anywhere — computers, mobile devices and even integrated with existing multifunction devices.

The best way to do this is to trust the world’s #1 online secure fax service, eFax Corporate®, often complemented by eFax Secure™. eFax Corporate, part of Consensus®, Inc., is entrusted every day to transmit millions of pages of sensitive corporate documents by businesses in the most heavily regulated industries. Our proven process helps enterprises meet the strictest federal mandates regarding secure data transfer, tracking and storage.References:
1.  HealthITSecurity:
2.  Becker’s Health IT & CIO Review:
3.  SecureEdgeNetworks: