Inviting Legal to the BYOD Party
Laura Clark Fey, Esq., Principal, Fey LLC
MoHIMA · 4/18/2016
Agenda
• Overview of BYOD in Healthcare
• Legal Risks Associated with BYOD
• Recommendations to Address Legal Risks
4/21/2016 © 2016 Fey|LLC
content management & defensible disposition · regulatory compliance · eDiscovery & legal holds · data privacy & cybersecurity
OVERVIEW OF BYOD IN HEALTHCARE
Healthcare BYOD Adoption
73% of surveyed healthcare organizations support some form of BYOD
Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results)
Staff Members Allowed to Participate in Healthcare BYOD
Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results)
Top Drivers for Permitting Healthcare BYOD
Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results)
Top Healthcare BYOD Challenges
Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results)
Primary Reasons for Disallowing Healthcare BYOD
Source: Spok “BYOD Trends in Healthcare: An Industry Snapshot” (2015 Survey Results)
Types of Information That May be Breached
• Protected Health Information (Diagnosis, Treatment, Medical Conditions)
• Social Security Information
• Financial Records (Credit Card, Bank Account)
Key Healthcare BYOD Security Risks
• Stolen medical records are valuable on the black market
• Stolen medical records may be used to illegally obtain prescription drugs
• Stolen medical records may be used to commit insurance fraud
Special Challenges for Protecting PHI on Personal Devices
• Personal devices are commonly lost or stolen
• Difficult to protect the confidentiality of PHI on personal devices of users who are affiliated with multiple medical hospitals/facilities
• Challenging to enforce security requirements on personal devices
LEGAL RISKS ASSOCIATED WITH BYOD
Legal Risk: Failure to Protect Against Breach of Confidential Information (Including PHI and PII)
• Data breach notification obligations
• Regulatory or state attorney general investigations
• Civil lawsuits
Legal Risk: Failure to Comply with HIPAA Obligations
• Privacy Rule limits uses and disclosures of PHI without patient authorization, and sets forth broad requirements to protect PHI in all forms
• Security Rule requires reasonable and appropriate administrative, technical, and physical safeguards for protecting e‐PHI
• HIPAA violations are expensive
Legal Risk: Failure to Comply with Legal Hold Obligations
• Legal hold obligations extend to personal devices when used for business purposes
• General Rule: Unique legal hold‐related information on personal devices must be preserved
• Failure to preserve can result in significant sanctions
Legal Risk: Failure to Comply with Privacy Obligations to Employees
• Some jurisdictions require notice prior to any employee monitoring
• Intrusion on employee privacy may result in litigation
• Loss of employee‐owned data on a personal device may result in litigation
Other Legal Risks
• Loss of necessary access to information by other medical professionals
• Failure to compensate for overtime work performed remotely
• Liability from texting while driving accidents
• Breach of confidential entity data
• Payment disputes with employees
RECOMMENDATIONS TO ADDRESS LEGAL RISKS
Ten Recommendations to Protect Data (Including PHI and PII) on Personal Devices
• Ensure risk assessments address personal devices
• Implement appropriate technology solutions
• Enforce prohibition on usage of banned apps
• Enforce screen locks, encryption, strong passwords, and anti‐malware protection
• Require employees to keep personal devices up‐to‐date
Ten Recommendations to Protect Data (Including PHI and PII) on Personal Devices (continued)
• Prohibit jailbreaking and rooting
• Secure your network against rogue devices
• Ensure ability to wipe company data from device
• Implement and train on procedures for selling, replacing, or discarding personal devices
• Define security incident procedures for personal devices
Bonus Recommendation: Implement and Train on Strong BYOD Policy
• Consider all perspectives
• Develop comprehensive BYOD Policy clearly setting forth both entity’s and employees’ rights
• Implement BYOD Policy through training, FAQs, and other educational resources
• Monitor compliance, and periodically review and update BYOD Policy
• Review and update related policies and procedures touching on BYOD
Five Recommendations to Address Employee Privacy Risks
• Require employees to segregate personal data
• Retain record of unambiguous, written employee consent to BYOD Policy
• Ensure BYOD Policy clearly sets out rights to monitor, access, review, and disclose company or other data on personal devices, as well as employees’ obligations
• Address privacy concerns while planning for preservation of information on personal devices
• If possible, provide notice and obtain consent before wiping or destroying data on personal devices
Five Recommendations to Address Legal Hold Risks
• Ensure policy language addressing legal hold compliance is broad enough to cover legal hold‐related information on mobile devices
• Update legal hold procedures to cover preservation of information on personal devices
• Promptly identify and preserve legal hold‐related information on personal devices
• Provide clear instructions to employees to suspend auto deletion and take other steps to guard against changing or deleting data
• Update offboarding processes to address preservation of legal hold‐related information
Five Recommendations to Address Other Legal Risks
• Access to Information: Prohibit storage of unique patient information on personal devices
• Overtime Disputes: Where appropriate, prohibit non‐exempt employees from working after hours; if not prohibited, require employees to account for time
• Texting/Driving Risks: Prohibit texting while driving by policy
• Breach of Confidential Entity Data: Implement DLP systems and offboarding processes
• Payment Disputes with Employees: Clearly address who pays for the device, as well as voice and data access
Any questions?
Thank you for attending!
Laura Clark Fey, Esq., CIPP/US, CIPP/E, CIPM, Principal, Fey|LLC
E-Mail: lfey@feyllc.com
Direct: 913.948.6301
Mobile: 816.518.6554