HR Management & Compliance

Can We Wipe Employees’ Personal Phones Containing Protected Health Information?

We want to draft a policy that allows us to install a monitoring app on employees’ personal phones that can contain private HIPAA data and gives us the option to remotely wipe the phone if stolen. The hurdle is that we do not provide any reimbursement for personal phones. Are we allowed to do this by law?

Because the availability and sophistication of mobile technology have advanced more quickly than the law, employees’ privacy and property rights with regard to their personal mobile devices (and the data stored on them) are an area of law that is still developing. This is particularly true when those rights are considered alongside employers’ expectations and duties to maintain data security within the workplace.

As a result, there is currently no state or federal law that specifically prohibits employers from remotely wiping employee-owned phones. Employers should note, however, that this is a controversial area that may eventually be tested in the courts or restricted by statute, particularly in states such as California.

If a remote wipe provision is adopted as part of a larger BYOD (“bring your own device”) policy, employers should make sure the risks and requirements are explained in understandable, plain-English terms, including whether a wipe erases the entire device (the employee’s own photos, contacts, and messages along with company data) or only the company-managed data and applications, and who can trigger it and under what circumstances. The employee should acknowledge the policy in writing before the monitoring or management app is installed.
Preferably, employees should have a choice of whether or not to use their personal devices for work (in other words, of whether to assume the risk of losing their personal data by putting a personal device on the company network). Additionally, you will need to consider how sensitive data, or access to that data, will be removed from personal devices when the employee leaves the organization, since a departing employee’s phone is outside your control from that point on.

If certain employees are required to use mobile devices in order to perform their jobs, a better practice is either to provide corporate-issued devices for those tasks or to prevent those employees from using their personal devices to access or transmit sensitive data at all. This is especially true when the sensitive data in question is PHI (protected health information) protected by HIPAA.

Further, if your company is a covered entity (or a business associate) required to comply with HIPAA’s Security Rule, it may be more appropriate to prevent personal devices from accessing, and certainly from storing, PHI in the first place. Even if a device is never lost or stolen, an unmanaged personal phone may lack the screen lock, encryption, and timely security updates you would enforce on a corporate device, leaving the PHI on it exposed to data breach and other unauthorized access. Keep in mind as well that a remote wipe only helps if the device is still reachable when the command is sent; a phone that has been powered off or had its SIM removed may never receive it, which is one reason HHS treats PHI encrypted to its published guidance differently from unencrypted PHI when deciding whether a lost device is a reportable breach.

The HIPAA Security Rule complements the Privacy Rule and specifies a series of administrative, physical, and technical safeguards that covered entities and business associates must use to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). More information on the HIPAA Security Rule is available from