If you’ve ever left your mobile phone on an airplane, in a restaurant, or somewhere other than in your possession, you know it’s frightening enough to think of losing the device itself, which costs a premium, as well as your personal photos or information stored on the device. Now imagine if you lost your mobile phone, but it also had protected health information (PHI) associated with your health care work stored on it. The lost device suddenly presents the potential for reputational damage and legal or regulatory obligations, in addition to the inconvenience and cost of replacement.
Mobile phones are lightweight, palm sized, and cordless, which makes them convenient and easily portable. These same features make mobile phones highly susceptible to theft or loss. As such, there are serious compliance risks to consider and mitigate when allowing personal mobile device use for work purposes, or a bring your own device (BYOD) program, especially in a healthcare setting. Despite the known risks, current research shows that in some industries, up to 90% of employees are using their personal devices for work purposes whether “allowed” or not. For example, an assisted living nurse using a personal device for work purposes might send a text message to a patient’s primary care physician (PCP) to obtain guidance or to provide an update. That communication includes PHI, raising compliance obligations, such as state laws or HIPAA security requirements. In the long term care setting, it’s also a clear violation of applicable privacy laws and the Centers for Medicare and Medicaid Services will, and has been, citing such infractions on surveys. We suspect the Division of Health Service Regulation would do likewise under state law if this occurred in an adult care home.
There is no quick and easy remedy to completely eliminate all risks associated with the use of mobile phones, particularly employee-owned devices. However, there are steps that can be taken to minimize those risks while allowing the use of mobile technology to provide enhanced and continuous care to patients. One such step is implementing a mobile device management (MDM) solution. An MDM solution allows a secure connection for employees to access work networks and information resources remotely, using an application installed on their personal device. That solution keeps “work applications” such as the employer’s email program technically separated from “personal applications” like social media apps. In addition, an MDM solution allows the employer to force technical controls on the device, such as password requirements, encryption or the ability to remotely wipe all data from the device.
Recognizing that employers must relinquish ownership and technical control to make a BYOD program work, employers also must implement robust policies and procedural controls. For example:
Permissible Uses. Document the permissible uses of personal devices for work purposes, including whether employees are ever permitted to transfer PHI or other types of sensitive personal information on a personal device and the employment terms associated with such uses.
Device Security Controls. Document the policies that govern device controls (such as requiring employees to use passwords, up-to-date malware protection, device time-out, authentication or encryption on the device).
HR Policies. Review other important employment law considerations such as employee privacy rights, social media policies, and policies for removing applicable data from the devices of terminated or exiting employees.
There are many compliance considerations to keep in mind when deciding whether to implement a BYOD program. A comprehensive security framework, including technical controls, policies, procedures, and training, can reduce the high risks associated with the use of personal mobile devices for work purposes.
The U.S. Department of Labor has issued a final rule amending the regulatory definition of “spouse” under the Family and Medical Leave Act (“FMLA”). We earlier reported on the DOL’s proposed rule to this effect, which is now final and will become effective on March 27, 2015.
The amendment changes the definition of “spouse” to include individuals in same-sex marriages if the marriage was valid in the place it was entered into regardless of where they live. Before the new rule was issued, the FMLA and its accompanying regulations defined “spouse” as a husband or wife as recognized under the laws of the state in which the employee resides. The new definition of spouse instead looks to the law of the jurisdiction in which the marriage was entered into and expressly encompasses same-sex married couples. The final rule thus adopts a “place of celebration” rule rather than a “state of residence” rule for the definition of “spouse” under the FMLA.
According to the DOL, the amended regulatory definition of spouse permits “eligible employees in legal same-sex marriages [to] be able to take FMLA leave to care for their spouse or family member, regardless of where they live.” The DOL has also suggested that the new rule will reduce the administrative burden on multi-state employers, who no longer have to consider an employee’s state of residence and the laws of that state in determining the employee’s eligibility for FMLA leave.
The new rule was prompted by the United States Supreme Court decision in United States v. Windsor, which found unconstitutional those provisions of the Defense of Marriage Act that prohibited federal recognition of same-sex marriages.
Some of the other features of the new rule include:
The new rule encompasses an employee in a same-sex marriage entered into abroad as long as the marriage is valid in the place it was entered into and could have been entered into in at least one state in the United States.
The new rule encompasses employees in a common law marriage as long as the common law marriage became valid in a state that recognizes such common law marriage.
An employee in a legal same-sex marriage can now take FMLA leave to care for his or her stepchild whereas before, an employee in a legal same-sex marriage could only take FMLA leave to care for his or her stepchild for whom the employee stood in loco parentis.
Similarly, an employee can now take FMLA to care for his stepparent who is the employee’s parent’s same-sex spouse, even if the stepparent never stood in loco parentisto the employee.