Co-written with: Lee Neagle of Certa Scientia, LLC & Kevin Baxter of Advanced Network Service, LLC

One of the unintended consequences of working from home during the pandemic is that employees often use their own personal electronic devices—cell phones, laptops, tablets, and so on—for work. While using personal devices for work is convenient for both employees and employers (employees get to use equipment they’re familiar with and employers aren’t on the hook for the costs of new equipment), using personal devices for work raises concerns about security and privacy. These concerns are particularly strong in fields subject to HIPAA rules for protected health information (PHI), but they arise in workplaces of all kinds.

The concerns are both personal and professional:

  • Practitioners and employees are concerned about their own privacy and about the overlap between their personal and professional lives. For example, therapists and other health professionals might not feel comfortable giving clients their personal phone numbers.
  • Employers, particularly those in health fields, must address the compliance risks associated with the access and storage of protected health information (PHI) and personally identifiable information (PII) on personal devices.

We come at this issue from three angles: HIPAA compliance, network security, and human resources.

What Are the Risks to PHI When Employees Use Personal Devices?

No matter how you slice it, accessing PHI from a personal device significantly increases the risk of privacy breaches. The more devices used, the greater the risk, even if the devices are secured. Indeed, cybercriminals see remote devices as the path of least resistance to larger healthcare networks.[i] Because employers have limited control over personal devices, such devices typically lack the robust security protocols of facility-connected systems.

The 2019 Verizon Mobile Security Index found that 62% of the organizations that responded had experienced compromised data security, with 41% stating the breach caused significant repercussions.[ii] Further, in 2015, the HIPAA Journal noted that 270,000 records were exposed in mobile data breaches over the first six months of the year alone.[iii] These breaches can significantly impact clients’ trust in providers and might result in large financial penalties, such as a 2019 mobile data breach that resulted in a large hospital system agreeing to a $3 million settlement with the Office of Civil Rights (OCR).[iv]

Human users are consistently the weakest link in the security chain. The Verizon study found that 80% of respondents admitted to using public Wi-Fi even when doing so was explicitly prohibited by the company. It is important to note that, when investigating breaches, HIPAA enforcement typically examines the technological, administrative, and physical safeguards implemented by the organization itself very closely, but in some cases the investigation extends to the individual, whether an employee or outside contractor, who caused the breach in the first place.

Risk Mitigation for Personal Devices

What can be done to mitigate the risks of using personal devices for work, especially in a HIPAA regulated field?

First and foremost, organizations should conduct a risk assessment. This is not only a good idea, but also required under the HIPAA Privacy Rule. Fortunately, the federal government has developed a free tool for covered entities to use to assess their risk. This assessment enables administrators to identify potential vulnerabilities and implement safeguards to prevent breaches.

Second, organizations must develop policies and procedures governing personal device use and access to PHI and PII. These policies should determine access based on employees’ job descriptions by applying the “minimum necessary” standard—individuals should only have access to the minimum amount of information necessary to do their jobs. Your receptionist should not have the same access as your clinical director, for example. Security systems developed in support of your policies should include technological safeguards for PHI access, storage, and encryption. Such safeguards should include strong passwords and multi-factor authentication on all externally accessible data sources such as email, company cloud drives (I Drives), file storage systems such as Dropbox and ShareFile, and so on. (Multi-factor authentication requires a user to provide two or more methods of authentication to access a website or application.)

To further enhance security, organizations should also institute and—this is critical—enforce a mobile device management (MDM) policy for all personal devices used for work (as well as organization-provided devices, for that matter). A strong MDM policy gives the company a level of control over the data stored on the personal device, for example by requiring a password or PIN to access all devices with access to or storage of company information. This way, if the device is stolen or lost, the data is less likely to be compromised. In addition, a strong MDM solution ought to provide the company the capability of wiping their data from these devices remotely, further safeguarding the information.

Third, the organization should provide extensive training with regular refreshers regarding policies and expectations for personal device use, including data privacy, the use of passwords, email and text message use, and breach notification, as well as a structure for enforcing these policies. Enforcement can include regular monitoring and spot checks, and managers should lead by example.

Finally, the organization must keep accurate records of both company-owned and personal devices that have access to PHI and PII and should always have the ability to cut off such access on a moment’s notice. If access control measures are not in place, the system becomes extremely vulnerable, particularly when staff members leave the organization or devices are lost or stolen.

Human Resources and the Use of Personal Devices for Work

Even before the COVID-19 pandemic, many employers relied on bring-your-own-device (BYOD) policies for their workforce. These BYOD policies were generally ad hoc in nature and were often created specifically for Millennials, who prefer their own equipment for maximum personal efficiency.

Now that employers are trying to keep everyone safe during the pandemic and state lockdowns while maintaining some degree of productivity, many are instituting expansive work-from-home measures. Once they do so, however, they are finding that their BYOD, telecommuting, and work-from-home (WFH) policies, if they even had any in place, aren’t up to par. These legacy policies were typically written for exceptions and one-offs and were not meant to apply to the whole workforce. Indeed, many lack even basic security and protections. In the current environment, employers have had to reconstruct their policies to apply to the bulk of their workforce.

The following points should be included in any strong personal device policy.

  • Establish the employer’s Right to Monitor. If your employees are expected to use their personal cell phones or computers for work, communicate very clearly that they have no expectation of privacy regarding company information—that all company information may be reviewed, intercepted, copied, deleted, and disclosed without notice to the employee, and fully at the employer’s discretion. Keep in mind that the Electronic Communications Privacy Act of 1986 does prohibit “unauthorized interception” of or access to electronic communications. Employers need to establish permission before they can monitor texts on a personal device.
  • Enforce security protocols on the employee’s devices in all the ways described above and ensure that the company’s confidentiality policies (regarding client names, PII such as social security numbers, PHI, and so on) are effective. Remind employees that they may be required to register their cell phones and laptops with the HR and/or tech team. Secure data management procedures (including passwords and encryption) should be enforced on all devices, especially the employee’s personal devices. Further, the employee should be required to notify their employer if their personal devices are stolen or lost.
  • Create an open dialogue between your employee and the IT team, whether the team is internal or outsourced. This will eliminate the need for the business owner or manager to assist the employee with things like the setup of their home office, Wi-Fi issues, and so on. If you give employees direct access to IT experts, everyone will benefit in increased efficiency and decreased frustration.

Who should bear the costs of employees using personal devices?

Currently, the Federal Fair Labor Standards Act (FLSA) does not require employers to reimburse employees for the use of personal cell phones for work except in the case in which the expenses incurred by the employees put them below the federal minimum wage standard. However, many states, including California, Illinois, and Montana, have more stringent regulations, requiring employers “to reimburse employees for all ‘necessary expenditures or losses’ or ‘business expenses’ incurred by the employee in direct consequence or discharge of his or her duties.”[v] [vi] [vii] Such expenses include those incurred by phone use. In these cases, it is recommended that the employer reimburse the employee a “reasonable percentage” of his or her phone bill. This policy should be clear and fair for all employees based on their job duties and position in the company.

To protect the privacy of workers using their personal devices, it is recommended that employers set up a dial-through phone service whereby clients call the employee’s office number and extension and the call is forwarded seamlessly to the employee’s cell phone. In this way, the client never has the employee’s personal number. Most voice over internet protocol (VoIP) systems offer this function.

For PCs or laptops, the simplest solution is often also the easiest to support: allow employees to take their workstations home. This way, employees are set up for success with the necessary monitors, security equipment, VPN access, and software, without the complications of adapting a personal laptop or computer, which may not be as robust as the one at the office.

As with all of the other ad hoc COVID-19 policies, be sure to communicate with your employees that this is only a temporary solution and once the work-from-home pandemic rules are lifted, they must return to the office, and return all the equipment. (We have found, however, that many organizations have come to see the advantage of work-from-home arrangements in increasing productivity and worker satisfaction and plan to continue some form of it in the future.)

Leaders Must Lead and Communicate

We are all living in the new world of work, one that is unprecedented and chaotic, and requires leaders to summon every last ounce of their skills for improvisation and problem solving. Just as we are trying to protect ourselves and our families from a world pandemic, we also must protect the electronic security of our business networks, employees, and clients. To do so, it is critical that we all let go of preconceived notions of what is “normal.” Nothing is normal about these times, except maybe this: clear communication among all parties is more essential now than ever.

Lee Neagle, MA, LPC, is the Co-Founder and COO of Certa Scientia Consulting, a behavioral health consulting firm that assists organizations in developing their quality assurance and performance improvement (QAPI) programming. Certa Scientia focuses on integrating the organization’s values into its compliance and regulatory standards. www.certascientia.com

Wendy McClellan is the Founder and CEO of Structure for Success, an HR consulting firm that puts the human back in Human Resources. Structure for Success works with businesses to assist with hiring and employee support. Wendy’s forte is working with leaders who want to elevate their company’s profitability and efficiency. www.structure4success.com

Kevin Baxter is the Owner and Founder of Advance Network Service, an information technology firm that focuses on providing technological safeguards, data storage, and infrastructure development. ANS has worked with behavioral health treatment providers to ensure that electronic systems meet state and federal compliance standards. www.advnetservice.com


[i] https://www.zdnet.com/article/cybersecurity-warning-hackers-are-targeting-your-smartphone-as-way-into-the-company-network/

[ii] https://enterprise.verizon.com/en-nl/resources/reports/mobile-security-index/2019/executive-summary/

[iii] HIPAA Journal, “Mobile Data Security and HIPAA Compliance,” 2015. [Online]. Available: https://www.hipaajournal.com/mobile-data-security-and-hipaa-compliance. [Accessed 4 September 2020].

[iv] https://www.hhs.gov/about/news/2019/11/05/failure-to-encrypt-mobile-devices-leads-to-3-million-dollar-hipaa-settlement.html

[v] https://stormoenlaw.com/blog/2019/9/9/employers-must-reimburse-employees-for-work-related-cell-phone-use#:~:text=Yes.,Phone%20For%20Work%20Related%20Duties.

[vi] https://www.lexology.com/library/detail.aspx?g=4f55a3c6-96c5-44ea-8fc8-25384680c882

[vii] https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/tips-for-managing-worker-after-hours-use-of-mobile-devices.aspx