Smartphones are an increasing presence in the healthcare environment. They can be used to enhance communications among caregivers, provide quick access to clinical guidance materials and tools, and otherwise facilitate patient care in a rapidly growing number of ways. For patients and visitors, the ability to use smartphones—or even traditional cell phones—during a hospital stay can be both a source of comfort and a convenience, helping them stay in contact with loved ones and allowing continued participation in their normal lives, factors that can promote patient satisfaction.
So what are the downsides of these powerful devices? Unfortunately, in the hospital environment there are many—and chief information officers (CIOs), IT directors, clinical engineers, and risk managers must institute policies to address the dangers.
Ready or Not, Here They Come
With great power comes great responsibility. The very characteristics that make smartphones such a powerful tool for users—their portability, computing power, and ability to access information—make them a source of great concern for the healthcare enterprise. If they aren’t used with care, private patient information can be exposed; computer viruses or other malware can be introduced; clinical decisions can be affected by alerts or other pertinent details that are missed or overlooked (e.g., because of display limitations); or caregivers can simply become distracted. Additionally, both the nonstandardized nature of these devices and the rapid generational changes in devices and platforms present significant challenges for those responsible for managing their use.
Ideally, a healthcare facility would be able to research and develop the best approaches to smartphone use before the devices make their way into the hospital environment. But, as the Healthcare Information and Management Systems Society (HIMSS) points out in a white paper issued by its Mobile Security Work Group, “Employees are not waiting for guidance to be provided. Instead, they are starting to use mobile computing devices for work, whether or not their employers know or approve of the use” (HIMSS 2011).
Of course, many patients and visitors will also want to use their smartphones while at the healthcare facility. Plus, the use of smartphones by independent physicians is continuing to increase. A 2012 survey conducted by a market research and services firm found that 85% of U.S. physicians currently own or professionally use a smartphone (Manhattan Research 2012).
Given that the technology has become ubiquitous, an outright ban on smartphone use would likely be impractical—and possibly even counterproductive, as these devices offer many legitimate benefits. But effective policies regarding smartphone use are essential to protect the healthcare facility’s systems, to safeguard patient privacy, and to ensure the delivery of quality care. Put simply, smartphone users need to know how to apply the technology responsibly in the healthcare setting, and technology managers need to develop and implement policies to minimize the risks. The success of such policies will depend on support from key leadership and cooperation from mobile device users, including clinical and nonclinical staff, independent physicians, patients, and visitors.
In this article, we discuss some of the benefits and risks associated with smartphones in the hospital setting and describe strategies for managing this technology. We focus on the use of smartphones (1) by clinicians or other staff for work-related purposes, whether within the healthcare facility or connected to its systems from outside the facility, and (2) by patients and visitors while on the premises. And below, we update our guidance on policies addressing the use of all cell phones, including smartphones, in the clinical environment.
While we focus on smartphones, much of our guidance applies to a variety of mobile communications or computing devices, including traditional cell phones and in some cases tablet computers. We discuss the pros and cons associated with the use of such devices within the healthcare environment or in connection with a healthcare facility’s systems.
The Potential Benefits
Mobile technologies like smartphones bring tremendous possibilities to healthcare, increasing the speed and convenience of accessing caregivers, clinical resources, patient data, and healthcare IT systems. Below, we describe a few of the benefits that may be realized when smartphones are used in the healthcare environment—though some of them come with problems and other complications as well.
Smartphones can facilitate communication between individuals in ways that are not possible with pagers or even traditional cell phones. In the healthcare literature, a variety of articles describe the communication benefits that caregivers can derive when smartphones are used as an alternative to pagers or other communication methods. An article published in the April 2012 issue of the Journal of Interprofessional Care, for example, noted that healthcare professionals valued the additional communications functions that smartphones offer, such as the ability to use e-mail to communicate nonurgent issues, while having the phone function available for accessing clinicians in urgent situations (Lo et al. 2012).
While the use of smartphones can help improve communications, it’s worth noting that researchers have identified negative communications issues as well. These include increased interruptions, weakened interprofessional relationships (because of reduced opportunities for face-to-face interactions), and disagreements between personnel with respect to which communications should be deemed urgent (Lo et al. 2012, Wu et al. 2011).
In addition, the use of smartphones for communication opens up a whole new world of privacy protection concerns. The ease with which patient information—both data and images—can be stored, transmitted, or posted introduces new risks that didn’t exist when pagers were the height of technology. We discuss some of the risks later in this article.
Handy Access to Reference Materials
The speed with which physicians have adopted smartphone use is largely attributed to the value these devices offer in providing access to reference materials (Chavis 2011). Rather than carrying around a collection of pocket handbooks, physicians can access the entire Physicians’ Desk Reference, for example, or a whole host of other reference materials or clinical decision support resources online or through a mobile app.
Faster Access to Patient Data
At some facilities, clinicians are using smartphones to look up lab results, prescribe medications (e-prescribing), interact with an electronic health record (EHR) or computerized provider order-entry (CPOE) system, or even view radiology images or patient waveforms. We’ve described a few such applications in previous issues of Health Devices:
- In our March 2012 issue, we describe the Mobile MIM app, which brings diagnostic-quality images to mobile devices, allowing some radiology images to be viewed on the iPhone, iPad, and iPod Touch. The Mobile MIM software was cleared by FDA in 2011 for displaying MR, CT, single photon emission CT, and positron emission tomography images for diagnosis. A newer version has since been cleared for diagnostic x-ray and ultrasound viewing, as well as for radiation treatment plan review and approval.
- Our October 2011 Guidance Article on physiologic monitoring networking describes several solutions incorporating smartphones into the patient care workflow. Available functionality includes near-real-time viewing of patient data on smartphones and the transmission of alarm messages to smartphones and other communication devices.
More Effective Patient Education
An article in the American Journal of Nursing described an instance in which a patient’s mobile phone was used to reinforce wound-care discharge instructions for a severe arm injury. Upon seeing that the patient was having difficulty following the written instructions for changing the wound dressing using his nondominant hand, the nurse used the patient’s mobile phone to photograph each step of the process and to record a voice memo describing the various steps. With the discharge instructions in this form, the patient, who was proficient with his phone and was more comfortable with this style of learning, was able to better care for the wound on his own (Holt et al. 2011).
As discussed below, the use of a phone’s camera function can raise concerns about patient privacy violations, and thus requires careful consideration of federal and state health information privacy and security laws and regulations. In the instance described here, the authors stress that the phone belonged to the patient, the photographs were taken with the patient’s knowledge, and the images were never copied to any other device, so that the patient retained full control of his personal health information and was able to delete it when it was no longer needed.
Increased Patient Satisfaction
Whether it’s to stay connected with friends and family, to communicate important details about a loved one’s condition, or simply to pass the time during a hospital stay, patients and visitors will want to be able to use their mobile devices within the healthcare facility. While certain restrictions may be warranted—such as prohibitions against device use in highly instrumented areas and limitations on the use of camera functions—smartphone use can be allowed in many instances.
In the U.K. Department of Health’s most recent (2009) policy statement on the use of mobile phones in National Health Service (NHS) hospitals, the department loosened its restrictions on phone use, noting that “communication with family and friends becomes an essential element of support and comfort.” The Department specified that its new policy was intended to “reflect the rapidly developing principles of patient choice in the matter of mobile phone usage.”
The new policy states that “the working presumption should be that patients will be allowed the widest possible use of mobile phones in hospitals, including on wards.” However, such use is still contingent on local risk assessments determining that mobile phone use “would not represent a threat to patients’ own safety or that of others, the operation of electrically sensitive medical devices in critical care situations, [and] the levels of privacy and dignity that must be the hallmark of all NHS care.” Thus, NHS facilities are expected to restrict mobile phone use when circumstances dictate (U.K. Department of Health 2009).
While the benefits of using a smartphone are often readily observed, the risks are not always apparent. Users may not be aware that their smartphone use is creating problems, or the risks may seem disconnected from the act of using the smartphone. Following are descriptions of some of the kinds of problems that can occur and that should be addressed in policies governing smartphone use in the hospital setting.
The growing use of smartphones to access patient data has led to concern among CIOs and other technology managers that such uses could increase the likelihood of security breaches in which protected health information (PHI)—for example, patient data that resides on or is accessed using a smartphone—is inappropriately disclosed. Such breaches are no trivial matter. In the United States, breaches that violate health information privacy and security regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) can lead to costly fines or settlements, or even criminal penalties. Furthermore, in some states, health information privacy laws and regulations are even more extensive than the federal HIPAA regulations.
The HIPAA Privacy Rule mandates that covered entities “reasonably safeguard” PHI from any intentional or unintentional use or disclosure that is in violation of the rule’s standards. (Note that “covered entities” include not only healthcare organizations as corporate entities, but also individual providers.) Additionally, the HIPAA Security Rule outlines provisions for ensuring the confidentiality, integrity, and availability of PHI that is transferred or held in electronic form.
HIPAA defines PHI as individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral (45 CFR Sec. 160.103). Thus, concerns include:
- Theft or loss of a smartphone that has PHI on it.
- Staff or volunteers taking and distributing unauthorized photos. (For discussion about the use of smartphone cameras, see below.)
- Staff revealing PHI on social network pages—for example, by posting text or photos that could be classified as individually identifiable health information.
- Unauthorized individuals accessing the healthcare facility’s systems.
- Staff or physicians forwarding unencrypted e-mail that contains PHI from their organizational account to a personal account that does not have reasonable safeguards to protect PHI.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, breaches of unsecured PHI must be reported to the affected individual, to the U.S. Secretary of Health and Human Services, and in certain cases to the media. In addition to the reputational damage that such breaches can cause, they can result in significant direct costs in terms of actions the facility takes to mitigate harm to the affected individuals (e.g., paying for credit check services) or settlements or fines.
In one example illustrating the potential financial implications of a failure to safeguard PHI stored on electronic devices, Blue Cross Blue Shield of Tennessee (BCBST) agreed in March 2012 to pay $1.5 million to settle potential violations of the Privacy and Security Rules of HIPAA. The breach occurred when 57 unencrypted computer hard drives containing PHI of over 1 million individuals were stolen. The enforcement action against BCBST was the first resulting from the HITECH Act’s Breach Notification Rule (HHS 2012 “HHS Settles”).
Although the ability to use a highly portable device like a smartphone for a wide range of data-access and data-entry functions is desirable in theory, the smartphone’s small display will, in practice, limit the utility of the device for interacting with many systems currently in use in a healthcare enterprise. For example, an EHR or CPOE system that is designed for use on desktop or laptop computers may not display information well on the smaller screen of a smartphone, or even a tablet computer. As a result, users may need to scroll to view information that would have been readily visible on a larger screen. More than just an ease-of-use issue, this can have patient safety implications—for example, if a clinician misses an allergy alert that is initially hidden from view on the smaller display (Cerrato 2012).
Digital Distractions Affecting Patient Care
A case study written by Dr. John Halamka, CIO at Harvard Medical School, illustrates how distractions facilitated by smartphone use can adversely affect patient care. A resident physician (at an unnamed facility) was using her smartphone to enter an order in the facility’s CPOE system. The order, as requested by the attending physician, was to stop anticoagulation therapy for a patient. Before completing the order, however, the resident received a personal text message about an upcoming party. The resident responded to the personal message by text, but never went back to complete the order in the CPOE system. As a result, anticoagulation therapy continued unnoticed for several days, and the patient developed conditions that necessitated emergency open-heart surgery (Halamka 2011).
While the need for clinicians to multitask is nothing new—interruptions from pagers and other communication devices have long been a part of the job—smartphones and other mobile devices now make it easier for clinicians to be interrupted for non-work-related reasons, as occurred in the above example.
In addition, these devices make it easier for clinicians to create their own interruptions—succumbing, for example, to the temptation to conduct personal business during patient care. For instance, half of the respondents to a 2010 survey of perfusionists acknowledged texting during heart-lung bypass procedures, with 15% further acknowledging that they accessed the Internet and 3% reporting that they visited social networking sites during procedures (Smith et al. 2011). Additional instances of digital distractions cited in a December 2011 New York Times article include a nurse checking airfares during surgery and a neurosurgeon using a wireless headset to make personal calls during surgery. In the latter case, the lawyer for a patient who was left partly paralyzed contends that cell phone use distracted the neurosurgeon during the procedure. The case was settled before the formal filing of a lawsuit (Richtel 2011).
Smartphone-related distractions in the healthcare setting may, in fact, be commonplace, if the results of a 2012 survey conducted by OR Manager are representative. More than half of the 112 survey respondents noted that they had received reports of an OR clinician being distracted by a mobile device during patient care. In addition, 41% reported that they “have personally witnessed distracted behavior,” and six of the respondents indicated that personal use of a mobile device was possibly linked to an adverse event during surgery at their facility. Of the events that were described, one was a wrong-site surgery, and another was a near miss in which a “specimen” was almost left in the patient (Patterson 2012 “Smartphones”).
The potential to make mistakes is not the only concern. Caregivers who are focusing on a device’s screen, rather than looking at the patient, may miss clues about the patient’s condition. In addition, focusing on the device rather than the patient can lead patients to question the quality of their care. Patients may wonder whether they are getting appropriate attention from the caregiver or whether the caregiver is instead engaged in some unrelated activity.
Increased Traffic on the Wi-Fi Network
Today’s smartphones can be configured to preferentially access the Internet through a Wi-Fi network when one is available, rather than using the cellular service; this can speed information access and reduce data charges for the user (Arthur 2011, Shaw 2011). For the healthcare facility, however, the impact that increased smartphone use can have on the facility’s wireless infrastructure must be considered. At some facilities, increased traffic on the Wi-Fi network may stress an already overburdened system. Meeting the increased demand for Wi-Fi resources without affecting critical network applications (e.g., real-time telemetry monitoring operating on Wi-Fi-based frequencies) could require costly upgrades to the facility’s infrastructure.
One health system we spoke with, which is taking the approach of fully supporting guest access to wireless resources, noted the burden that its chosen approach creates, including the fact that Wi-Fi traffic on the guest network alone increased threefold over a 12-month period; as a result, one year after doubling the capacity for inbound Internet traffic, the health system is already looking to further increase the capability of the wireless infrastructure to handle additional traffic. (Patient and visitor use of Netflix, YouTube, and Pandora accounted for much of the traffic.)
Instances of electromagnetic interference (EMI) from cell phones affecting medical devices have been documented in the literature, and ECRI Institute is not aware of any evidence to suggest that smartphones pose less of a risk than traditional cell phones. Although the risk of EMI affecting critical medical devices is likely small—the number of incidents reported is low—healthcare facilities must nevertheless consider the possibility of EMI when deciding how to manage the use of smartphones. See below for our recommendations.
It’s worth noting that the ability to configure a smartphone to access the Internet using an available Wi-Fi network, rather than the cellular service, alters the EMI equation but does not eliminate the risks. A Wi-Fi connection is much lower power than a cellular connection and thus less likely to cause EMI. (Generally, the higher the output power of the cell phone or other radio-frequency transmitting device, the higher the EMI risk.) Wi-Fi connections are used safely all the time in hospitals, including by medical devices. Thus, configuring the phone in this manner should reduce the risk of EMI while the phone is being used to access the Internet, at least compared with using the cellular service for this function. However, even when configured to access the Internet through a Wi-Fi network, a smartphone would likely still be using the cellular service for incoming and outgoing phone calls. Thus the potential for EMI will not be eliminated.
We discussed some alternatives that can help reduce the EMI risk in our December 2006 issue. Installation of a distributed antenna system (DAS), for example, can substantially lower the output power of cell phones and similar devices, thereby reducing the risk of EMI. A DAS, also called a microcell system, is a network of interconnected antennas positioned to provide cellular service to the areas of a building where signals are otherwise weak. With such a system in place, compatible phones (i.e., phones that operate using the cellular service of one of the supported providers) will send and receive transmissions only to these nearby antennas, not to far-off external cellular towers, requiring less cell phone output power.
Threats from Computer Viruses or Malware
In its white paper “Security of Mobile Computing Devices in the Healthcare Environment,” the HIMSS Mobile Security Work Group warns that “as the popularity of mobile computing devices increases, so too does the possibility that someone will create malware that is intended to impact its use or compromise patient data” (2011). Device-related issues that the Work Group currently labels as “moderate” security threats include
- software vulnerabilities, such as “weaknesses in the platform and [operating system] which would allow for malicious attackers to access the device”;
- “viruses and other malicious software which can steal data, capture keystrokes or perform other negative actions”; and
- the mishandling of updates, specifically the failure to routinely and correctly apply security patches, antivirus software updates, and other protective software changes.
Ensuring that smartphones include effective security controls and are routinely updated with the latest antivirus software and malware protection can be a challenging task, especially if users are allowed to use their own mobile devices for work-related applications. Also, because users themselves are typically the last line of defense, it may be useful to educate staff about potentially unsafe practices, such as opening suspicious attachments or clicking on questionable links.
Speaking of viruses: When staff think of mobile communication devices and viruses, they don’t necessarily think about handwashing. But several studies have demonstrated the presence of infection-causing pathogens on the surfaces of cell phones: A bacteriological analysis of 75 mobile communication devices (cell phones, pagers, and personal digital assistants) being carried by clinicians entering the OR revealed that 90% were contaminated with bacteria, with 10 of the devices demonstrating bacteria known to cause nosocomial infections (Brady et al. 2007). Additionally, a 2012 study by Ustun and Cihangiroglu isolated a total of 179 culture-positive specimens from a sample of 183 mobile phones owned by nurses, laboratory workers, and other healthcare staff at a secondary referral hospital. Among other pathogens, the authors identified 17 methicillin-resistant Staphylococcus aureus (MRSA) specimens and 20 expanded-spectrum beta-lactamase (ESBL)-producing Escherichia coli specimens, which can cause nosocomial infections. Other studies have shown bacterial contamination of anesthetists’ hands following the use of a mobile phone in the OR (Rodrigues 2011, Visvanathan et al. 2011).
Brady et al. note that “strict attention is paid to changing clothes” and other measures to reduce the transfer of pathogens from the external environment to the OR, but the failure to use similar precautions with communication devices can “frustrate aims to reduce levels of healthcare-associated infection” (2007).
To reduce the risk of infection, researchers recommend that staff be educated about the ways in which mobile phones and other portable devices can carry pathogens, and that infection control committees prepare guidelines such as preventive measures for the decontamination of mobile phones. Additionally, they note that restricting or banning the use of mobile phones in the clinical setting, regularly cleaning the devices with wipes containing antiseptics, and strict hand hygiene before and after the use of mobile phones may offer other solutions (Ustun and Cihangiroglu 2012).
But disinfecting a smartphone may not be as simple as wiping it down. While some literature suggests using alcohol or alcohol wipes to disinfect traditional cell phones (Visvanathan et al. list several studies), smartphone users need to be careful not to use products that could degrade the display screen. Apple, for example, recommends against using alcohol, ammonia, and a variety of other cleaning products on iPhones or iPads (see http://support.apple.com/kb/ht3226).
The Limitations of Text Messages
A survey conducted by a software solutions vendor showed that, of the respondents who use smartphones to send job-related messages to clinicians, more than 75% send these notifications by text message (Amcom Software 2011). While texting can be a quick and easy way to communicate, this method does have limitations that make it inappropriate for certain healthcare-related communications. In an FAQ response to a question about the acceptability of texting physician orders, the Joint Commission states:
[It] is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record. (Joint Commission 2011)
Not all of the potential risks associated with smartphone use have high-tech causes. In its 2009 guidance document “Using Mobile Phones in NHS Hospitals,” the U.K. Department of Health notes the risk that an essential medical device could be inappropriately unplugged in order to charge a mobile device.
Tripping hazards are another possibility that must be considered when power cords are present. We offer detailed guidance on the use of patient-supplied equipment, including devices that use power adapters for charging, in the May 2007 Health Devices (see “Patient-Supplied Equipment: What to Allow, What Not to Allow, and Why”).
Managing the Technology
The lack of a clear connection between the cause of a problem (i.e., the use of a smartphone) and the effect (e.g., patient harm, a security breach) can increase the complexity of the job for those charged with managing smartphone use in the hospital. For one thing, it can increase the difficulty of troubleshooting any problems that occur. For another, it may prompt users to ignore policies, since often they can’t easily “see” a problem caused by smartphone use. This underscores the need for user education about the risks—and about the practical consequences of not following policies.
Issues of when and where the personal use of smartphones is appropriate will likely be dictated by the healthcare facility’s cell phone policy, which should address the use of such devices by staff as well as by patients and visitors. (We describe our recommendations for such policies below.) Here, we focus on the additional management considerations associated with the use of such devices by staff members, including independent physicians, for work-related applications.
A number of factors must be considered with regard to managing work-related smartphone use within the healthcare enterprise. These factors include who owns the phones, how much control the healthcare facility exercises over how the phones are used, and what, if any, network resources the phones can access. Familiarity with such issues is necessary regardless of whether you engage with a mobile device management firm for assistance or opt to manage the technology internally.
BYOD, or Not BYOD?
That is the question. Or one of them, at least. “Bring your own device,” or BYOD, describes the practice of allowing staff and physicians to use their own smartphones within the healthcare facility for work-related activities. Alternatively, some facilities opt to supply organization-owned smartphones; this approach affords the facility greater control, as IT staff can limit the applications that are available on the device and also ensure that appropriate security software is installed and up to date. Of course, hybrid approaches are also used—for example, a facility may standardize on a particular brand of phone for employees, but allow independent physicians to use their own devices.
All of these approaches can be employed successfully, but each requires thoughtful planning. A facility’s choice will reflect its preferred balance of cost, management effort, level of control, and the level of flexibility the user is afforded.
Within a BYOD structure, facilities can choose a variety of implementation schemes. Following are a few examples of practices that facilities could choose to implement, either alone or in combination:
- Providing access to only supported devices. A facility may insist that only devices that meet its security requirements—for example, those that support an appropriate level of encryption—are allowed access to the facility’s systems. This requirement provides a prudent measure of control, but it also may mean that certain smartphones won’t be supported and thus won’t be able to be used to gain access to the facility’s systems.
- Implementing a thin-client configuration. A facility may not allow patient data to be stored locally on a smartphone or other mobile device. Instead, the device would operate as a terminal, allowing authorized users to log in and access information that is stored centrally on a server. For example, an application may allow remote viewing of radiologic images from the facility’s picture archiving and communication system. This thin-client approach reduces security risks—if, for example, the device is lost or stolen—because no sensitive data is stored on the device.
- Requiring user agreements. A facility may require users to sign an agreement specifying that their personal devices will be subject to the same security measures as the facility’s internal devices. For example, in exchange for access to the facility’s systems, users must allow the facility to remotely wipe data from the device if it is lost or stolen. This could mean that the user’s personal data will be deleted along with any of the organization’s data. (However, see the next item.)
- Segregating data. Some software solution companies offer tools to control which applications mobile users can access or to otherwise segregate healthcare facility data from the user’s personal information. Such approaches are promoted as allowing business and personal applications to coexist securely on the same device. These tools may allow the selective wiping of only the facility data, sparing the user’s personal data in the event that the device is lost (Cerrato 2012).
Another consideration is what happens to the device when the user upgrades to a new smartphone. Organizations may need to verify that they are notified of such changes and that the old devices are adequately secured and checked before the user donates or otherwise disposes of the phone (McNickle 2012).
Following are some of the practices that can—and in some cases should—be implemented to improve the security of staff or physician smartphone use, regardless of which mobile devices are permitted or how their use is managed:
- Data encryption. The purpose of data encryption is to protect sensitive information like PHI from being accessed and viewed by unauthorized users (CMS 2007). In its interim final rule “Breach Notification for Unsecured Protected Health Information,” the U.S. Department of Health and Human Services (HHS) specifies that encryption is one of the “methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals” (HHS 2009). As such, because encrypted data is not considered “unsecured” protected health information, the loss of such data—or, for example, the loss of a smartphone that contained such data—would not need to be reported to HHS as a security breach.
- Passcode protection, which requires that a passcode (e.g., a four-digit string) be entered to unlock the device. While certainly not foolproof, even simple measures like this can prevent a lost or stolen phone from causing a security breach—for example, if a curious finder of the phone attempts to take a peek at its contents. Such a scenario is not uncommon, according to the results of a “lost phone” experiment conducted by the Internet security software firm Symantec. In the company’s experiment, employees intentionally “lost” 50 phones so that the company could observe access attempts by the individuals who found the devices. The experiment showed that most of the individuals who found and returned the phones first tried to access sensitive files on the phones (Dolan 2012).
- Password-protected access to applications or files that could include or provide access to patient information or other sensitive data.
- Automatic logoff if the device has been idle for a specified period of time.
- The locking of the device or the wiping of data after a specified number of failed log-on attempts (e.g., incorrect password or passcode).
- Remote wipe capability, so that data can be deleted remotely in the event that the device is lost or stolen or an employee is terminated. As mentioned above, some mobile security vendors offer tools that segregate healthcare facility data from the user’s personal information, allowing the selective wiping of only the facility data.
- Auto-location technology, which can help organizations locate lost or stolen devices (Cerrato 2012).
In addition, the facility should establish clear policies regarding the use of smartphone cameras. (See below.)
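The device-level practices listed above can be checked mechanically when a personal phone requests access, together with the wipe-scope question raised by the user-agreement and data-segregation items. The following is an added example, not part of the original article; the posture field names, the thresholds, and the choice to treat every listed practice as mandatory are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed thresholds: the article says only "a specified period of time" and
# "a specified number of failed log-on attempts".
MAX_IDLE_LOGOFF_SECONDS = 300
MAX_FAILED_ATTEMPTS = 10
MIN_PASSCODE_LENGTH = 4  # the article's example is a four-digit string


@dataclass
class Decision:
    device_id: str
    allow: bool
    wipe_scope: Optional[str]  # "facility_data_only", "full_device" or None
    failures: List[str] = field(default_factory=list)


def _enabled(posture, key):
    """Fail closed: a control counts only when reported as exactly True."""
    return posture.get(key) is True


def _int_between(posture, key, low, high):
    """Fail closed: the setting must be a real int within [low, high]."""
    value = posture.get(key)
    return type(value) is int and low <= value <= high


def evaluate(posture):
    """Return the access decision for one device posture record (a dict)."""
    checks = [
        ("data encryption", _enabled(posture, "storage_encrypted")),
        ("passcode protection",
         _int_between(posture, "passcode_length", MIN_PASSCODE_LENGTH, 64)),
        ("password-protected applications",
         _enabled(posture, "app_password_required")),
        # 0 usually means "never log off", so the lower bound is 1.
        ("automatic logoff",
         _int_between(posture, "idle_logoff_seconds", 1, MAX_IDLE_LOGOFF_SECONDS)),
        ("lock or wipe after failed log-ons",
         _int_between(posture, "max_failed_attempts", 1, MAX_FAILED_ATTEMPTS)),
        ("remote wipe", _enabled(posture, "remote_wipe_enrolled")),
        ("auto-location", _enabled(posture, "location_enabled")),
    ]
    failures = [name for name, ok in checks if not ok]

    # Segregated facility data can be wiped selectively. Without segregation,
    # a full-device wipe is available only if the owner signed the agreement.
    if _enabled(posture, "data_segregated"):
        wipe_scope = "facility_data_only"
    elif _enabled(posture, "user_agreement_signed"):
        wipe_scope = "full_device"
    else:
        wipe_scope = None
        failures.append("no agreed wipe scope")

    device_id = str(posture.get("device_id", "<unknown>"))
    return Decision(device_id, not failures, wipe_scope, failures)


# Constructed posture records (hypothetical inventory export, not real devices).
_COMPLIANT = {
    "storage_encrypted": True, "passcode_length": 6,
    "app_password_required": True, "idle_logoff_seconds": 120,
    "max_failed_attempts": 10, "remote_wipe_enrolled": True,
    "location_enabled": True,
}
SAMPLE_INVENTORY = [
    dict(_COMPLIANT, device_id="phone-A", data_segregated=True,
         user_agreement_signed=False),
    dict(_COMPLIANT, device_id="phone-B", data_segregated=False,
         user_agreement_signed=True),
    # Passcode length reported as text, logoff disabled, no wipe terms on file.
    dict(_COMPLIANT, device_id="phone-C", passcode_length="4",
         idle_logoff_seconds=0),
]

if __name__ == "__main__":
    for record in SAMPLE_INVENTORY:
        d = evaluate(record)
        status = "ALLOW" if d.allow else "DENY"
        print(f"{d.device_id}: {status} wipe={d.wipe_scope} failures={d.failures}")
```

Missing or malformed values are treated as a failed control, so a device that does not report a setting is denied rather than admitted by default.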
One hurdle for technology managers in implementing the above policies is that non-Windows mobile platforms used on some smartphones may not be compatible with some of the standard healthcare applications that are already in use. Another challenge relates to the rapid generational change of smartphone devices and platforms—the introduction of new products can easily outpace and frustrate a facility’s efforts to support the devices in a standardized fashion. In short, managing smartphone use and deployment within the healthcare enterprise may require a different skill set and new techniques compared with existing medical or information technologies.
Policies for Smartphone Camera Use in the Healthcare Facility
In the past, most personal photography in the healthcare environment was limited to the labor and delivery unit. But now, thanks to mobile devices, personal cameras are everywhere—in the hands of not only patients and visitors, but also physicians, staff, and volunteers. One troubling aspect of this development is that individuals with smartphones can instantly transmit the images they take to the Internet and social networking websites, where there are no privacy or security protections for images containing individually identifiable health information. A patient at a California psychiatric hospital, for example, posted photos of groups of patients on a social networking website; that incident prompted the facility to ban cell phones and laptops (Ornstein 2008).
Because of the ease with which mobile device cameras can be used to infringe on an individual’s privacy, healthcare facilities, as covered entities under the HIPAA Privacy Rule, must establish limits for picture taking on their premises. ECRI Institute’s March 2012 report “Photography, Filming, and Other Imaging of Patients,” published in Healthcare Risk Control, describes various instances of the inappropriate use of cell phone cameras in the healthcare environment and provides guidance for developing picture-taking policies that help protect the privacy of patients and staff and safeguard confidential health information. Below, we summarize some of the key points that apply to the use of cell phone cameras and similar devices.
Reducing the risk of HIPAA violations, lawsuits charging invasion of privacy, and unwanted media attention related to security breaches requires a well-thought-out approach to picture taking in healthcare facilities, covering not only the acquisition of images (film, video, or digital), but also their use and storage.
We recommend that healthcare facilities develop and periodically review policies addressing circumstances when photography, filming, and other types of imaging are permitted or prohibited. Policies should address camera use by patients, visitors, volunteers, employees, and medical staff. This includes all instances when cameras are used, from a patient or visitor taking personal photographs to a staff member, student, or contractor documenting treatment- or business-related activities (e.g., patient care, research, education, telemedicine, marketing). Policies should also address all possible camera types, including cameras on wireless handheld devices and webcams on laptop computers.
Additionally, healthcare facilities should ensure that policies are compliant with applicable accreditation standards, state laws or regulations, and HIPAA privacy requirements related to individuals’ authorization or consent for the use and release of images with individually identifiable health information. This will require, for example, determining the circumstances in which the patient’s or the surrogate’s authorization or consent should be obtained to take photographs and other images. Note that the Joint Commission requires that facilities obtain a patient’s consent to make or use images for purposes other than the patient’s care. Situations that would require the patient’s consent include making recordings for the organization’s internal use, such as for performance improvement activities and education. The standard also applies to recordings made for external use, such as for commercial filming, television programs, and marketing materials.
At the federal level, HIPAA regulations will largely guide a healthcare organization’s approach to photography. The HIPAA Privacy Rule prohibits healthcare facilities and other covered entities (including healthcare workers) from using or disclosing PHI for purposes other than treatment, payment, and healthcare operations without obtaining the individual’s written authorization. (A few specific exceptions exist, such as when reporting a case of suspected abuse or neglect to an investigating agency.) Under HIPAA, images are considered PHI if information from the image, such as the patient’s face or an identifying mark, can be used to identify an individual. The HIPAA Security Rule addresses the need for safeguards to protect the security of images that are stored and maintained electronically—for example, to protect the integrity of the data and to prevent the inappropriate disclosure of PHI. Practices that may need to be addressed include the transmission of images—for collaboration, for example—via e-mail services or web-based cloud storage services that lack safeguards to protect PHI. Note that some states have even more stringent privacy requirements that come into play when considering whether an individual’s consent is required for taking or using patient images.
Facilities should also educate employees, medical staff, and volunteers about the facility’s policies for photography, filming, and other types of imaging. Similarly, facilities should make patients and visitors aware of the organization’s picture-taking policies in admission packets, on signage in the facility, and through the facility’s HIPAA privacy notice. If a facility’s HIPAA notice of privacy practices does not contain specific information about how photographs and other recordings of patient care may be used or disclosed, good risk management principles suggest that a separate form or notice be prepared that specifically addresses photographs and recordings of patient care.
Note that a facility may need to educate patients and visitors about the special privacy considerations that exist in the healthcare environment. These individuals may not be sensitive to the fact that other patients may not wish to be photographed or have information about their health condition widely known. To protect the privacy of others, individuals taking photos should take care to avoid including unintended individuals (e.g., people who happen to be in the background) or medical devices displaying patient names or data.
Specific Policies to Consider
Having clear policies in place—and educating staff, patients, and visitors about the policies—can help to mitigate the legal and regulatory risks associated with photography in healthcare facilities. When establishing or reviewing such policies, we recommend that facilities consider the particular provisions outlined below.
Provisions for a policy on staff camera use might include:
- Prohibiting employees, medical staff, and volunteers from using either their own device or a facility-supplied device for taking photographs or video of patients and visitors for personal reasons—that is, for reasons unrelated to the patient’s care or healthcare operations. (If a facility chooses to allow exceptions, its policy should specify that a written HIPAA authorization be obtained from the individual to be photographed.)
- Specifying that when images of a patient are needed for purposes related to treatment (e.g., in the care of pressure ulcers), payment, or healthcare operations, the images must be taken by authorized personnel using equipment supplied by or otherwise approved by the facility. Particular care must be exercised if staff are allowed to use their personal phones for work-related purposes (e.g., in a BYOD arrangement). Because care-related images are considered PHI, appropriate security measures must be in place to prevent unauthorized access to, inappropriate use or disclosure of, or interference with the integrity of the images. Note that HIPAA authorization is not required for taking images for these purposes; nevertheless, obtaining the patient’s (or surrogate’s) permission is considered good risk management practice—and in certain circumstances, state law may require patient consent.
- Establishing policies for storage and retention of photographs and other images in the patient’s medical record. Safeguards must be in place to protect individually identifiable health information from unauthorized access, loss, theft, or damage. Images collected in an electronic format must be managed in a manner to ensure compliance with HIPAA’s Security Rule for the electronic storage and transmission of individually identifiable health information.
As derived from Markus and Zuiker (2009) and Stanford Hospital and Clinics (2008), provisions for a policy on camera use by patients and visitors might include:
- Requiring that the individual taking pictures obtain the permission of any other patient, physician, staff member, volunteer, or other individual who will appear in the photo, unless state law specifies more stringent requirements. While personal photographs taken by the family and friends of the patient do not require the patient’s HIPAA authorization, the privacy rights of other individuals who might appear in the photo should be respected.
- Enforcing individuals’ right to revoke their permission or consent immediately after a picture is taken.
- Prohibiting individuals from taking pictures that would include medical devices (e.g., physiologic monitors) and other equipment that displays patient information.
- Requesting patients to sign (e.g., at admission) a statement acknowledging that they have been informed about the facility’s policy on personal photography and cell phone camera use.
- Communicating the facility’s right to delete or otherwise destroy images that were obtained without proper consent or permission.
Cell Phones and EMI: Integrating Smartphones into Your Cell Phone Policies
All radio-frequency (RF) transmitting devices, including smartphones and other cell phones, generate electromagnetic fields. Under certain circumstances, these fields can cause EMI—essentially disruptions in the operation of other electronic devices. In the healthcare environment, concern exists that such disruptions could affect the operation of medical devices. Whether EMI occurs in the presence of an RF transmitting device depends on a number of factors, including the susceptibility of the medical device to EMI, the frequency and power of the signal from the transmitting device (e.g., the cell phone), and the distance between the two devices. Generally, the risk of EMI increases at higher transmitter powers, lower transmitter frequencies, and shorter distances between the two devices.
Published reports show that medical devices have been affected by EMI, both under test conditions and during clinical use. Reported incidents involving ventilator malfunctions and overdelivery of medication from an infusion pump, for example, illustrate that serious patient health consequences are possible.
In addition, as shown in the chart below, 3 of the first 16 respondents to our ongoing cell phone survey indicated that the operation of a medical device has been affected by EMI from a cell phone or smartphone at their facility within the past three years. (Details about the events are not available.)
However, the literature includes few examples of incidents in which EMI from cell phones has actually adversely affected patient care. The scarcity of such reports suggests that clinical problems from EMI are highly unlikely. Also, strong arguments can be made that cell phones—and smartphones in particular—offer benefits in the healthcare environment, including clinical benefits for caregivers and practical advantages for patients and visitors. In addition, certain realities must be recognized: Cell phones are everywhere, and overly restrictive policies, such as complete bans on cell phone use within a healthcare facility, would be impractical to enforce.
Hospital policies regarding the use of cell phones and similar devices, therefore, must balance the potential risks of EMI, the apparent low incidence of effects on patient care, and the potential benefits associated with the use of cell phones and smartphones. (In terms of potential interference effects, we do not distinguish between smartphones and other cell phones. Furthermore, tablet computers or other mobile devices with cell-phone-like capabilities should be treated similarly.)
ECRI Institute continues to recommend that prudent measures be taken to minimize the risks of EMI from cell phones and similar devices. We don’t believe, however, that a one-size-fits-all policy is feasible because of the many local factors that can affect the risk of EMI. Factors such as the layout of the building, the location of nearby cell towers (which affects the output power required to communicate with the tower), whether or not a distributed antenna system has been installed, and the types of phones and cellular service providers that are in use are just a few of the variables that can affect the risk of EMI in a given instance. (For discussion of the technical issues, refer to our earlier articles on this topic, published in the November 2001, March 2003, and December 2006 issues of Health Devices.)
Thus, while we encourage healthcare facilities to consider our recommendations, we believe they should ultimately establish policies that suit their particular circumstances, balancing the needs of clinicians, nonclinical staff, the public, and the institution as a whole. (The preliminary survey results below illustrate facilities’ current policies with regard to the use of cell phones and similar devices in various locations within the facility.)
For Clinicians and Nonclinical Staff
Facilities should work with clinicians and other staff to develop a reasonable and thoughtful approach to the use of smartphones and other mobile devices with cell phone capabilities. We recommend the following:
- Instruct all staff, including independent physicians, to maintain a distance of at least 1 m—approximately 3 ft, or about an arm’s length—from medical equipment when using a cell phone or similar device. Staff should be aware that the use of such devices could adversely affect nearby medical equipment and should be alert to any suspicious behaviors in that equipment. Suspected instances of medical device interference should be reported to designated personnel, as well as to ECRI Institute and, as appropriate, to organizations such as FDA or Health Canada.
As previously discussed, setting smartphones and similar devices to preferentially use the facility’s Wi-Fi network for data transfer can help reduce the risks of EMI when the devices are being used for certain functions, since a Wi-Fi connection has a much lower power output than a cellular connection and is thus less likely to cause EMI. However, this configuration will not avoid higher power outputs from the smartphone for incoming and outgoing phone calls using the cellular network; therefore, it does not eliminate the potential for EMI.
- Ensure that staff members are aware of the other, non-EMI-related risks associated with the use of smartphones and similar devices and that policies are in place to minimize those risks. As described in this article, problems to consider include information security breaches, inappropriate use of cell phone cameras, threats from computer viruses or other malware, distractions affecting patient care, and infection control concerns.
As a general policy, facilities may consider restrictions on personal uses of smartphones and similar devices during patient care activities. In addition to being a productivity measure, such a policy would help reduce the likelihood that mobile device use will adversely affect patient care—whether through EMI or some other cause.
Cell Phones and EMI
Preliminary survey results. We have received 16 responses to date (representing 13 user locations). Details about the events are not available. We encourage members who have not yet completed the survey to do so. The survey can be accessed here.
For Patients and Visitors
The ability to use mobile devices during a hospital visit can contribute to making it a more positive experience for patients and visitors. However, a healthcare facility must balance the need to satisfy its “customers” (i.e., patients and visitors) with its obligation to minimize the risks of patient harm. We recommend the following:
- Inform patients and visitors that the use of cell phones, smartphones, and similar devices in close proximity to certain medical devices can affect the operation of those devices, potentially jeopardizing the patient’s care. Thus, the use of personal mobile devices is restricted in certain areas; in such areas, cell phones and similar devices may be used only by staff for clinical purposes. As a result:
— Patients and visitors should be prohibited from using mobile devices in highly instrumented areas, such as critical care units, except in specific locations within such areas that have been designated for cell phone use. In determining areas that can be designated for cell phone use, the facility should be sensitive to visitors’ needs to communicate with individuals outside the hospital from areas such as the emergency department and surgical waiting rooms. In areas where potentially sensitive medical devices may be in use, patients and visitors should be instructed to maintain a distance of at least 1 m—and preferably more—from medical equipment when using a smartphone or other cell phone.
— Areas where mobile device use is not permitted should be clearly marked. Any such device should be powered off when carried in areas that have not been designated for cell phone use.
— The use of cell phones and similar devices may generally be allowed in other areas, where concerns about the effects of interference are negligible.
— For some patients, however, special concerns may exist because of the nature of the medical devices being used and the level of physiologic support that the patient is receiving (e.g., life-critical support, infusion of high-alert medications). If it is not possible for the patient to maintain a 1 m separation from medical devices, the patient should be instructed not to use the cell phone or similar device while the medical device is in use.
- Educate patients and visitors about the healthcare facility's picture-taking policies (i.e., the use of a mobile device's camera function). (See above for additional discussion.)
Hospital Policies on Cell Phones and Smartphones
Preliminary survey results. For years, concerns that EMI from cell phones could disrupt the operation of medical devices have shaped policies addressing cell phone use in the healthcare environment. Some facilities, for example, prohibit the use of cell phones in certain areas, or they allow their use only with certain restrictions, such as keeping the cell phone a specified distance away from potentially sensitive devices. Now, with smartphones and other mobile devices offering functionality that far exceeds the capabilities of traditional cell phones, new sets of benefits and risks must be considered when developing a policy. We asked respondents to specify how their facility is currently managing the use of cell phones and smartphones—both by clinicians and by patients and visitors. We have received 22 responses to date (representing 19 user locations).
Smartphones vs. Mobile Phones
What distinguishes a smartphone from a traditional mobile phone? Boulos et al. offer the following description, which captures the distinction nicely:
Smartphones . . . are mobile phones that offer not only the standard facilities such as voice and text communication, but also advanced computing and communication capability, including, for example, Internet access and geo-positioning systems. In comparison to earlier mobile phones, smartphones generally also have larger, higher resolution display screens. Most of the newer generation of smartphones also incorporate other features such as on-board personal management tools, high quality cameras and recording devices.
On Smartphone Apps
Note that a discussion of healthcare-related smartphone apps is beyond the scope of this article. Thousands of such apps are currently available (Boulos et al. 2011)—many providing no guarantee that they meet the same quality assurance standards that are applied to healthcare technologies. In draft guidance issued in July 2011, FDA defined “a small subset of mobile medical apps” that will require FDA oversight based on their potential to affect “the performance or functionality of currently regulated medical devices.” For more information on healthcare-related apps, see "Health Apps and Safety: Views from Recent Sources" in this month’s Safety Matters section.
Walkie-Talkies and Other Two-Way Radios
Two-way radios like walkie-talkies operate at higher output powers than cell phones and thus create a greater risk of EMI, requiring more stringent policies. Refer to this box in the December 2006 Health Devices for our recommendations for these devices.
 The language covering media notification is: “For breaches involving more than 500 residents of a State or jurisdiction, a covered entity must notify prominent media outlets serving the State or jurisdiction.” This statement appears in the “Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2009 and 2010, As Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act,” which was developed by the U.S. Department of Health and Human Services, Office for Civil Rights. For details, see https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/breachnotificationrule/breachrept.pdf. Additional information about the Breach Notification Rule is also available online at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.
 Our December 2006 Guidance Article “Cell Phones and Electromagnetic Interference Revisited” describes some incidents involving EMI. Also see, for example, Carranza et al. (2011), Fernandez-Chimeno and Silva (2010), Hietanen and Sibakov (2007), Lota (2011), Misiri et al. (2012), and U.K. Department of Health (2009).
 Additional studies addressing infection control issues with cell phones and other communication devices are cited in reviews by Visvanathan et al. (2011) and by Singh and Purohit (2012).
 For a discussion of the distinction between “consent” and “authorization” under the HIPAA Privacy Rule, as well as a listing of the elements necessary in a written authorization, refer to https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html.
 Boulos MN, Wheeler S, Tavares C, et al. How smartphones are changing the face of mobile and participatory healthcare: an overview, with example from eCAALYX [online]. Biomed Eng Online 2011 Apr 5 [cited 2012 May 25]. Available from: www.biomedical-engineering-online.com/content/10/1/24.