1. Purpose

This policy governs the use of the hospital mobile application ("HMIS App") by employees and consultants. It ensures the protection of patient privacy and hospital data and sets out employee responsibilities regarding mobile access.

2. Scope

This policy applies to:

  • All hospital employees, consultants, and authorized users.
  • All devices (hospital-issued or personal) used to access the app.
  • All data accessed, stored, or transmitted via the app.

3. Acceptable Use

Employees may only use the app:

  • For legitimate hospital business purposes.
  • Within the scope of their job responsibilities.
  • In compliance with hospital policies and applicable healthcare laws.

4. Data Access and Collection

The app may collect and access:

  • User identification data (e.g., employee ID, login credentials).
  • Device information (e.g., device ID, OS, app version).
  • Location data (if necessary for functionality, e.g., for on-call scheduling).
  • Activity logs (for security monitoring and auditing).

All access to patient data must comply with HIPAA and hospital confidentiality rules.

5. Patient Information and Confidentiality

  • Employees must not screenshot, download, or share any patient information outside the app.
  • All patient data accessed via the app is considered Protected Health Information (PHI) and must be treated confidentially.
  • Personal devices must use secure authentication (PIN, biometrics, etc.) and encryption.

6. Security Measures

  • Enable device encryption and use strong authentication.
  • Immediately report lost or stolen devices to IT/security.
  • Do not jailbreak or root any device used to access the app.
  • Allow IT to enforce mobile device management (MDM) policies (e.g., remote wipe, device lock).

7. Monitoring and Auditing

  • The hospital may monitor app usage to ensure compliance.
  • All access to PHI is logged and auditable.
  • Unauthorized access or misuse may lead to disciplinary action, including termination.

8. Data Retention and Deletion

  • No PHI should be stored permanently on employee devices.
  • App data may be remotely wiped upon employee separation or device loss.
  • Employees must not back up hospital app data to personal cloud services.

9. Third-Party Services

If the app uses third-party services (e.g., push notifications, analytics), data sharing is strictly controlled under business associate agreements (BAAs).

10. Employee Responsibilities

  • Read and acknowledge this policy before using the app.
  • Complete training on HIPAA and mobile security.
  • Cooperate with audits and investigations related to app use.

11. Policy Violations

Violations of this policy may result in:

  • Loss of app access.
  • Disciplinary action.
  • Legal liability for breaches of PHI.

12. Policy Updates

This policy may be updated. Employees will be notified of significant changes and may be required to re-acknowledge the policy.