AST Guideline - Use of Mobile Information Technology in the Operating Room
8 the patient’s permission is in the interests of upholding risk management best practices. 8 The policy should specify that OR personnel and/or the surgeon must use mobile devices provided or approved by the HDO, and security measures must be established to prevent access to and inappropriate use of the images by outsiders.

e) Establish policies that safeguard the storage of photographs and other images in the patient’s medical record since these are considered PHI.

B. PHI should only be saved on HDO-approved, secure file servers or encrypted devices. OR personnel should access the information only through facility-approved methods. 16,48 HDOs have multiple options available to assist in protecting PHI while still allowing OR personnel to access information that is critical to patient care.

1) HDO provides organization-owned smartphones and other mobile devices: This gives the HDO the greatest control of PHI; information technology (IT) personnel can control the applications that are loaded on the devices and ensure the most current security and anti-malware software is loaded and kept up to date. 16

2) OR personnel’s personal device is cleared for use by the HDO: An HDO only allows the use of personal devices that meet the HDO’s security requirements to access the facility’s system. 8,16

3) Access information on HDO server: OR personnel use their personal device to log in and access information stored on the facility’s server, but the information is not stored on the device. This option reduces security risks if the device is lost, stolen, or compromised by an outside source, e.g. “hacking”.

4) HDO requires a user agreement: HDO requires OR personnel to sign an agreement that their personal mobile devices must meet the same security measures as the facility’s internal devices and servers. 8 The user has access to the facility’s server, but agrees that if the device is stolen, lost or compromised, the facility has the right to remotely wipe data from the device, which means the user’s personal data will also be deleted.

5) Separation or segregation of data: Software is available that keeps the HDO’s data separate from the user’s personal information. This allows the facility’s information to be wiped from the device, but preserves the user’s personal information in the event the device is lost. 35

6) HDOs should have a policy addressing a user changing or upgrading their smartphone or other mobile device. The user should provide the old device to the IT department to scan and wipe out any PHI and facility information prior to donating or disposing of the device. 8