Mobile devices, such as smartphones and tablets are powerful tools. When used in appropriate ways, these devices may generally help nurses communicate with colleagues and patients, as well as keep notes, research medications, monitor patient’s medical devices and aid in virtual care. While there are significant benefits that come with the integration of smartphones and tablets into the web of healthcare technologies, there are also some potential issues that need to be considered. Understanding the legal considerations involved in using these devices may prevent potential adverse personal and professional consequences. This InfoLAW addresses some of those concerns.
Risk Management Considerations
Today, smartphones and tablets generally default to being protected through things like lock screen passcodes, biometric locks, and two-factor authentication. This makes physical access to device data much more difficult to obtain for anyone but the device owner. Nevertheless, it would be prudent for a nurse to keep up to date on their organization’s privacy and information management policies and procedures, as vigilance is key. For instance, an unencrypted, non-password protected external hard drive that had the personal health information of around 650 patients was stolen from an outpatient clinical procedure lab in 2019. This information, which included test results, names, gender, dates of birth, and medical record numbers, was unencrypted and unprotected despite organizational policies requiring encryption and password protection.1 A similar incident occurred at a university, where a thumb drive containing the personnel records of 12,000 current and former staff members was stolen out of administrative offices on campus.2
Like the external hard drive or thumb drive in these cases, smartphones and tablets still store and retain data on the device itself. This means that there is always a risk of unauthorized access to your device’s data.
While it can be difficult for someone to physically access the data stored on a smartphone or tablet, most external privacy breaches now happen through cyberattacks. Healthcare organizations have become one of the main targets for cyberattacks in Canada, and these can occur just as easily on smartphones and tablets as they can on personal computers.3 Smartphones and tablets store data not just physically on the device, but may also store data outside of the phone, and sometimes outside of Canada through cloud-based storage systems. This may potentially lead to unauthorized disclosure of personal health information if that information is stored on or accessed through your device.4
Smartphones and tablets have all become integrated into the provision of care. While some employers may prohibit the use of personal mobile devices at work, or provide employees with employer-owned devices, many employers have implemented bring-your-own-device (BYOD) programs. In these programs, personal devices are connected to and integrated with the organizational enterprise and healthcare management systems. Despite the benefits of BYOD, there remain legal considerations. A study on bring-your-own-device programs in healthcare found that while hospitals may implement security measures on devices that are configured to their enterprise management system, several challenges remain, such as poor device security, network security, and app security management.5
To avoid or mitigate as best as possible the challenges and issues raised in this section and the section above, it would be prudent to:
- Work with your employer’s information technology department, if you are using your own device, to ensure that your device has features and software that comply with your employer’s BYOD policies.
- Keep your smartphone and tablet operating system up to date, as these system updates often include security updates.
- Avoid connecting to unknown Bluetooth connections and unsecure, public Wi-Fi.
- Research mobile app security features; use only employer-approved mobile apps in the workplace.
- Store your smartphone or tablet in a secure location when not in use.
- Err on the side of caution when replying to unknown or untrusted text messages, phone calls, or emails, or clicking on unknown links.6
When in doubt, it may be beneficial to revisit your organization’s policies and procedures on device security and information management.
It is also important to clearly understand your role with respect to the collection, use, disclosure and protection of patient health records. Nurses may at times be custodians of health information (also known as “trustees” in some provinces) by application of the law, whether or not they have previously agreed to undertake these responsibilities. Custodians are generally responsible for ensuring that personal health information is adequately protected and is accessed, collected, used and disclosed in accordance with the applicable privacy legislation. Custodians would also be primarily responsible for responding to any breaches of privacy or security within an organization. For more information please see Are you a custodian or trustee of health records?
The integration of smartphones and tablets into everyday provision of care has many benefits for patients but can cause distraction that may negatively impact both your ability to provide care and patient safety.
The connection between smartphone usage and distraction is well-established. Distraction in the workplace may potentially lead to poor outcomes, especially in tasks that require heightened attention.7 A recent study among Italian nurses found that 42% of respondents reported being distracted by their phone while actively working, which included checking social media, playing games, and conducting personal business online.8 In one American case, a resident was distracted by a text message while in the process of entering an order on his phone’s CPOE app to discontinue a patient’s warfarin, resulting in the resident forgetting to submit the order. Since the order was never given and the warfarin was never stopped, the patient ended up needing emergency open-heart surgery due to hemopericardium from overanticoagulation.9
Smartphone and tablet usage in patient care, even if you are using your device specifically for patient care, may also create the perception of distraction. Moreover, it may negatively affect your relationship with the patient, as it may lead to a patient having reduced feelings of perceived empathy and heighten feelings of isolation and dehumanization. In one survey of the literature on smartphone usage in healthcare, researchers found that patient perception of mobile device usage was associated with potential impacts on the provider-patient relationship. Patients believed mobile device usage reflected unprofessionalism and distracted provision of care.10 Lack of professionalism or even a perceived lack of professionalism may increase the risk of potential legal action.
CNPS beneficiaries can contact CNPS at 1-800-267-3390 with specific questions related to their practice to speak with a member of CNPS legal counsel. All calls are confidential.
- Alberta Health Services, “Edmonton Patient records impacted by missing external hard drive”, online: Alberta Health Services <https://www.albertahealthservices.ca/news/releases/2019/Page15260.aspx>.
- Investigation Report F12-02 – University of Victoria (Victoria, BC: Office of the Information and Privacy Commissioner, 2012).
- Tunney, Catharine, “Canadian energy, health, manufacturing sectors were major targets of ransomware attacks: cyber spy agency”, (6 December 2021), online: CBC News <https://www.cbc.ca/news/politics/ransomware-critical-infrastructure-cse-1.6274982>.
- British Columbia College of Nurses and Midwives, “Taking pictures of clients: is it ever OK?”, online: <https://www.bccnm.ca/RN/learning/confidentiality/Pages/photos_clients.aspx>.
- Wani, Tafheem Ahmad, Antonette Mendoza & Kathleen Gray, “Hospital Bring-Your-Own-Device Security Challenges and Solutions: Systematic Review of Gray Literature” (2020) 8:6 JMIR mHealth and uHealth.
- Government of Canada Communications Security, “Get Cyber Safe”, (2 March 2020), online: Get Cyber Safe <https://www.getcybersafe.gc.ca/en/secure-your-devices/phones-and-tablets>.
- Izenberg, Dafna, Ryan Hinds & Ngozi Iroanyah, “Cellphones in the hospital: Can staff use them for personal reasons?”, (12 November 2018), online: Healthy Debate <https://healthydebate.ca/2018/11/topic/cellphones-in-the-hospital/>.
- Pucciarelli, Gianluca et al, “Nursing-Related Smartphone Activities in the Italian Nursing Population: A Descriptive Study” (2019) 37:1 CIN: Computers, Informatics, Nursing 29–38.
- Halamka, John, “Order Interrupted by Text: Multitasking Mishap”, (1 December 2011), online: <https://psnet.ahrq.gov/web-mm/order-interrupted-text-multitasking-mishap>.
- Alameddine, Mohamad et al, “Patient Attitudes Toward Mobile Device Use by Health Care Providers in the Emergency Department: Cross-Sectional Survey” (2020) 8:3 JMIR mHealth and uHealth.
Revised March 2023
THIS PUBLICATION IS FOR INFORMATION PURPOSES ONLY. NOTHING IN THIS PUBLICATION SHOULD BE CONSTRUED AS LEGAL ADVICE FROM ANY LAWYER, CONTRIBUTOR OR THE CNPS. READERS SHOULD CONSULT LEGAL COUNSEL FOR SPECIFIC ADVICE.