Apple recently released a message addressing the replacement of batteries in iPhone devices which are out-of-warranty. Apple has voluntarily reduced the cost of a battery replacement in iPhone 6 and later devices which are out-of-warranty to $29 from $79, a reduction of $50 per device.
Many healthcare organizations allow workforce members to use their personal iPhone devices to connect to corporate email and, in some cases, sensitive clinical applications. This is often referred to as Bring Your Own Device or BYOD.
While the iPhone 6 and above are encrypted, a carrier or Value-Added Reseller (VAR) may ask a user to unlock the phone so they can test the battery replacement.
Any mobile device which is connected to corporate email has the potential to store a downloaded email attachment. If this attachment contains ePHI, simply disconnecting the device from the email system will not rid the device of the downloaded attachment.
This poses a risk of an impermissible disclosure since the encryption was bypassed by providing the PIN or passcode to the technician.
All iPhone devices, whether BYOD or corporately owned, which have access to corporate email or applications should be verified by the information technology or information security (IT/IS) departments to be “wiped” or clear of corporate data, with email disconnected, prior to being delivered to Apple or a VAR for battery replacement. This activity falls under the responsibility of the HIPAA Security Officer, who should be driving the program.
This may pose a challenge for some organizations that do not have appropriate policies and procedures regarding management of BYOD mobile devices but still allow workforce members access to the corporate email system. This should be managed through an information “campaign” which requires all workforce members to have their personal devices verified and cleaned by IT/IS prior to delivering them for a battery replacement.
This event should provide an organizational impetus to develop the appropriate BYOD and mobile device management policies and procedures and to consider implementing technical capabilities (i.e., a Mobile Device Management system) to assist with device management.