Compliance Foundations

HIPAA Mobile Device & BYOD Policy Template (45 CFR § 164.310(d) + 164.308(a)(1)(ii)(B))

10 min read · Last reviewed May 23, 2026

A HIPAA mobile device and BYOD policy governs how personally-owned and practice-owned mobile devices access, store, and transmit ePHI. The federal baseline lives at 45 CFR § 164.310(d)(1) (device and media controls) and the risk-management rule at 45 CFR § 164.308(a)(1)(ii)(B). NIST SP 800-124 Revision 2 is the federal mobile baseline OCR investigators reference.

What HHS actually requires

The HIPAA Security Rule does not say BYOD anywhere. The obligation is derived: § 164.310(d)(1) requires policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI, into and out of the facility, and movement within the facility. Personal phones move ePHI in and out of the facility every day. § 164.310(d)(2)(i) makes disposal a required implementation specification — including the disposal that happens when a workforce member leaves with their phone in their pocket.

The HHS Mobile Device guidance and the HHS Mobile Health App Developer guidance both treat BYOD as a covered use case requiring a written policy, MDM or equivalent, encryption, authentication, remote wipe, and an offboarding workflow. OCR Resolution Agreements involving mobile devices — Lifespan ($1.04M, unencrypted laptop), Children's Medical Center of Dallas ($3.2M, unencrypted devices including a BlackBerry), CardioNet ($2.5M, unencrypted laptop in employee car — all share the same defect: ePHI on a portable device, no policy, no MDM, no proof of encryption at the time of loss.

The four entities every credible BYOD policy references: the HHS Office for Civil Rights (OCR), NIST SP 800-124 Revision 2, NIST SP 800-111 for storage encryption, and the HHS Mobile Devices and Health Information guidance.

Template — section by section

``` MOBILE DEVICE AND BYOD POLICY [Practice Name] Effective: [DATE] Owner: Security Officer

  1. PURPOSE

This policy governs every mobile device that creates, receives, maintains, or transmits ePHI on behalf of the practice. It implements 45 CFR § 164.310(d)(1), 45 CFR § 164.310(d)(2)(i), and the risk-management requirement at 45 CFR § 164.308(a)(1)(ii)(B).

  1. SCOPE

In scope:

  • Practice-owned smartphones, tablets, and laptops
  • Personally-owned ("BYOD") smartphones and tablets that access:
  • Practice email
  • EHR or PM mobile apps
  • Secure messaging or paging
  • Telehealth platform
  • Imaging viewers
  • Any cloud storage holding ePHI
  • Wearables paired to in-scope phones

Out of scope:

  • Devices used solely for non-PHI personal use
  • Practice-owned voicemail-only forwarding devices
  1. ENROLLMENT REQUIREMENT

Before any in-scope device touches ePHI, the workforce member: a) Reads and signs the Mobile Device Enrollment Form (Appendix A) b) Enrolls the device in the practice's MDM/MAM platform c) Verifies device integrity (no jailbreak/root) d) Sets a 6-digit PIN or biometric + 6-digit fallback e) Confirms full-device encryption is enabled (iOS default; Android requires version 7+ and verified-boot device) f) Installs the practice work container or app set

The Security Officer co-signs and files the enrollment form in the device inventory.

  1. ALTERNATIVE FOR WORKFORCE MEMBERS WHO DECLINE BYOD

A workforce member who declines BYOD enrollment is offered: Option A: A practice-issued device for work use Option B: Access restricted to in-office workstations only Option C: A read-only BYOD profile (no PHI download permitted) The choice is documented on the enrollment form and is the basis for access provisioning thereafter.

  1. TECHNICAL CONTROLS (NIST SP 800-124r2 baseline)
  • Full-device encryption (AES-256 baseline)
  • PIN/biometric authentication with 6-digit fallback
  • Auto-lock after 5 minutes of inactivity
  • Remote wipe enabled by the practice (work container if MAM,

full device on practice-owned and on BYOD with consent)

  • Jailbreak/root detection with conditional access deny
  • OS version minimum: iOS current minus 1, Android 13+
  • MDM/MAM agent installed and reporting
  • VPN required on untrusted Wi-Fi for any EHR session
  • Disallowed apps (consumer messaging without BAA, unvetted cloud

storage) blocked by app-vetting policy

  1. PROHIBITED CONDUCT
  • Disabling MDM, encryption, or remote-wipe capability
  • Sharing the device PIN or biometric with anyone
  • Photographing PHI with the device camera unless using the EHR's

secured photo workflow

  • Storing PHI in personal cloud (iCloud personal, Google Drive

personal, Dropbox personal)

  • Using consumer messaging (iMessage SMS fallback, WhatsApp, etc.)

for clinical communication

  • Charging the device on an unknown USB station (juice-jacking)
  • Selling, donating, or recycling the device without first

confirming a successful wipe with the Security Officer

  1. INCIDENT REPORTING

A lost, stolen, suspected-compromised, or unrecoverable device must be reported to the Security Officer within four hours of discovery. The Security Officer:

  • Issues an immediate remote wipe
  • Revokes SSO and MFA tokens
  • Pulls the device's last-known location from MDM
  • Performs the breach-safe-harbor analysis under § 164.402 within

24 hours

  • Files the incident report
  1. OFFBOARDING (CRITICAL — see deployment notes)

On the workforce member's termination date, within four hours: a) Disable SSO and revoke MFA tokens b) Deauthorize the device from EHR, PM, email, secure messaging c) Issue MDM remote wipe (work container if MAM; full device on practice-owned) d) Collect any practice-owned items e) Complete the offboarding checklist (Appendix B) and file in the personnel record

  1. PRIVACY OF THE PERSONAL SIDE

The practice has visibility into the work container only. Personal photos, texts, browsing history, and applications outside the work container are not visible, collected, or wiped by the practice. The workforce member acknowledges this scope on the enrollment form.

  1. STIPEND / EXPENSE REIMBURSEMENT

[Optional clause — local employment law] The practice provides a monthly stipend of $___ for workforce members who enroll a personal device. Stipend continues during active employment; ends on the termination date.

  1. ENFORCEMENT

Violations are subject to the workforce sanction policy under 45 CFR § 164.308(a)(1)(ii)(C). Disabling MDM, encryption, or remote wipe is a Level 3 violation. Storing PHI in personal cloud or selling the device without wipe is a Level 4 violation.

Reviewed and approved: ___________________________ Security Officer Date: ________ ___________________________ Privacy Officer Date: ________ ___________________________ Practice Owner Date: ________ ```

Mobile Device Enrollment Form (Appendix A)

``` MOBILE DEVICE ENROLLMENT FORM Workforce member: ______________________ Role: ______________ Device type: □ iOS phone □ iOS tablet □ Android phone □ Android tablet □ Laptop □ Wearable (paired) Ownership: □ Practice-owned □ BYOD personal Make/model: ______________________ IMEI/serial: ______________ OS version: ______________________ MDM enrollment date: ______________________ PIN/biometric set: □ Yes Full-device encryption: □ Verified Jailbreak/root status: □ Clean Work container installed: □ Yes (MAM) / □ Full MDM Remote-wipe authorization: □ Work container only / □ Full device BYOD decline alternative chosen (if applicable): □ Practice-issued device □ In-office only □ Read-only profile

Acknowledgement: I have read the Mobile Device and BYOD Policy. I understand that the practice manages the work container only on a BYOD device, that I must report loss within four hours, that I must not disable MDM or encryption, and that on termination my work container will be wiped.

___________________________ ___________________________ Workforce Member (signature) Date

___________________________ Security Officer signoff Date: ______ ```

Offboarding Checklist (Appendix B)

``` MOBILE DEVICE OFFBOARDING CHECKLIST Workforce member: ______________________ Termination date: ________ Devices enrolled: ___________________________________________________

T+0 hours (immediately on termination decision): □ Disable SSO account □ Revoke MFA tokens □ Pull last MDM check-in record (filed)

T+4 hours (within the workday): □ Issue remote wipe (work container or full) □ Confirm wipe success in MDM console □ Deauthorize device from EHR □ Deauthorize device from PM system □ Deauthorize device from email □ Deauthorize device from secure messaging □ Collect practice-owned items □ Pay any final stipend through termination date

T+24 hours: □ Confirm no orphaned sessions in EHR/PM access logs □ File this checklist in the personnel record

Completed by: ______________________ Security Officer Date: ______ ```

Device Inventory (Appendix C)

| Workforce member | Device | Ownership | OS | MDM enrolled | Encryption verified | Remote-wipe scope | Last check-in | |---|---|---|---|---|---|---|---| | <name> | iPhone 15 | BYOD | iOS 17 | Yes | Yes | Work container | YYYY-MM-DD | | <name> | iPad Pro | Practice | iPadOS 17 | Yes | Yes | Full device | YYYY-MM-DD | | <name> | Pixel 8 | BYOD | Android 14 | Yes | Yes | Work container | YYYY-MM-DD | | <name> | MacBook Air | Practice | macOS 14 | Yes (Jamf) | FileVault | Full device | YYYY-MM-DD |

How to deploy

The deployment sequence: ratify the policy with the Security Officer, Privacy Officer, and practice owner; stand up an MDM/MAM platform (Intune, Jamf, Kandji, JumpCloud); enroll every existing in-scope device using the Enrollment Form and verify encryption + PIN + remote-wipe before granting access; communicate the policy to the workforce in a single session with sign-in evidence; file every signed Enrollment Form in the personnel record; copy the Offboarding Checklist into the HR runbook so the offboarding workflow runs the same way every time.

BYOD policies fail not at the policy, but at the offboarding workflow. Every audit we have responded to where a former employee retained ePHI access traced back to a missing or partial offboarding. Set the four-hour clock and put a named owner on it.

Common gaps

The five most common defects from binder review:

  1. No device inventory. Policy exists; no list of which workforce members are enrolled on which devices. OCR cannot verify scope.
  2. Wearable forgotten. Apple Watches and similar devices that display patient-name notifications are in scope and almost never on the inventory.
  3. Offboarding done by HR without IT confirmation. HR marks the employee inactive; nobody disables EHR access on the personal phone. The MDM console still shows the device checking in weeks later.
  4. MAM container present but personal cloud sync enabled. Workforce member screenshots PHI inside the work container, the screenshot saves to personal iCloud, the practice loses visibility.
  5. Provider declines BYOD enrollment and is allowed in-office access — but takes home a personal laptop with the EHR open. The decline alternative was not enforced.

Maintenance cadence

  • Monthly: MDM compliance report; remediate non-compliant devices within 14 days; review check-in dates for stale devices that may indicate offboarding gaps.
  • Quarterly: full inventory reconciliation against active payroll; sample five Enrollment Forms for completeness; review jailbreak/root telemetry.
  • Annually: policy refresh; re-acknowledgement by every workforce member; review against current NIST SP 800-124 revision; OS minimum-version bump.
  • On every termination: offboarding checklist within four hours.
  • On every new device: Enrollment Form, MDM enrollment, encryption verification before access.

State preemption note: Massachusetts 201 CMR 17.04 requires encryption on portable devices holding personal information — required, not addressable. NY SHIELD requires reasonable safeguards including device controls. California's CMIA imposes additional disclosure restrictions that interact with photo workflows. The federal BYOD policy is the floor; state law tightens the obligation when residents of those states are in scope.

How d3rx fits

The d3rx compliance binder generates the mobile device and BYOD policy, the Enrollment Form, the Offboarding Checklist, the device inventory, and the quarterly verification workflow with § 164.310(d), § 164.308(a)(1)(ii)(B), and NIST SP 800-124r2 cited inline. The practice's Security Officer remains responsible for selecting the MDM platform, enforcing enrollment, and verifying offboarding execution.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversHIPAA Mobile Device & BYOD Policy Template (45 CFR § 164.310(d) + 164.308(a)(1)(ii)(B)). We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

What if a workforce member declines BYOD enrollment?

The practice has two acceptable answers: provide a practice-owned device, or restrict the workforce member's access to ePHI to in-office workstations only. Allowing unmanaged personal devices to touch ePHI is a [§ 164.310(d)(1)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310) failure. We document the choice on the device-enrollment form so the access decision is auditable later.

Do I need MDM on every personal phone, or just the ones that open the EHR?

Any personal device that creates, receives, maintains, or transmits ePHI is in scope under [§ 164.310(d)(1)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310). That includes secure messaging, work email with patient names, telehealth visits, on-call texts, and photos of wounds or imaging. MDM (or MAM where MDM is over-scoped) is the only practical way to enforce encryption, PIN, and remote-wipe at scale. A phone that only forwards practice voicemail to voicemail-to-text without PHI content is out of scope; a phone that opens patient email is in.

BYOD policies fail at offboarding — what's the right workflow?

BYOD policies fail not at the policy, but at the offboarding workflow. On termination day: disable SSO, remote-wipe the work container (MAM) or the full device (MDM), revoke MFA tokens, deauthorize the device from EHR and PM, collect any practice-owned items, and document the steps on the offboarding checklist. We do this within four hours of the termination decision because OCR's enforcement record disfavors gap between termination and access removal.

Can the practice see personal photos and texts on a BYOD device?

No, and the policy must say so explicitly. Modern MDM and MAM solutions create a work container that the practice can see, manage, and wipe; the personal side stays private. Workforce members sign an acknowledgement that the practice has visibility into the work container only. State laws like California Labor Code § 2802 and Connecticut electronic-monitoring statutes interact with what the practice can monitor on personal property; the policy carve-out protects both sides.

What does NIST SP 800-124 Revision 2 add to the BYOD analysis?

[NIST SP 800-124 Revision 2](https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final) (Guidelines for Managing the Security of Mobile Devices in the Enterprise) is the federal mobile baseline. HHS guidance does not name it explicitly, but OCR investigators treat it as the reference standard for what reasonable and appropriate looks like on mobile. The controls that matter: device integrity attestation, MDM enrollment, app vetting, container or workspace isolation, network controls, and verified offboarding.

What about Apple Watch, AirPods Pro hearing aid mode, or other wearables?

Wearables that display notifications including patient names, that record audio during a clinical encounter, or that store call logs of patient phone numbers are in scope. The practical control is the paired phone: if the phone is MDM-enrolled, the wearable inherits the safeguards. Practices that allow unpaired wearables (some smartwatches with cellular) must add the wearable to the device inventory and run the same encryption and remote-wipe analysis as a phone.

How does NY SHIELD affect BYOD?

[NY SHIELD](https://ag.ny.gov/internet/data-breach) requires reasonable administrative, physical, and technical safeguards as part of a written information security program for any business holding NY resident data. BYOD without MDM and offboarding is not reasonable under SHIELD. SHIELD does not preempt HIPAA; it adds an enforcement vector via the NY Attorney General with civil penalties up to \$5,000 per violation.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR § 164.310(d)(1)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
  2. 45 CFR § 164.308(a)(1)(ii)(B)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
  3. NIST SP 800-124 Revision 2https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final
  4. NIST SP 800-111https://csrc.nist.gov/publications/detail/sp/800-111/final
  5. Mobile Devices and Health Informationhttps://www.healthit.gov/topic/privacy-security-and-hipaa/your-mobile-device-and-health-information-privacy-and-security
  6. Massachusetts 201 CMR 17.04https://www.mass.gov/regulations/201-CMR-17-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth
  7. NY SHIELDhttps://ag.ny.gov/internet/data-breach
  8. California's CMIAhttps://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=1.&title=&part=2.6.&chapter=&article=

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides