BYOD (Bring Your Own Device)
Bring Your Own Device
The practice of allowing workforce members to use personally-owned devices to access organizational information systems.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Security
- Acronym for
- Bring Your Own Device
- Primary sources
- 2
- Workspace handoff
- compliance binder →
Where this comes up
This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.
Full definition
What it is in practice
NIST SP 800-46 Rev. 2 describes the security considerations for BYOD and teleworking. Under HIPAA, BYOD that touches ePHI must be addressed by the risk analysis and governed by a documented policy covering authentication, encryption, remote wipe, and acceptable use.
How it shows up in your practice
Either prohibit BYOD for ePHI access or require a mobile device management (MDM) profile that enforces encryption, MFA, and remote-wipe capability. Document the choice.
Sources
- NIST SP 800-46 — Telework and BYOD Securityhttps://csrc.nist.gov/pubs/sp/800/46/r2/final
- NIST SP 800-66 Rev. 2 — HIPAA Security Rule Implementation Guidehttps://csrc.nist.gov/pubs/sp/800/66/r2/final
Adopt your BYOD policy in the Compliance Binder
Open compliance binder →Related terms
- SecurityMobile Device Management (MDM)Software that lets administrators centrally enforce security policies on smartphones, tablets, and laptops.
- SecurityEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- SecurityMFA (Multi-Factor Authentication)Authentication requiring two or more independent factors — something you know, have, or are.
- SecurityRemote AccessWorkforce member access to an organization's information systems from outside the organization's networks.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryMobile Device Management (MDM)Software that lets administrators centrally enforce security policies on smartphones, tablets, and laptops.
- GlossaryRemote AccessWorkforce member access to an organization's information systems from outside the organization's networks.
- GlossaryEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- GlossaryMFA (Multi-Factor Authentication)Authentication requiring two or more independent factors — something you know, have, or are.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- RegulationNIST Cybersecurity Framework 2.0The 2024 update to the NIST CSF added the Govern function alongside Identify, Protect, Detect, Respond, and Recover — providing a common language for organizational cybersecurity risk management.
- SRAHIPAA Contingency Plan for a Small PracticeWhat the Security Rule contingency plan standard at 45 CFR 164.308(a)(7) actually requires, including data backup, disaster recovery, emergency mode operation, and testing — for a small practice.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.