1. AGNESIAN HEALTHCARE POLICY AND PROCEDURE
(AHE9/03
, CLW9/03
, FDLRC9/03
, SAH9/03
, SFH9/03
, WMH9/03
, RMC08/12
)
SUBJECT: Mobile Computing Devices Policy
Department
Responsible:
Information Services
(HIPAA Security Committee)
Page 1 of 2 Policy No: IM2459
Effective Date: December, 2009 Approved: s/Nancy Birschbach
Vice President & Chief Information Officer
Reviewed/Revised Date: 11/2004, 5/2006, 9/2007 NB, 12/2009, 8/2012, 1/2013 revised
Developed Date: 09/03
Formerly named Portable Computing Devices
POLICY STATEMENT:
The purpose of the Agnesian HealthCare Mobile Devices Security policy is to establish guidelines for the use of mobile
devices (i.e., smartphones, laptops, tablets, and other smart devices (i.e., iTouch)) and their connection to the internal
resources at Agnesian HealthCare. The guidelines are necessary to preserve the integrity, availability and
confidentiality of Protected Health Information (PHI) and confidential Agnesian HealthCare data.
DEFINITIONS:
AHC: Agnesian HealthCare
I.S.: Information Services
PHI: Protected Health Information
Mobile Computing Devices: Any easily portable device that is capable of receiving and/or transmitting data.
PROCEDURE:
Agnesian HealthCare is committed to providing remote access to internal resources when appropriate for business
use. The I.S. Devices Security Team uses best practices to help guide this policy and implement training. Devices
that are granted access to locally stored business information and applications (for example, email, calendars and
contacts) must follow the procedures outlined below:
Users must set device password authentication upon issue. Users should choose a password that is strong and should
not share their password with others.
Non AHC - owned mobile computing devices that require network connectivity or store AHC-owned PHI or
confidential data must conform to AHC I.S. standards and must be approved by the AHC Information Security
Officer.
Protected Health Information and confidential Agnesian HealthCare data should not be stored on mobile
computing devices.
Transmission or storage of PHI and confidential AHC information must be encrypted using an approved
security software.
Corporate issued laptops must be encrypted using an AHC approved encryption software.
Corporate issued mobile devices and personal mobile devices requesting AHC network access must enroll in
the Mobile Device Management tool issued by I.S.
Using mobile computing devices to photograph and transmit AHC owned information is strictly prohibited.

2. SUBJECT: Mobile Devices Policy Policy No: IM2459
Page 2 of 2
Users must initiate the “device lock” feature. This lock should be set for no more than 3 minutes in length.
Users must utilize a “remote wipe” application for the device.
o It is recommended that all personal (non AHC) information should be backed up regularly.
o A lost/stolen mobile device must be reported immediately to the I.S. department Help Desk xt 8000 to
determine if remote wipe is necessary.
Users must follow all additional AHC I.S. standards and are subject to audits by the AHC Information Security
Officer.
I.S. encourages users to only download applications from trusted sources.
I.S. will review director approved requests for users who have their own devices and wish to access AHC
network resources.
Agnesian HealthCare reserves the right to refuse or revoke network access.
Violation of this policy may result in disciplinary action, which may include termination for associates, a termination of
contract in the case of contractors or consultants. Associates who terminate employment with Agnesian HealthCare
should refer to policy HR2043 - Separation of Employment and turn in all Agnesian owned devices with their ID badge
and keys.