
Debunking the most common myths about HIPAA

From the mHealthNews archive
By Zachary Landman, MD, Chief Medical Officer at DoctorBase

Earlier this year, the U.S. Department of Health and Human Services released the Omnibus Final Rule, significantly amending the privacy and security standards outlined in the Health Insurance Portability and Accountability Act (HIPAA). Since enforcement is now in effect, I’ve been getting a lot of questions as to what this means for developers, users and patients interacting with mobile technology.

First and foremost, it’s important to understand the scope of HIPAA and its specific terminology, since both are often misunderstood, making it difficult to understand the various provisions within the HIPAA Omnibus rule. Hopefully, by addressing a few common concerns or questions that arise, I can help lay the groundwork for ensuring that your institution, application, or clinic is adequately prepared.

Myth: I’m not a medical provider or connected to a healthcare institution, so HIPAA doesn’t apply.

This is likely the most profound change in the Omnibus update. Whereas previously, HIPAA only applied to “covered entities” that included “healthcare providers who conduct healthcare transactions electronically, health plans and healthcare clearinghouses,” the HIPAA Omnibus rule expands enforcement to any business associate that “creates, receives, maintains or transmits PHI.” This enforcement expansion, therefore, very clearly will involve all vendors who partake in the transmission or storage of protected health information … which, as we’ll see below, isn’t all health information.

Myth: HIPAA applies to all health data.

HIPAA actually only applies to a narrow definition of health information and data – namely, only data that is held by a patient’s physician or healthcare team. For example, if you record your morning weight, sleep cycles or glucose levels and use a mobile app or website that is entirely patient-facing (meaning it doesn’t transmit that data to your physician or healthcare team), then that application or website is not liable or held to HIPAA standards. However, if you record that same information in a mobile platform that is accessible by your physician (i.e., a health journal or healthcare portal), then that data becomes the physician’s responsibility to protect and is protected by HIPAA’s statutes.

Myth: The data is secure, so of course it’s private.

HIPAA addresses both the security and privacy of a patient’s health information under the care of a healthcare team. Security refers to how the information is guarded and protected. Legacy systems typically rely on local installations that allow the protected health information (PHI) to be safely hidden behind firewalls, encrypted Wi-Fi and network security protocols. The common way in which these systems cause security breaches is when a local computer or laptop is stolen or removed from the institution. Mobile and cloud-based systems, however, remove the onus from the local institution and place the security burden squarely on the vendor. Data transmission and storage must be strongly encrypted to ensure that it is reasonably secure from third-party access or attacks.

From a customer or patient perspective, key things to look for are that the site is hosted on a secure website (https, for example) and appropriately uses encryption and authentication certificates. Another question to ask your vendor is exactly how the data is stored. The minimum requirement for servers is to have a virtual or dedicated firewall, appropriate backup, antivirus and patch management. In contrast to security, privacy refers to the appropriate sharing of PHI, which includes potentially any and all information exchanged between physician and patient. Therefore, while it is perfectly reasonable for patients to use a popular e-mail client to message their doctor, the physician cannot use this method without prior permission without violating HIPAA statutes.

Privacy requirements can also vary between states (think sharing specific HIV, STDs, drug and alcohol abuse, mental health information), so mobile vendors would be wise to err on the side of caution when it comes to sharing sensitive information via their application or network.

Myth: A smartphone’s (4- or 5-digit) PIN makes it secure.

Security relies on the user’s behavior. For example, if an EMR company allows most of its users to adopt PINs that are easy to crack, is aware of the problem and neglects to address this potential breach despite relatively easy modifications that could negate this risk, then the vendor may be held negligent for any breaches (or even potential breaches). To illustrate that point, an HHS study pointed out that over a recent three-year period, more than half of all HIPAA breaches were attributable to user actions (theft, loss of device, use of mobile devices) rather than system issues.

Myth: Being HIPAA-compliant is only an IT problem.

I hate to belabor the terminology point, but it provides a good conclusion to this primer. HIPAA security involves encryption, storage and transmission of the PHI. HIPAA compliance is the act of following these principles to ensure that “reasonable steps” have been followed “for adequate PHI protection.” For example, having a “fully secure” system and placing a sticky note with your username and password on the monitor (real-life example) is not a HIPAA-compliant act. Showing a patient’s record to a colleague who is not involved in care, teaching or consultation is a breach of HIPAA. The same also applies to mobile apps. Having an application that is fully encrypted and uses adequate passcode controls, but allows the application to run in the background without timing out, could potentially be seen as a violation, since there are clearly “reasonable steps” that were not taken.
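The two app-side “reasonable steps” raised above (rejecting weak PINs, and locking PHI access when the app idles or sits in the background) can be illustrated in code. This is an added example, not DoctorBase code or any HIPAA-prescribed setting; the timeout, minimum PIN length and weak-PIN list are constructed values, and the clock is injected so the behavior can be exercised without waiting.

```python
import hashlib
import hmac

# Constructed policy values for illustration; HIPAA itself sets no specific numbers.
INACTIVITY_TIMEOUT_SEC = 5 * 60
MIN_PIN_LENGTH = 6
COMMON_WEAK_PINS = {"0000", "1234", "1111", "123456", "000000", "111111"}

def is_weak_pin(pin: str) -> bool:
    """True for short PINs, common guesses, repeated digits and straight runs."""
    if not pin.isdigit() or len(pin) < MIN_PIN_LENGTH:
        return True
    if pin in COMMON_WEAK_PINS or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})  # 123456 / 654321 style sequences

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Never store the PIN itself; store a salted, slow hash of it.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AppSession:
    """Locks PHI access after inactivity, or when the app returns from the
    background after more than the timeout; unlocking requires the PIN."""
    def __init__(self, pin_hash: bytes, salt: bytes, clock):
        self._pin_hash, self._salt, self._clock = pin_hash, salt, clock
        self._last_activity = clock()
        self._background_since = None
        self._locked = False
    def touch(self) -> None:  # call on every user interaction
        if not self._locked:
            self._last_activity = self._clock()
    def enter_background(self) -> None:
        self._background_since = self._clock()
    def enter_foreground(self) -> None:
        if self._background_since is not None and \
                self._clock() - self._background_since >= INACTIVITY_TIMEOUT_SEC:
            self._locked = True
        self._background_since = None
    def phi_accessible(self) -> bool:
        if self._clock() - self._last_activity >= INACTIVITY_TIMEOUT_SEC:
            self._locked = True
        return not self._locked
    def unlock(self, pin: str) -> bool:
        if hmac.compare_digest(hash_pin(pin, self._salt), self._pin_hash):
            self._locked, self._last_activity = False, self._clock()
            return True
        return False
```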

While these are some of the most common HIPAA myths that I am asked about, they don’t represent nearly all the intricacies and confusions that arise. Feel free to ask me or one of my colleagues for HIPAA consultation or post some of your comments or questions below.

In a future blog or commentary, I plan on touching upon the relationship of business associates with covered entities (when the associate is liable and when the CE is), how to plan for breach notification, and how to do a HIPAA self-assessment (and how to properly document it).

Zachary Landman, MD, is the chief medical officer for Doctorbase, a developer of scalable mobile health solutions, patient portals and patient engagement software. He earned his medical degree from UCSF School of Medicine. As a resident surgeon at Harvard Orthopaedics, he covered Massachusetts General Hospital, Brigham and Women’s Hospital and Beth Israel Deaconess Medical Center.