Wednesday, September 11, 2013

Mobile Health, Meet Your Biggest Obstacle: HIPAA.

More and more, doctors are using smartphones, iPads, Dropbox and other mobile devices and cloud storage to share electronic patient health information ("ePHI") with colleagues and to diagnose. In fact, health care reform incentivises the increased use of patient data to improve patient outcomes as one avenue to decrease health care spending.

Technology can facilitate more expedient second opinions, generate better patient outcomes with fewer resources and, therefore, save money. However, it can also expose providers and their business associates to huge fines if their use of this technology violates HIPAA.

Recent reports by Manhattan Research found that a 9% increase in physician smartphone use in 2010 resulted in a 32% increase in data breaches. Each data breach carries a $50,000 fine, which can increase drastically if the breach is not remedied.

What Is HIPAA and Who Does it Affect? 

HIPAA is short for the Health Insurance Portability and Accountability Act.  Title I of HIPAA protects health insurance coverage for workers and their dependants when they change or lose their jobs. Title II establishes national standards for electronic health care transactions to protect the privacy of individually identifiable health information that is "created, received, used, or maintained" by a covered entity or its business associate.  The regulations associated with Title II of HIPAA govern the recent increased use of smart phones and cloud storage of ePHI.

A covered entity is a health care provider, health plan, or health care clearinghouse that transmits any information in an electronic form. A business associate is an individual or business with whom the covered entity engages to help it carry out its health care activities and functions. Entities that do not meet the definition of either covered entity or business associate do not have to comply with HIPAA.

Common Causes of HIPAA Violations (share of organizations reporting each cause):

  Cause                                        In 2010   In 2011
  Lost or stolen computing device                 41%       49%
  Third-party problem                             34%       46%
  Unintentional employee action                   45%       41%
  Technical glitch                                31%       33%
  Criminal attack                                 21%       30%
  Malicious insider                               15%       14%
  Intentional nonmalicious employee action        10%        9%

What Can Physicians Do?

  1. Safeguard Mobile Devices
    • Encrypt, encrypt, encrypt. Software is readily available that will encrypt smartphones and mobile devices. Encryption means that information is stored and sent in a non-readable form and can only be unlocked with a key held on the device of the person authorized to view it.
    • Conduct periodic risk assessments. Document which devices are being used to transmit ePHI, whether proper encryption exists, and what physical protections are in place to secure ePHI.
    • Password protect all devices. The lack of authentication on mobile devices presents a risk that any user of the device could access ePHI stored on it.
  2. Set policies on mobile use in your practice or at your hospital. Pay special attention to security measures, such as antivirus software and password protection. Small physician practices that don't have technology professionals thinking through these issues for them, as hospitals do, should sit down and review their technology policies. Consider quarterly training meetings for physicians and staff to reinforce these policies.
  3. Have a Secure Wi-Fi Connection. Mobile devices that use public Wi-Fi or unsecured cellular networks to send and receive information risk exposing ePHI. Unless mobile device users connect to a secure website to transmit data or connect using a VPN (virtual private network), which encrypts data to and from the mobile device, there is a risk that ePHI could be compromised.
