Wednesday, September 11, 2013

Mobile Health, Meet Your Biggest Obstacle: HIPAA.

More and more, doctors are using smartphones, iPads, Dropbox and other mobile devices and cloud storage to share electronic patient health information ("ePHI") with colleagues and to diagnose. In fact, health care reform incentivises the increased use of patient data to improve patient outcomes as one avenue to decrease health care spending.

Technology can facilitate more expedient second opinions, generate better patient outcomes with fewer resources and, therefore, save money. However, it can also expose providers and their business associates to huge fines if usage of this technology violates HIPAA.

Recent reports by Manhattan Research found that a 9% increase in physician smartphone use in 2010 resulted in a 32% increase in data breaches. Each data breach carries a $50,000 fine that can increase drastically if the breach is not remedied.

What Is HIPAA and Who Does it Affect? 

HIPAA is short for the Health Insurance Portability and Accountability Act. Title I of HIPAA protects health insurance coverage for workers and their dependents when they change or lose their jobs. Title II establishes national standards for electronic health care transactions to protect the privacy of individually identifiable health information that is "created, received, used, or maintained" by a covered entity or its business associate. The regulations associated with Title II of HIPAA govern the recent increased use of smartphones and cloud storage of ePHI.

A covered entity is a health care provider, health plan, or health care clearinghouse that transmits any information in an electronic form. A business associate is an individual or business with whom the covered entity engages to help it carry out its health care activities and functions. Entities that do not meet the definition of either covered entity or business associate do not have to comply with HIPAA.

Common Causes of HIPAA Violations:

Cause                                      In 2010   In 2011
Lost or stolen computing device              41%       49%
Third-party problem                          34%       46%
Unintentional employee action                45%       41%
Technical glitch                             31%       33%
Criminal attack                              21%       30%
Malicious insider                            15%       14%
Intentional nonmalicious employee action     10%        9%

What Can Physicians Do?

  1. Safeguard Mobile Devices
    • Encrypt, encrypt, encrypt. Software is readily available that will encrypt smartphones and mobile devices. Encryption means that information is stored and sent in non-readable form, and must be unlocked by a key on the device of the person wishing to view it.
    • Conduct periodic risk assessments. Document which devices are being used to transmit ePHI, whether proper encryption exists, and what physical protections are in place to secure ePHI.
    • Password protect all devices. The lack of authentication on mobile devices presents a risk that any user of the device could access ePHI stored on it.
  2. Set policies on mobile use in your practice or at your hospital. Pay special attention to security measures, such as antivirus software and password protection. Small physician practices that don't have technology professionals thinking through these issues for them, as hospitals do, should sit down and review their technology policies. Consider quarterly training meetings for physicians and staff to reinforce these policies.
  3. Have a secure Wi-Fi connection. Mobile devices that use public Wi-Fi or unsecured cellular networks to send and receive information risk exposing ePHI. Unless mobile device users connect to a secure website to transmit data or connect using a VPN ("virtual private network"), which encrypts data to and from the mobile device, there is a risk ePHI could be compromised.

Wednesday, August 21, 2013

Is Your Xerox Machine Violating HIPAA?

The next time you go visit your doctor's office and notice an employee using the office copy machine, consider the type and volume of data that has crossed through that device -- consider how many patients' protected health information (PHI) is stored in the copier hard drives.

This is a consideration that New York-based Affinity Health Plan, Inc. failed to make before returning its leased copiers to the leasing company. As luck would have it, CBS Evening News was the subsequent purchaser of those copiers. Much to their surprise, CBS discovered the PHI of 344,559 individuals on the copier's hard drive.

Affinity settled the claim of the alleged massive HIPAA breach for $1,215,780 and the promise to institute a corrective action plan.  

"Electronic equipment with any type of memory or storage media has the capacity to retain data passed through it long after the data is believed to be removed or deleted." (Kevin Alonso, Esq., Arant Boult Cummings LLP, Nashville, TN.) In light of the risks that newer technologies pose to the privacy and security of PHI, covered entities (health care providers, health plans or health care clearinghouses that transmit any information in electronic form), and now business associates (those who contract to help a covered entity carry out its health care activities and functions), must do more than empty their computers' Recycle Bins in order to remain HIPAA compliant.
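The quotation above makes a point that is easy to state and hard to picture: deleting a file removes the directory entry, not the bytes. The following toy model, added here as an illustration and not taken from the post or from any copier vendor, shows why emptying the Recycle Bin leaves PHI on the media and what a sanitization step changes. It assumes a byte array standing in for a copier hard drive, a dictionary standing in for the file table, a constructed sample record rather than real patient data, and a regex "carving" scan standing in for the forensic tool a later owner of the device might run.

```python
from __future__ import annotations
import re

# Constructed sample record for the demonstration; not real patient data.
SAMPLE_PHI = b"Patient: Jane Doe; DOB 1970-01-01; Dx: hypertension"


class ToyDisk:
    """A byte array standing in for a copier or laptop hard drive, plus a
    directory table mapping file names to (offset, length) on the media."""

    def __init__(self, size: int = 4096):
        self.media = bytearray(size)
        self.table: dict[str, tuple[int, int]] = {}
        self.cursor = 0  # next free offset (append-only, good enough for a toy)

    def write(self, name: str, data: bytes) -> int:
        off = self.cursor
        self.media[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.cursor += len(data)
        return off

    def delete(self, name: str) -> None:
        # Ordinary delete / emptying the Recycle Bin: only the directory entry
        # goes away; the bytes stay on the media until something overwrites them.
        del self.table[name]

    def secure_delete(self, name: str) -> None:
        # Overwrite the file's bytes before dropping the entry. Zeros keep the
        # demo deterministic; a real sanitization tool follows a standard such
        # as NIST SP 800-88 rather than this toy.
        off, length = self.table.pop(name)
        self.media[off:off + length] = bytes(length)

    def wipe_free_space(self) -> int:
        # What should happen before a leased device goes back: overwrite every
        # byte not referenced by the directory table. Returns bytes overwritten.
        referenced = bytearray(len(self.media))
        for off, length in self.table.values():
            referenced[off:off + length] = b"\x01" * length
        wiped = 0
        for i, flag in enumerate(referenced):
            if not flag:
                self.media[i] = 0
                wiped += 1
        return wiped

    def carve(self, pattern: bytes = rb"Patient: [^;]+") -> list[str]:
        # The next owner's view: scan the raw media for record-like strings,
        # ignoring the directory table entirely.
        return [m.group(0).decode() for m in re.finditer(pattern, bytes(self.media))]


def demo() -> tuple[list[str], list[str], list[str]]:
    """What carving finds (1) after an ordinary delete, (2) after a secure
    delete, and (3) after an ordinary delete followed by a free-space wipe."""
    d1 = ToyDisk()
    d1.write("scan.txt", SAMPLE_PHI)
    d1.delete("scan.txt")

    d2 = ToyDisk()
    d2.write("scan.txt", SAMPLE_PHI)
    d2.secure_delete("scan.txt")

    d3 = ToyDisk()
    d3.write("scan.txt", SAMPLE_PHI)
    d3.delete("scan.txt")
    d3.wipe_free_space()

    return d1.carve(), d2.carve(), d3.carve()


if __name__ == "__main__":
    after_delete, after_secure, after_wipe = demo()
    print("after ordinary delete:", after_delete)   # record still recoverable
    print("after secure delete:  ", after_secure)   # nothing to carve
    print("after free-space wipe:", after_wipe)     # nothing to carve
```

The first result is the Affinity scenario: the file table says the disk is empty, yet a scan of the raw media still yields the record. The other two results show the two defensible end states for a device leaving the practice, either sanitizing each file as it is deleted or sweeping the unallocated space before the hardware changes hands.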

Wednesday, July 10, 2013

Privacy vs. Gun Control, the Debate Continues

Just when we thought the HIPAA Final Rule was, well, "final," HHS may be making additional changes less than seven months since the behemoth Final Rule was published in January 2013.

Since December, President Obama has called for the creation of the National Instant Background Check System, or NICS - a database to be used by gun dealers to determine whether a potential gun buyer is prohibited from purchasing a gun.

The database only works, however, if states volunteer lists of residents who are not allowed to have guns because, among other reasons, they have been involuntarily committed to a mental hospital or a court has found them to have a serious mental illness. Currently, many states do not participate, so the Obama administration is seeking to change part of HIPAA to require state reporting.
Although HHS has not yet released a proposed outline for this rule change, they have received over 2,000 comment letters from gun advocates and mental health professionals alike. While gun advocates fight for the constitutional rights of gun owners, mental health professionals worry that this new HIPAA modification would compound the stigma of mental illness and could discourage those patients from seeking treatment.

However, even with an expanded database, the gun show loophole remains. As many as 40% of firearms are purchased at such venues, where the NICS system is not required. Mark Heyrman, mental health professor at the University of Chicago, noted that adding more records to the ineffective database will only hurt people's privacy without improving safety.

The move toward an expansion of the database comes on the heels of the government's collection of citizens' phone and internet data in the national headlines, creating worry that this database may one day go public.