If it takes a village of federal agencies to raise the HITECH Act, it takes an alphabet soup of national departments to regulate the use of mobile devices in health care.
During the first panel session of the ONC’s Mobile Devices Roundtable event, representatives from five federal offices explained their department’s role in setting the regulatory framework for using mobile devices in health care, specifically with regard to the privacy and security of protected health information (PHI).
Federal Communications Commission (FCC)
The FCC authorizes a variety of RF-based medical devices under part 95 of its rules, including implanted medical devices as well as patient monitoring devices. The FCC also authorizes the carriers whose networks many mobile devices in health care rely on to access, transmit or store information, and it establishes the technical rules used by Wi-Fi and similar networks for short transmissions.
Food and Drug Administration (FDA)
The FDA aims to promote and protect public health. To that end, the administration is concerned with any technology — including phones and other mobile devices — that is used for treating disease in patients. The FDA looks at the effectiveness of a medical device as well as the risk — including security and privacy risk — the device could bring to patients.
Last year the FDA released a draft guidance document on mobile medical applications. Right now the administration is looking at non-traditional ways of finding a good balance between the benefits and risks associated with using mobile devices in health care, said Bakul Patel, policy advisor for the FDA’s Center for Devices and Radiological Health (CDRH).
Federal Trade Commission (FTC)
The FTC attempts to combat unfair or deceptive practices, so any false or misleading claims or omissions of material facts in relation to a mobile device or app could fall under FTC jurisdiction.
Cora Tung Han from the FTC’s Division of Privacy and Identity Protection cited two recent cases of enforcement involving mobile devices used for the purpose of health care. The first involved an app that claimed to treat acne through a light emitted from the mobile device. The second case was against the developer of a peer-to-peer file sharing app that caused consumers to unwittingly share personal information on their mobile device.
Office for Civil Rights (OCR)
Described by deputy director Susan McAndrew as the “cops” of privacy and security in health care, the OCR, within the U.S. Department of Health and Human Services, is charged with enforcing HIPAA regulations. Mobile devices being used in health care are subject to HIPAA rules, said McAndrew, so it’s important to apply the same privacy and security protections that would be used with enterprise equipment, such as computers.
Since mobile devices are especially susceptible to being lost or stolen, said McAndrew, OCR recommends taking all reasonable precautions to secure them. Though encryption is not required by HIPAA, it’s a good idea to encrypt mobile devices if it’s reasonable to do so, she added. Using other data security strategies such as user authentication and role-based access at the system level is also a good idea, McAndrew noted.
National Institute of Standards and Technology (NIST)
NIST, a non-regulatory federal agency within the U.S. Department of Commerce, is concerned with measurement, standards and testing. The institute produces a variety of publications related to computer security, said Tim Grance, senior computer scientist with NIST, including some with mobile security guidance.
When asked how mobile devices play into risk assessment for health care, Grance recommended taking an enterprise-wide view of the devices, examining the issues and threats that come with them and considering the context of their use.