Senior News Writer
Published: 17 Sep 2012
As if U.S. health care providers' chief information officers and their HIPAA compliance officer colleagues don't have enough to worry about, here's one more thing: The convergence of mobile and mHealth technology with updated federal privacy and security regulations brings a whole new round of patient privacy and security challenges.
In an epoch of health care reform, mHealth technology and new laws, such as the Affordable Care Act and updated HIPAA requirements, are propelling a "massive" cultural change in the health care sector right now, pointed out attorney Catherine Barrett, lead health care consultant for Mitre Corp. and an eHealth Initiative policy fellow.
"Health care has been stuck in paper for a very, very long time," she said. "[Patient privacy and security are] a work in progress."
Yet with the right approach to locking down data -- and following forthcoming guidance from the Office of the National Coordinator for Health IT (ONC) -- HIPAA compliance can be managed for wireless health technologies such as bring your own device (BYOD) initiatives, wireless medical devices, emerging mobile body area network (MBAN) technology and telemedicine service implementations.
ONC will weigh in
Will Phelps, ONC IT security specialist, told HealthcareInfoSecurity that the agency plans to issue guidance on mobile security, likely next spring. While it will be aimed toward solo physicians and small group practices, it promises to have tips that hospitals incorporating BYOD and mHealth technologies can use, too, such as turning on built-in data encryption services for iOS devices including iPads and iPhones used in health care settings.
That isn't the only guidance regulators have issued. CMS also offers risk analysis advice for HIPAA compliance. That gels with another program health information technology leaders are trying to comply with meaningful use, which requires hospitals and outpatient providers that receive electronic health record incentive payments to conduct yearly security risk analyses.
CMS meaningful use specialist Rob Anthony told SearchHealthIT that HIPAA and meaningful use risk analyses are identical, but meaningful use participants must conduct them yearly, as opposed to every other year by HIPAA standards.
It comes down to providers, not vendors
Carlos Leyva, Digital Business Law Group attorney and HIPAA Survival Guide author, said although following federal guidance doesn't guarantee compliance, it can get providers on the path to achieving it. It also will show HIPAA enforcement officials that a provider made efforts to comply in the event of a breach.
"If you follow the guidance ... it helps you make a good-faith argument that you looked at the law, you tried to do what was reasonable and you certainly didn't thumb your nose at the law, and you did the best you could," Leyva said. "I think that's going to be the difference between a fine for willful neglect and a slap on the wrist."
Leyva cautions organizational leaders charged with HIPAA compliance to disregard vendor claims that a technology or service is "HIPAA compliant," which he frequently hears, because there's no such thing. He also cautions against similar claims that software or security vendors might make that don't guarantee HIPAA compliance, per se, but might make a health care provider feel more secure or less worried about it if they choose that vendor's product over a competitor's. HIPAA compliance, he said, is achieved only by the provider, through a combination of well-enforced employee policies and the application of technology to help carry out those policies.
Another document that ONC has not yet issued but has been due out for months as of this publication -- dubbed "the HIPAA omnibus rule" -- will outline how HHS is to enforce HIPAA's update for electronic handling of protected patient data. Mitre's Barrett advises providers to familiarize themselves with this document when it finally sees the light of public release. The part she's most curious to see revealed by regulators: Whether wireless carriers will be considered business associates. As of now, they aren't, but the new rule could include them, too.
BYOD and iPhone, iPad, Android devices
As far as HIPAA compliance goes, BYOD is a complicated, scary proposition for health care CIOs, Leyva said. More nurses, physicians and other practitioners demand to use their personal smartphones and tablets for work. The problem? While it might seem to be a simple matter of forbidding BYOD, the movement toward such consumerization of the health care workplace can't be stopped, he said, a notion echoed by Barrett as well.
HIPAA-compliant BYOD include these security policies: Onboard encryption must be turned in with Android and iOS devices; periodic practitioner sign-on; and mandating that devices are registered with IT departments before they can be used on the network.
Catherine Barrettlead healthcare consultant, Mitre
Knowing what devices are on the network at any given time will help enhance HIPAA compliance through creating audit logs for patient data access and tracking devices to more nimbly respond to device theft. Plus, IT will know when unauthorized devices are attempting to sign on.
Some facilities go as far as installing software that allows IT staff to remotely wipe devices when they are lost or stolen, but Leyva said that becomes a sticking point when an employee doesn't want to lose personal data on his or her device such as family photos that haven't been backed up. Enforcing encryption policies is a problem, too, if it slows down the device and becomes an inconvenience.
"There's a sort of push and pull between consumerism and the organization," Leyva said. "ONC can mandate encryption. ut if it, say, takes an extra 45 seconds each time I'm going to do something with the phone because it's encrypted, how long do you think that's going to last? It's a much more complex problem because of the organizational dynamics that are in play."
Barrett points out mobile devices are vulnerable to theft because they're small, light and highly visible to would-be thieves, especially in public places like restaurants. Forcing strong user authentication as well as limiting access to health data through a secure network (such as a VPN) to prevent eavesdroppers at public Wi-Fi hotspots helps health care providers reduce some risk these devices pose.
Policies should cover MBAN, Wi-Fi medical devices
On one hand, many medical devices, such as wireless sensors a patient might wear, feed data into monitoring software and EHRs. They have simple operating systems that can't accommodate encryption of protected patient data, especially legacy devices currently in use that may have been manufactured before HIPAA's 2009 update. On the other, health care providers are required to protect that data, anyway, when the device isn't patient-owned.
Medical devices might be vulnerable to hacks, but when it comes down to it, they represent one patient's data at a time and do not pose the same risk of an unencrypted laptop that stores thousands of patients' data. That doesn't make it an easier pill for that one patient to swallow if his data gets stolen.
"The purpose behind HIPAA is to protect your personally identifiable information [PII]," Barrett said. "I would argue that you want to put systems in place and IT solutions in place that dramatically reduce the likelihood of [a breach] happening," Barrett said. "I certainly wouldn't want to be the person whose PII shows up on Google or on the Internet as part of a security breach."
However, if health care providers are working through a list of vulnerabilities they've identified on their HIPAA risk analyses -- in the order of how many patients each one could potentially affect -- they're probably shoring up more pressing needs en route to full compliance and will eventually get to these lower-risk devices.
Telemedicine requires its own HIPAA compliance strategy
Rural and other hard-to-serve patient populations might already be familiar with telemedicine services; practitioners have used them for decades. Two discrete trends -- rapidly advancing streaming video technology, along with accountable care models that strive to minimize office visits and encourage between-visit monitoring -- suddenly make telemedicine attractive to a wider audience of providers.
HIPAA compliance-minded health care providers need to consider how to secure telemedicine services, and build policies that protect privacy as well. That means not only encrypting the video signal between the practitioner and the remote patients, but also keeping the proceedings private so the discussions can't be overheard by the patient's family members or friends who might be present. It also means keeping talks private from employees not directly involved in patient care unless the patient gives permission.
"You have to ask," Leyva said. "If there are other folks in the room; you have to deal with it accordingly."