We have written about HIPAA on several occasions on this blog (and even when we aren't writing about it, we are staying abreast of the subject). In the course of our recent research, we have found a number of articles discussing how new (and growing) technologies can fit within HIPAA regulations. We feel that, while this discussion is not new, the fact that more consistent reporting is happening in this area will help bring the industry together to work towards a solution.
The risk of fines (or worse) is still a major concern for those reluctant to convert to EHR, so the idea of moving on to mobile sites and apps is beyond what most physicians are even considering. However, Diversinet, a company focused on strengthening mobile health technology capabilities, recently developed a whitepaper with nine mobile security best practices, such as encrypting PHI on mobile devices, authenticating users before PHI is transmitted, and automatic session timeout, logoff and device locking. Additionally, it lists 10 questions about mobile health data that healthcare organizations should ask when evaluating mobile technology.
The problems with mobile devices are obvious. Once information leaves a server, any number of complications can result in a breach, and mobile technology has not proven itself to be anywhere near consistently secure. However, according to the article, a number of small mobile health companies are providing targeted wireless personal health monitoring devices and services that collect and transmit health data, while others have developed mHealth apps for patient monitoring, scheduling medical appointments and medication reminders, all of which are working in practice. And, at the security end, global technology service providers are adapting existing security products for the healthcare sector.
This just leaves the actual mobile device as the key problem, but Diversinet has a solution for that as well.
The advent of cloud computing, as it relates to HIPAA, is allowing certain organizations to reconsider certain security protocols, according to a recent article in Tech News World. The story addresses how organizations are typically confused as to how to meet the addressable requirements of the Security Rule, causing them to refrain from full implementation and leaving the institution in the precarious position of not fully complying with the law -- at least not in the manner intended by HHS.
However, in a cloud computing scenario, most security activities occur in partnership between vendor and client. So, while the onus still resides with the covered entity, components of the implementation can be handled by the cloud provider acting as a business associate. A provider that could commit, at some level, to helping maintain the HIPAA security requirements would have a significant leg up.
"HIPAA is a well-intentioned, but poorly implemented law that is unnecessarily scaring doctors and keeping them in an unrealistic 'technology lockdown'."
This is a quote from Mark Britton, Founder and CEO of Avvo, a company that helps physicians deal with the legalities of new technology, such as social media. While Avvo has the ability to deal with specific issues, it does offer these five basic pieces of advice for physicians managing their careers online in relation to HIPAA:
- Use email, SMS and social media messaging
- Feel free to share information with other providers
- Feel free to answer general patient questions
- Keep family members in the loop
- Exercise common sense and reasonable practices in all instances
Pam Argeris is a thought leader in the healthcare industry and possesses extensive, hands-on experience with CMS compliance and multiple regulatory bodies such as NCQA, JCAHO, and DOI. In her role at Merrill Corp., Pam focuses on developing solutions for compliance and quality assurance, delivered in a cost-effective manner to improve beneficiary and prospect communications. You can contact Pam at Pamela.Argeris@merrillcorp.com.