Wireless health technologies are proliferating into various transmission modalities and spectrum of wellness and healthcare. Safety and privacy of data is of paramount importance to providers and patients. HIPAA laws apply to some types of mHealth products and the implications of this are important to recognize. For example, a patient’s mHealth program that interacts with an EHR system needs to be compliant. In turn, the EHR system should have a way of communicating a breach of its own HIPAA compliance to the mHealth company. The HIPAA compliance extends to parties outside of the mHealth company with which data may be shared (marketers, pharmaceutical or device companies, etc). See http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/index.html for an extensive explanation of HIPAA regulations.
HIPAA compliance should be taken into account with any new type of technology utilized in mHealth. Apple recently addressed HIPAA compliance as it considers having its Facetime video calling feature utilized in telehealth endeavors. The company stated that with appropriate adaptation, the iPad can be made HIPAA compliant with encryption (http://mhealthwatch.com/apple-says-facetime-can-become-hipaa-compliant-through-proper-configuration-17659/).
HIPAA rules would need to be addressed with the use of personal technologies by providers for mHealth, whether it is in the hospital or outpatient setting. The emergence of EHR connectivity with mobile devices should refocus on this issue, and the security and verification of security needs to be demonstrated.
Of course not all mHealth products need to be HIPAA compliant. HIPAA rules only apply to “protected health information,” which identifies an individual and that relates to an individual’s physical or mental health, health care services to that individual, or payment for the health care services. If the technology will be used by or in association with a ‘covered entity (provider, health plan, or medical institution), then HIPAA applies. Of course, if there is no identifiable personal data, the regulations do not apply.
There are currently no less than 16 bills proposed regarding Internet security and protection of personal information. Chief among the issues addressed are the requirement for prompt notification of compromise of data security, increased penalties for failure to do so, transparency of business relationships of entities involved in the sharing of personal data, and increased powers to investigate and prosecute those without strict security measures in place as well as unlawful access to data. (For listing of the proposed bills, see http://www.himss.org/ASP/ContentRedirector.asp?ContentId=78709&type=HIMSSNewsItem).
HIPAA regulatory issues arise when dealing with hospital and office wireless equipment. Newer technologies are being added to the HIT space every day. Connectivity from a technical as well as HIPAA standpoint needs to be addressed. Biomedical devices need to be as secure as possible too. And some of that technology is lagging behind with respect to encryption. Wireless networks in the hospital need protected from non-users (patients, guests, non-essential employees).
Wireless technologies present many challenges to HIPAA regulatory compliance, by virtue of the fact that they may connect with multiple covered entities and various IT portals. Hopefully the security will develop in step with the technology and mHealth does not become oppressively over-regulated.