mHealth and HIPAA


Wireless health technologies are proliferating across a range of transmission modalities and across the spectrum of wellness and healthcare. The safety and privacy of data is of paramount importance to providers and patients. HIPAA rules apply to some types of mHealth products, and the implications of this are important to recognize. For example, a patient's mHealth program that interacts with an EHR system needs to be compliant. In turn, the EHR system should have a way of communicating a breach of its own HIPAA compliance to the mHealth company. HIPAA compliance also extends to parties outside of the mHealth company with which data may be shared (marketers, pharmaceutical or device companies, etc.). See http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/index.html for an extensive explanation of HIPAA regulations.

HIPAA compliance should be taken into account with any new type of technology utilized in mHealth. Apple recently addressed HIPAA compliance as it considers having its FaceTime video calling feature used in telehealth endeavors. The company stated that, with appropriate configuration, the iPad can be made HIPAA compliant through encryption (http://mhealthwatch.com/apple-says-facetime-can-become-hipaa-compliant-through-proper-configuration-17659/).

HIPAA rules need to be addressed whenever providers use personal technologies for mHealth, whether in the hospital or the outpatient setting. The emergence of EHR connectivity with mobile devices should refocus attention on this issue; security, and the verification of that security, needs to be demonstrated.

Of course, not all mHealth products need to be HIPAA compliant. HIPAA rules only apply to "protected health information," which identifies an individual and relates to that individual's physical or mental health, health care services provided to that individual, or payment for those health care services. If the technology will be used by or in association with a "covered entity" (provider, health plan, or medical institution), then HIPAA applies. Conversely, if there is no identifiable personal data, the regulations do not apply.

There are currently no less than 16 bills proposed regarding Internet security and protection of personal information. Chief among the issues addressed are the requirement for prompt notification of a compromise of data security, increased penalties for failure to do so, transparency of the business relationships of entities involved in the sharing of personal data, and increased powers to investigate and prosecute both those without strict security measures in place and those who access data unlawfully. (For a listing of the proposed bills, see http://www.himss.org/ASP/ContentRedirector.asp?ContentId=78709&type=HIMSSNewsItem.)

HIPAA regulatory issues also arise with hospital and office wireless equipment. Newer technologies are being added to the HIT space every day, and their connectivity needs to be addressed from both a technical and a HIPAA standpoint. Biomedical devices need to be as secure as possible too, and some of that technology is lagging behind with respect to encryption. Wireless networks in the hospital need to be protected from non-users (patients, guests, non-essential employees).

Wireless technologies present many challenges to HIPAA regulatory compliance by virtue of the fact that they may connect with multiple covered entities and various IT portals. Hopefully security will develop in step with the technology, and mHealth will not become oppressively over-regulated.

About davidleescher

David Lee Scher, MD is Founder and Director at DLS HEALTHCARE CONSULTING, LLC, which specializes in advising digital health technology companies, their partners, investors, and clients. As a cardiac electrophysiologist and pioneer adopter of remote patient monitoring, he understood early on the challenges that the culture and landscape of healthcare present to the development and adoption of digital technologies. He is a well-respected thought leader in mobile and other digital health technologies. Scher lectures worldwide on relevant industry topics including the role of tech in Pharma, patient advocacy, standards for development and adoption, and impact on patients and healthcare systems from clinical, risk management, operational and marketing standpoints. He is a Clinical Associate Professor of Medicine at Penn State College of Medicine.
This entry was posted in Healthcare IT, IT security, medical devices, mHealth, mobile health, smartphone apps, technology, wireless health.