Both covered entities and business associates should be well aware of the OCR HIPAA audit program, especially as Phase 2 has been underway for several months now. However, as technology continues to evolve, there are also several areas that could bring confusion to healthcare organizations.
More organizations are opting for cloud computing, and some are starting to deploy wearable devices alongside other connected devices (e.g., medical devices, smartphones, tablets).
Entities need to be prepared for integrating new technologies into their overall approach to HIPAA compliance.
Sidley Austin LLP Partner Anna Spencer explained to HealthITSecurity.com that the key difference in the second round of HIPAA audits is that business associates are included.
The desk reviews, in which policies and procedures are examined, have essentially been completed, she noted. Organizations are also required to produce documentation of those policies and procedures.
What has yet to happen in 2017, though, are the onsite reviews, Spencer pointed out.
Even with that, there are key areas that covered entities and their business associates must focus on to ensure that they remain HIPAA compliant while also working toward staying innovative.
Understanding HIPAA regulations and wearables
Wearable devices and how HIPAA regulations potentially apply is a very difficult issue, Spencer said.
“There is a lot of ambiguity about exactly where HIPAA is triggered and where it's not,” she stated. “The only real clarity is where a company that offers a wearable, or a mobile app that collects health information, where that arrangement is just directly between the device maker and the individual. Or it’s between the app maker and the individual, and there's no covered entity or business associate involved. Then there's no application of HIPAA, that's clear.”
HIPAA regulations only apply to covered entities and business associates, Spencer reiterated. This includes health plans, healthcare clearinghouses and certain healthcare providers that engage in certain payment and other financial transactions.
Business associates are those organizations that specifically have access to health information to provide a service or perform a function on behalf of a covered entity, she noted.
“If you are not either of those and you're really just interacting with an individual, then there's no HIPAA application,” Spencer said. “Where HIPAA is triggered is in situations where there is some sort of interaction between that device maker, or mobile app developer, and a HIPAA covered entity or business associate.”
ONC and other federal agencies have published guidance to help organizations determine what types of regulations are potentially applicable to them and their devices, she added. For example, the Federal Trade Commission (FTC) has specific guidance on sharing consumer health information, as well as guidance for mobile health app developers.
ONC also collaborated with the FTC, the Food and Drug Administration (FDA), and OCR to create an interactive online tool for identifying the federal legal requirements that may apply to a mobile health application. Developers can use the website to check that they are properly adhering to federal requirements.
Along with guidance on how HIPAA regulations would potentially apply to mobile applications, the tool also highlights the FTC Act, the FTC's Health Breach Notification Rule, and the Federal Food, Drug, and Cosmetic Act (FD&C Act).
Spencer also mentioned a recent ONC report, Examining Oversight of the Privacy and Security of Health Data Collected by Entities Not Regulated by HIPAA. In that release, ONC discusses companies that offer wearables, mobile health apps, and websites that publish health data.
“People will go online and go to these websites to inform themselves about their disease and maybe share information with others who are facing similar health issues,” Spencer said. “They're kind of another area, a growing area where health data is being collected but it may not be subject to HIPAA.”
The report also explained that when health technology is used by a covered entity, such as a healthcare provider, and that technology collects, stores, or uses individually identifiable health information, the health information on the device is protected by the HIPAA rules, she stated.
“Thus, health technology used by individuals to manage their own health, but not offered or provided to the individual by a HIPAA covered entity or business associate, is outside of HIPAA's scope,” Spencer explained.
OCR also released a document entitled Health App Use Scenarios and HIPAA, Spencer pointed out. It fleshes out several potential scenarios, such as what happens when a doctor tells a patient to go get a particular app that tracks diet or exercise. If the patient then downloads it, does that mean the developer is subject to HIPAA? Spencer noted that OCR states clearly that it does not.
“You can kind of get a sense when you look at these scenarios where there might be ambiguities, and how it's not always an easy question or easy for app developers, innovators, and individuals to figure out, where is the line?” Spencer said. “When is it protected by HIPAA, and when is it not? There's some guidance, but there are still ambiguities in a lot of people's minds about where to draw the line.”
Foley Hoag attorney Jeremy Meisinger told HealthITSecurity.com that when it comes to wearables, there are a few decision-making steps that organizations should keep in mind, as there is an aura of uncertainty hanging over how HIPAA may apply.
“OCR has certainly raised the issue of technology like wearables, and they’ve even explicitly raised that HIPAA often doesn’t apply to the type of information that wearables gather,” he said. “That doesn’t necessarily mean that OCR may not figure out a way that it does apply to certain types of information, and may not introduce some guidance along those lines.”
Organizations must first determine exactly whether HIPAA applies to the type of information that the device in question is gathering, he explained.
“There can be a potential for just whenever there is something vaguely health related, there’s this assumption that it creates something like a health record, to which HIPAA is applicable,” Meisinger stated. “Any company developing some type of technology like that, or is developing an app that works in tandem with something like that, wants to be really clear with what is being gathered.”
Organizations should also determine if other types of privacy regulations, such as state laws, would potentially apply to a device.
“It’s easy to have issues arise out of the disclosures that surround the way the data those devices gather is used,” he explained. “State laws differ on this, and state attorneys general differ in their appetite for enforcing those.”
Preparing against ever-evolving threats to health data security
Fellow Foley Hoag attorney Colin Zick also spoke with HealthITSecurity.com, and emphasized that data breaches are not going away. Organizations need to remain vigilant in developing and maintaining strong cyber hygiene, he said.
“[Healthcare data breaches] are not going anywhere. They’re all going to take different forms and it’s constantly evolving,” Zick stated. “If the goal is to look ahead, and try to anticipate what is happening, you’re better off not thinking about, and not fighting the last war, but trying overall to have good hygiene internally.”
Oftentimes, the human factor will be an organization's downfall, Zick explained. Employees click on links they are not supposed to and inadvertently download ransomware, or plug a flash drive they found outside into a work computer.
“People do things that they’ve been told not to do,” he added. “People take the laptop out of the building and leave it in their car when they go into lunch. People leave data on the laptop that they weren’t supposed to have on the laptop. You can write the best policies in the world, and you can have all the audits that you want, but if your people aren’t effectively trained, it won’t do any good.”
Specifically, employees must be trained on why the rules exist, and why certain policies and procedures must be followed.
“The best thing you can do is train your people to have that appropriate level of caution and concern,” Zick said. “There must be some sense of the practical and how things really happen.”