Covered entities and business associates are continuously searching for the technologies that can improve physician workflow, while also ensuring PHI security. Mobile devices are increasing in popularity, and are quickly becoming beneficial tools for healthcare. However, mHealth security measures cannot be ignored, and mobile data must be considered when organizations track where PHI is stored and how it is used.
Whether an organization is considering secure texting options, secure messaging, BYOD strategies, or just allowing physicians to use laptops regularly, mobile device security should be a top priority.
The past year has shown what can happen when entities overlook mHealth security, and that it can lead to OCR HIPAA settlements and financial fines.
At the same time, 2016 has seen more healthcare providers successfully implementing mobile options, while keeping data security in mind.
HealthITSecurity.com will review a few of the key moments for mobile security this past year, and highlight what stakeholders have observed to be ways to utilize technology and still maintain PHI security.
Congress called for mHealth, HIPAA clarification
Earlier this year, members of Congress said that the Department of Health and Human Services (HHS) was not making a distinct enough effort to clarify HIPAA security regulations for mHealth app use and development.
A bipartisan coalition led by Congressman Tom Marino and Congressman Peter DeFazio said that HHS has yet to follow through on its November 2014 commitment. At the time, HHS said it would release clearer HIPAA guidelines with regard to mHealth apps.
“The sluggish pace of work since has been very disappointing,” the signatories wrote. “At this stage, a detailed plan with concrete deadlines is required.”
Healthcare can be advanced with the right mHealth apps, but ambiguous security regulations leave providers feeling uncomfortable with incorporating what is available, the lawmakers explained. The slow regulation output also shows that HHS cannot keep up with the fast pace of technological innovation.
“We have serious concerns about the consequences of HHS inaction,” the lawmakers stated. “Advances in mobile health technology have the potential to dramatically improve patient outcomes and the accessibility of health care. This innovation is coming at a rapid pace, but your agency has done little to demonstrate it can manage the significance.”
HHS and OCR did release a document one month earlier describing instances when developers are and are not bound to HIPAA compliance.
Oftentimes, developers are HIPAA covered entities when they are working as a business associate for a healthcare organization, an insurer, or a clearinghouse.
“So, most vendors or contractors (including subcontractors) that provide services to or perform functions for covered entities that involve access to PHI are business associates,” OCR said. “For example, a company that is given access to PHI by a covered entity to provide and manage a personal health record or patient portal offered by the covered entity to its patients or enrollees is a business associate.”
Federal agency discusses mobile application security
The Office of the National Coordinator (ONC) stressed earlier this year that application developers need to be mindful of mobile application security issues and regulatory requirements when creating new health apps.
ONC collaborated with the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and the HHS Office for Civil Rights (OCR), to create an informative online tool.
“This interactive tool helps guide developers through a short assessment of their app with a series of questions about the nature of the app, including its function, the data it collects, and the services it provides to its users,” ONC Chief Privacy Officer Lucia Savage, J.D. and ONC Senior Health Information Privacy Program Analyst Helen Caton-Peters, MSN, RN wrote in a blog post.
Mobile app developers must also consider HIPAA regulations, according to ONC.
“Federal laws and regulations originating with FTC, FDA and the OCR all could influence the development of a new health-related product,” Savage and Caton-Peters stated. “And while these may not be the only applicable federal laws and regulations, they are often important requirements to consider when developing a health-related app.”
The FTC Act, the FTC’s Health Breach Notification Rule, and the Federal Food, Drug and Cosmetics Act (FD&C Act) also need to be considerations when creating mHealth apps, ONC observed.
“As the number of mobile health products available today continues to rise, it’s important to clarify for developers how FDA and other agencies’ regulations would apply to their app,” Bakul Patel, associate director for digital health in the FDA’s Center for Devices and Radiological Health, said in a statement. “This effort is part of the FDA’s continued commitment to protecting patient safety while encouraging innovation in digital health.”
Debate over secure texting continues for Joint Commission
The Joint Commission on Accreditation of Healthcare (JCAHO) went back and forth in 2016 on whether or not it would allow secure texting on physician orders.
In its May 2016 newsletter, JCAHO announced that it had ended its ban on clinician secure texting and secure messaging options. It maintained that healthcare organizations may allow orders to be sent via text messaging, but outlined necessary components, standards organizations must follow, and the necessary quality assurance activities to ensure security.
However, the Commission reversed that decision just a few months later. JCAHO said it would collaborate with the Centers for Medicare and Medicaid Services (CMS) to create more guidance on using secure texting for physician orders and ensure that they align with the Medicare Conditions of Participation.
“The Joint Commission and CMS will develop a comprehensive series of Frequently Asked Questions (FAQ) documents to assist health care organizations with the incorporation of text orders into their policies and procedures,” the newsletter stated. “This guidance information is designed to supplement the recommendations in the May 2016 Perspectives article permitting the use of secure text messaging platforms to transmit orders.”
In December 2016, the Commission clarified its secure texting rules, further reiterating that the mobile platform was not allowed for physician orders.
Collaborating with CMS, JCAHO said that certain components must be in place for secure texting to be safely utilized.
“All health care organizations should have policies prohibiting the use of unsecured text messaging — that is, short message service (SMS) text messaging from a personal mobile device — for communicating protected health information,” the December newsletter stated.
Entities must place limits on the use of unsecured text messaging to keep PHI secure, and all practitioners and staff working in a facility need to be properly and routinely trained.
Computerized provider order entry (CPOE) “should be the preferred method for submitting orders as it allows providers to directly enter orders into the EHR,” according to the Commission and CMS.
“CPOE helps ensure accuracy and allows the provider to view and respond to clinical decision support (CDS) recommendations and alerts. CPOE is increasingly available through secure, encrypted applications for smartphones and tablets, which will make following this recommendation less burdensome,” the newsletter said.