AMIA Calls for HIPAA Clarification in mHealth Patient Data

HIPAA clarification and potential expansion can help ensure that patient data used in mHealth apps stays secure, according to a recent AMIA paper.

By Elizabeth Snell

While mHealth applications can help bridge the health IT gap between providers and patients, greater HIPAA clarification and even an expansion of the rules may be necessary, according to the American Medical Informatics Association (AMIA).

AMIA outlined several policy recommendations in a paper published in JAMIA and also listed policy action items in a document released last week.

There is a “health IT chasm” because new models of healthcare delivery and payment have emerged without adequate electronic systems to support them, the report authors explained.

“Both the technologies themselves and the application of those technologies and the data they contain urgently need improvement to support the transition to value-based care,” researchers explained. “The existing obstacles are largely not knowledge barriers, but execution barriers. That is, we know what needs to be done but not necessarily how best to do it in terms of which specific actions should be pursued by which specific stakeholders.”

HHS should immediately clarify the HIPAA “right to access,” AMIA said in its policy action item list. This includes “a right to all data maintained by a covered entity’s designated record set or, to a digital copy of their legal medical record” through OCR guidance.

HIPAA should also be extended, or “HIPAA-like requirements” should be extended to non-covered entities, the research team added. This can help “improve patient access to data generated by mHealth and related technologies.”

At the very least, industry stakeholders should develop “codes of conduct” to ensure that patients are able to access their individual health data as necessary.

“A new framework is needed to fit today’s highly connected world,” the researchers wrote. “HIPAA should be strengthened and extended, in particular to accommodate the broader set of data and stakeholders that are relevant to patient health, such as data from the use of Fitbit and Apple Watch.”

However, having broad access to health-related data with privacy and security considerations in place is not enough to guarantee that the data is accurate and usable, researchers noted.

“While accuracy issues exist for data both within EHRs and generated by consumer devices, the resulting harm is not yet known,” explained the research team. “Policymakers should therefore monitor these issues and identify areas where market forces may not be sufficiently strong to protect consumers.”

AMIA also recommended that a cross-agency collaboration produce a framework with “common rule” updates in certain areas, such as facilitating secondary use of data for research, common Data Use and Reciprocal Support Agreements, and data portability from HIPAA-covered entities.

Researchers can also “create a public-private collaboration to develop a process that ensures a minimum level of privacy, security, safety, and effectiveness while not hampering innovation,” AMIA explained. This can help develop and implement an app vetting process.

Overall, AMIA made 17 policy recommendations. Some of the other suggestions included monitoring widespread and persistent market failures to address data inaccuracy and poor usability that put patients at risk. Furthermore, AMIA recommended having federal officials work to ensure that APIs are standards-based and published in the public domain as a component of the federal Health IT Certification Program.

mHealth security and health app privacy and security concerns are not a new area for the healthcare industry, and are often cited as key worry points for providers.

A Substitutable Medical Applications, Reusable Technology (SMART) Health IT study released in February 2017 found that the top provider concern with third party healthcare apps was their privacy and security capabilities.

Approximately half of surveyed organizations said that healthcare app privacy and security was a key concern, followed by app credibility and the ongoing app maintenance.

“For years, healthcare providers have been adopting increasingly integrated healthcare IT (HIT) suites from a single vendor, but healthcare apps buck this trend, with many organizations looking to third-party vendors to supply niche solutions to improve organizational efficiency and patient care,” the report’s authors explained. “The recent passage of the 21st Century Cures Act, which states that a year from now open APIs will be necessary for EHR system certification, is expected to drive further growth in the app ecosystem.”
