Ridesharing company Uber launched a platform in March 2018 that aimed to provide more transportation options to patients. Individuals can use Uber Health to get a ride to their provider, while being reassured that HIPAA compliance remains a top priority. Patient data security was never an afterthought, and the platform will operate on its own application programming interface (API).
Millions of people across the country do not receive the healthcare that they should be receiving because of transportation issues, Clearwater Compliance CEO Bob Chaput told HealthITSecurity.com.
Clearwater Compliance worked with Uber to conduct risk and compliance assessments, helping to ensure that Uber developed, implemented, and customized the necessary safeguards for data security.
Uber has leveraged its network of hundreds of thousands of rideshare drivers to offer transportation to people in non-emergent and non-urgent situations, he explained.
“Uber's platform is enabling those hospitals, health systems, clinics, etc., to leverage solutions,” he said. “Uber leverages with all their drivers to use an app that they have developed that enables them to dial up a ride.”
“It brings people home, but equally important from their perspective and from a revenue perspective, those who otherwise would not have a ride can receive the care they need,” Chaput continued. “Uber is able to have organized such travel for someone.”
Essentially, it is a creative leveraging of an existing platform. Layered over that is an application that enables numerous types of healthcare providers to provide rides to people who need healthcare but otherwise wouldn't receive it.
HIPAA compliance was a key consideration in the development process, Chaput added.
Uber is a business associate, but drivers are not given any medical information and they are not even informed that a ride is an Uber Health ride. Therefore, drivers aren't business associates, Chaput explained.
Uber has executed an overall program made up of a number of steps to ensure that patient data remains protected, he added. It is a 10-point program to ensure HIPAA compliance and cyber risk management.
The 10 points are aligned with what OCR has found to be the biggest issues in the course of its enforcement actions over the last 10 years, Chaput observed.
“Establishing a governance and risk and compliance program is the first step,” he stated. “Next, an organization must establish the appropriate policies and procedures to address requirements in the HIPAA Privacy Rule, Security Rule, and Notification Rule.”
Workforce members must also be properly trained, Chaput continued. There is also a series of requirements that emerged specifically from the HIPAA Security Rule. For example, organizations must conduct a risk analysis or risk assessment.
“This is one of the single biggest issues in healthcare right now when it comes to risk management or cyber security program,” Chaput noted. “Organizations are implementing controls to address the ‘vulnerability du jour’ or the ‘threat du jour’, but without regard to their specific exposures.”
“There are a certain number of controls that everyone ought to have in place, but informing your decision making by doing a risk assessment is not only good business practice, but it's also something required in the Security Rule,” he added.
Once an organization has done that, it must develop a risk management plan based on its unique issues and problems. There is also a requirement to assess whether the entity is compliant by conducting technical testing, such as penetration testing, vulnerability scans, or social engineering testing.
While not the case for Uber specifically, another critical step for risk management is for organizations to implement a third-party vendor risk management program.
“That would be if Uber were sharing this information with anyone downstream in its supply chain,” Chaput explained. “In that case, the company would have obligations to manage that transferring of data. But Uber houses everything itself.”
Overall though, Uber has embraced a multi-point program to ensure PHI security, Chaput maintained.
The HITECH Act really changed how business associates and covered entities interact because it changed the definition of a business associate, and the responsibilities that go along with that title, he said.
There could be potentially 750,000 HIPAA covered entities in the US, and maybe close to 8 to 10 million business associates, Chaput hypothesized. Many of those business associates are still “living in the land of ignorance” because they are simply unaware of what is actually required.
“Other business associates find out what is required, and then they move into the land of denial,” he posited. “Contrary to that, Uber very proactively sought out a clear understanding of what its applications were.”
“Uber not only implemented all of the previously mentioned risk management steps, but it proactively set a meeting with OCR,” Chaput continued. “Uber did that before they did the product launch. They reviewed everything with OCR to make sure they were in alignment.”
This platform will hopefully be regarded as a best practice in the healthcare industry, Chaput said.
“I hope it's regarded as an exemplary way in which one can go about this work by being proactive and being comprehensive in it,” he stated. “One of the single biggest issues people can face is getting transportation to getting to the appropriate provider that would serve them. This is very, very big in that regard.”
Overall, cybersecurity risks and data privacy risks are not just an IT problem, Chaput stressed. Those risks are enterprise risk management issues. Some organizations are embracing that and proactively addressing it, but cybersecurity risks and data privacy risks bleed over into patient safety.
There are numerous types of medical devices that can be implanted into people, such as insulin pumps or pacemakers. Defibrillators are also increasingly having wireless capabilities, he said.
“All of these devices, connected as they are wirelessly or otherwise, are part of the Internet of Things,” Chaput explained. “If we think about the fundamental problem we're each trying to solve as security professionals is to avoid a compromise of confidentiality, integrity, or availability, think about the fundamental tenets of healthcare.”
“That is ensuring patients have safe and high quality care, access to care, and timely care.”
For example, confidentiality, integrity, and availability are three dots in healthcare, he said. When those dots at the top are connected with the three dots on the bottom of quality and safe care, access to care, and timely care, the issue that emerges is way beyond an IT problem.
“It's an enterprise-wide business risk management issue that's bleeding over into medical professional liability,” Chaput concluded. “That's the issue of the day. It's not about the firewalls, and mobile device management, and intrusion detection. It's really about organizations coming to recognize that this is a patient safety issue.”