Compliance Today, August 2016 (www.hcca-info.org)

Identifying and managing HIPAA risks in mobile health

by Jennifer Mitchell, JD, CIPP/US and Lauren Rosen, MPA, CPC

»» Mobile health, or “mHealth,” is a rising use of consumer electronic technology within the healthcare industry that fosters greater transparency and convenience in healthcare delivery.
»» Mobile application developers, as well as organizations that use mHealth technologies, must determine whether their activities are governed by HIPAA, and if so, whether their organization is HIPAA-compliant.
»» An mHealth company may be appropriately classified as a business associate to a covered entity depending on the identity of the end user, the type of relationship between the entities, and what information is shared.
»» OCR guidance confirms that mobile app developers are not covered entities under HIPAA, although they may be business associates if they work directly for a health plan, clearinghouse, or provider.
»» Cybersecurity is the foundation for protection of personal data in an mHealth application.

Jennifer Mitchell (jennifer.mitchell@navigant.com) is a Director with Navigant Consulting, Inc. in Los Angeles. Lauren Rosen (lauren.rosen@navigant.com) is a Senior Consultant with Navigant Consulting, Inc. in New York City. bit.ly/jennifer-mitchell

Advancements in technology and improved access to health information have changed the landscape of our healthcare system over the past decade, and there can be little doubt that this trend will only accelerate in the years ahead. As a result, it is more important than ever that those who design or use newly available health technologies stay ahead of the privacy and data security risks associated with these advancements.

The move toward consumer-driven healthcare, the ease of sharing and exchanging health information, and the passage of the Affordable Care Act (ACA) have encouraged the creation of novel platforms in which healthcare is structured and made available directly to patients, healthcare providers, and family members. The concept of accountable healthcare fundamentally links healthcare and wellness initiatives to positive outcomes. Indeed, even before the inception of the ACA, the Centers for Medicare & Medicaid Services (CMS) implemented the Meaningful Use program under the American Recovery and Reinvestment Act (ARRA) of 2009. This program incentivizes hospitals and physicians to adopt and use electronic health records (EHR) in meaningful ways. It also encourages patient engagement and allows patients to be more involved in their care, including an understanding of their own health outcomes via patient portals.

What is mobile health?

Mobile health, or “mHealth,” is a rising use of consumer electronic technology within the healthcare industry that fosters greater transparency and convenience in healthcare delivery. It enables both the patient and the provider to access mobile tools at any time, and it provides continual care management across various devices and platforms. One of the biggest challenges mHealth faces is how to protect privacy and secure the sensitive patient information exchanged. Although the accessibility of healthcare data creates enhanced pathways for providers and patients to communicate and potentially make more informed decisions about clinical intervention, the ease with which data is accessed is also its biggest threat.
Mobile health may include a variety of mobile communication devices, such as smartphones and tablet computers, that support the practice of medicine, health, and wellness. The growing list of examples of mHealth includes:
·· Patient monitoring devices
·· Mobile telemedicine/telecare devices
·· Medication adherence monitoring
·· Activity monitoring
·· Smart wearables/smartphone applications (e.g., Jawbone/Fitbit)
·· Emergency response systems
·· Health-related mLearning for the general public, and
·· Support for long-term or chronic conditions
According to the 2014 HIMSS Analytics Mobile Survey published by the Healthcare Information and Management Systems Society (HIMSS), 500 million smartphone users worldwide were projected to be using a healthcare application by 2015. Almost 83% of the physicians who participated in the survey reported that they had downloaded at least one medical app. A further 33% of physicians and 75% of nurses reported that they used medical apps on smartphones daily as part of their work, and about a third (35%) of the responding hospitals reported that they offered medical apps to patients in the form of patient portals, telehealth services, and various forms of remote monitoring.1

As the mHealth sector grows, however, the risks associated with the storage and/or transfer of sensitive health information across multiple platforms also rise. Mobile application developers, as well as organizations that use mHealth technologies, must determine whether their activities are governed by HIPAA, and if so, whether their organization is HIPAA-compliant.
HIPAA and the entities it regulates

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) restricts the use and disclosure of protected health information (PHI) to what its Privacy Rule permits or what the patient authorizes. In addition, the HIPAA Security Rule imposes administrative, physical, and technical safeguard requirements for storing and transmitting electronic PHI (ePHI). As the landscape of healthcare changed, the HIPAA rules adapted to the growing amount of information healthcare organizations collected and managed. The 2013 HIPAA Omnibus Rule extended the privacy and security requirements to the contractors and subcontractors of healthcare organizations and made them directly liable for compliance. Health plans, healthcare clearinghouses, and most healthcare providers are covered entities (CEs) under HIPAA and are therefore regulated directly by it. Most often, covered entities are the initial gatekeepers of PHI and are likely to control the main data warehouse where PHI is stored.

Many covered entities have relationships and partnerships with other organizations, commonly known as business associates, such as EHR vendors, law firms, and information technology companies. These organizations may use and/or store some or all of the PHI data elements. Business associates may in turn subcontract with other vendors and relay the same PHI housed by the covered entity and the business associate. If a covered entity delegates any privacy or security function or duty to a business associate, the business associate must perform it in compliance with the HIPAA Privacy and Security Rules. In fact, business associates are subject to civil and, in some cases, criminal penalties for the inappropriate disclosure of PHI.

Covered entities, business associates, and all other downstream entities that adopt mHealth technologies must be cognizant of the storage and transmission of PHI across all related entities, as well as of other types of sensitive consumer-generated data.
mHealth businesses: Covered entities or business associates?

One of the initial challenges the mHealth industry faces is deciphering whether it is regulated under HIPAA. An mHealth company may be appropriately classified as a business associate to a covered entity depending on the identity of the end user, the type of relationship between the entities, and what information is shared.

In February 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) provided much-awaited guidance to mobile application developers on the applicability of HIPAA to their operations. In addition, OCR published a crosswalk that maps the National Institute of Standards and Technology (NIST) Cybersecurity Framework to the HIPAA Security Rule. OCR also designed an interactive website where mobile app developers and healthcare organizations can submit questions to determine whether an entity is required to follow HIPAA rules and regulations. The website also provides examples of the circumstances under which an app developer would be regulated by HIPAA.2

In its guidance, OCR confirms that mobile app developers are not covered entities under HIPAA, although they may be business associates if they work directly for a health plan, clearinghouse, or provider. Specifically, OCR describes an mHealth application developer as a business associate when: (1) the developer contracts with a healthcare provider or healthcare organization; (2) the device or software allows a patient to enter their PHI; and (3) the information transfers directly into the patient’s EHR for purposes of care decision-making or planning. The OCR guidance suggests mobile app developers consider the following questions in order to determine whether they are business associates:
·· Are your clients covered entities or other business associates, such as hospitals, doctor’s offices, clinics, pharmacies, or other healthcare providers?
·· Do these covered entities or business associates transmit PHI to health insurance organizations, or health and wellness program-related information to a health plan offered by an employer?
·· How will the covered entity or other business associates use the data? (e.g., an application that assists a physician with following up with patients and providing information about an office visit)
·· Were you hired by, or are you paid for your service or product by, a covered entity?
·· How is the data collected? Is it transferred directly to, and collected for or on behalf of, consumers, or on behalf of a provider, health plan, or healthcare clearinghouse?
Conversely, according to the OCR guidance, a mobile health app that merely allows consumers to create, receive, maintain, or transmit information about themselves is not likely to be required to comply with HIPAA. In this scenario, the individual is the gatekeeper for his or her own information and has decided to transmit this health information to a third party. Here, the app developer does not have the requisite relationship with a covered entity or business associate, because the consumer controls all the decisions regarding the transmission of PHI to the third party. Accordingly, wellness apps and other consumer-driven health-related apps not used by covered entities or business associates may not be subject to HIPAA rules and regulations. However, organizations should be aware that these companies might be subject to other regulators, such as the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA). The FTC’s Health Breach Notification Rule reaches handlers of health information that fall outside HIPAA, including:
·· Vendors of personal health records (PHRs),
·· PHR-related entities (i.e., web- and mobile-based apps that send information to, or access information in, a PHR); and
·· Third-party service providers for a vendor of PHRs or a PHR-related entity.3

Developers should also review the FDA guidance for mobile applications, some of which are regulated as medical devices. The FDA defines a mobile medical application as an app that is intended to be used as an accessory to a regulated medical device, or that transforms a mobile platform into a regulated medical device.4 The FDA’s expectations for mobile medical apps continue to evolve, and the FDA encourages mobile app developers to check its guidance periodically.
Importance of HIPAA breach prevention in mHealth

There is no doubt that mHealth provides many conveniences and the potential for health enhancements for its users. However, the shelf life of an app may be brief, because the market is saturated and newer, improved versions of these apps appear at a rapid pace. As a result, a healthcare organization may rush to bring new and improved apps to market and may be tempted to overlook critical security measures.

Indeed, a 2016 study found that 86% of the 71 healthcare apps tested had at least two critical security vulnerabilities. In addition, 54% of the people surveyed (55% of health app users and 48% of health app executives) believed their mobile health apps would be hacked within the next six months. The study also reported that the application layer, and specifically the lack of binary protection, was the area most exposed to cybersecurity risk.5,6

HIPAA breaches are often costly and may erode consumers’ confidence in an app and/or the organization promoting it. Under HIPAA, a breach of unsecured PHI requires notification of the individuals whose protected information may have been compromised and can result in civil monetary penalties of up to $50,000 per violation.
Conclusion

The best defense is a good offense. Cybersecurity is the foundation for protection of personal data in an mHealth application. Aside from the usability and benefits mobile healthcare apps provide, protecting and securing PHI are key to an app’s success. The following are a sample of the steps an mHealth app developer should consider in order to support the security of their application and protect PHI:
·· Follow the technical, physical, and administrative specifications from regulators such as OCR, FTC, and FDA, and keep up to date on any new developments from these bodies;
·· Determine whether data should be encrypted at every point in its lifecycle in the application (e.g., at rest and in transit);
·· Consider any encryption requirements for email and other electronic communication;
·· Ensure the app requires a passcode to access the application;
·· Determine whether technical safeguards such as anti-tampering or anti-counterfeiting measures need to be included in the development of the app.
Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See navigant.com/licensing for a complete listing of private investigator licenses.
1. HIMSS Analytics: 3rd Annual HIMSS Analytics Mobile Survey, February 26, 2014. Available at: http://bit.ly/28KHh5O
2. U.S. Department of Health and Human Services, Office for Civil Rights: HIPAA Portal. Available at: http://hipaaqsportal.hhs.gov/
3. Federal Trade Commission: Complying with the FTC’s Health Breach Notification Rule. Available at: http://1.usa.gov/28MM5Lv
4. Food and Drug Administration: Nonbinding Guidance on Mobile Medical Applications, February 9, 2015. Available at: http://1.usa.gov/28LQHRz
5. Arxan: 2016 State of Application Security: Top Health Care Apps in Critical Condition. Available at: http://bit.ly/28MMaP6
6. Arxan: 2016 State of Application Security: Infographic, Mobile Health Apps. Available at: http://bit.ly/28LWl4G