Privacy, Security & Professionalism in Electronic Communications
Deven McGraw
Director, Health Privacy Project
September 25, 2013
Health Privacy Project at CDT
- Our theory: Privacy = enabler to flows of data that have the potential to improve individual, public and population health
- Aim is to build public trust in these data flows, through balanced & workable protections, as they are essential to patient engagement, health reform and building a “learning health care system.”
Privacy and Security Considerations for Digital Communications Among Health Care Professionals
- HIPAA and NY State law likely apply
  - Privacy protections apply to communications on paper or in digital form
    - If you could send it on paper, you can send it digitally (NY law requires consent for even routine disclosures)
  - HIPAA Security Rule (which sets forth detailed security specifications) only applies to ePHI (electronic protected health information).
  - HIPAA also applies to “business associates” (contractors)
Privacy and Security Considerations for Digital Communications Among Professionals
- Communications must be secure under federal and state law
  - Encryption is an “addressable implementation specification” under HIPAA
    - Not required, but the expectation is that transmissions will be encrypted (other security methods can be used, but the rationale must be documented)
  - Encryption using NIST standards provides federal breach safe harbor
Privacy and Security Considerations for Digital Communications Among Professionals
- For mobile technologies, application of HIPAA Security Rule is frequently a challenge
  - HHS Office for Civil Rights released guidance in December 2012: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
Privacy and Security Considerations for Digital Communications Among Professionals
- Must use reasonable efforts to send to correct professional
  - Right digital address?
    - If sent to the right organization, the expectation is that the organization will properly route it to the correct recipient
  - Must send data on right patient
    - Sending data on the wrong patient, or to the wrong address, may trigger breach notification obligations and potential privacy law violation
Professional to Patient Digital Communications
- Generally: Providers are required to comply with privacy and security laws when transmitting ePHI.
- Three frequent questions that arise:
  - Is it possible to send a message to a patient that isn’t considered ePHI?
  - Does the transmission have to comply with the HIPAA Security Rule?
  - Am I responsible for what the patient subsequently does with the data in the communication?
- Answer to last question: No. Whatever obligation the provider has ends with the hand-off.
Professional to Patient Digital Communications
- Answer to last question: No. Whatever obligation the professional has ends with the hand-off.
- No federal or state privacy laws cover health information shared by patients (for ex., on social networking sites, storing in apps, etc.)
  - The Federal Trade Commission can hold companies accountable for failing to comply with privacy commitments, or failing to adopt even baseline security protections
- Better protections for patient-generated health information are an active area of policy discussion
ePHI
- Protected health information does not have to include actual clinical information in order to still be considered PHI.
- If the patient is or could be identified either in the communication or by someone who receives the communication, and the communication relates to health status or the provision of health care (or payment for care), it will be PHI.
ePHI
- For example, if the patient is identifiable and the recipient knows that the communication came from a health care professional, it is PHI, even if the communication itself is fairly innocuous (such as an appointment reminder or a reminder to take an unspecified medication).
Security Rule and Transmissions to Patients
- Ordinarily, HIPAA Security Rule applies to all transmissions of ePHI.
- BUT recent omnibus rule suggests patient can choose to receive communications in a form/format that works for them, even if they are not secure. http://projecthealthdesign.typepad.com/project_health_design/2013/02/new-hipaa-rules-clarify-patients-right-to-access-their-health-data.html
Security Rule and Transmissions to Patients
- Patient’s right to receive data - Omnibus rule (see quoted text on next slide)
  - Rule says patients can choose to receive information via unsecure e-mail if they choose to do so
    - Provider must provide light warning (this is unsecure; are you sure?)
  - Arguably also relevant to other communications
  - Obligations to send to right patient (right data, right address) still apply
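The three obligations on this slide (right patient, right address, and a documented patient choice after a risk notice before anything goes out unencrypted) can be enforced as a single pre-send gate rather than left to the sender's memory. The code below is an added illustration, not part of the original deck or of any real EHR product; the record layout, field names and the wording of the notice are assumptions, and the sample patient records are constructed. The demo message is an innocuous appointment reminder, which the earlier ePHI slides note is still PHI, so it goes through the same gate as any other message.

```python
"""Pre-send gate for patient-facing messages (constructed example).

Checks modelled on the slide: the message must concern the patient whose
record we hold, go to the address on file, and, if the channel is
unencrypted, the patient must have been shown a risk notice and still
chosen that channel. Field names and the notice text are assumptions.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    email: str
    # True only after the patient saw RISK_NOTICE and still chose
    # unencrypted e-mail (the "light warning" the rule describes).
    unencrypted_email_consent: bool = False


@dataclass(frozen=True)
class OutboundMessage:
    patient_id: str
    recipient: str
    body: str
    channel: str  # "secure_portal" or "unencrypted_email"


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


# Assumed wording; a real deployment would use its own approved text.
RISK_NOTICE = ("This message would be sent by unencrypted e-mail, which a third "
               "party could read in transit. Do you still want to receive it this way?")


def acknowledge_risk_notice(record: PatientRecord, patient_accepted: bool) -> PatientRecord:
    """Record the outcome of showing RISK_NOTICE to the patient.

    Consent is recorded only when the patient, having seen the notice, still
    chose unencrypted e-mail; declining leaves the flag False.
    """
    return replace(record, unencrypted_email_consent=patient_accepted)


def gate_outbound(msg: OutboundMessage, record: Optional[PatientRecord]) -> Decision:
    """Return whether the message may be sent and, if not, every reason why.

    Every check runs (no early return) so an audit log captures all failures
    for the message, not just the first one found.
    """
    reasons: List[str] = []

    # Right patient: the record we are sending about must match the message.
    if record is None or msg.patient_id != record.patient_id:
        reasons.append("wrong patient: message patient_id does not match the record")
    # Right address: only the address on file for that patient is acceptable.
    elif msg.recipient.strip().lower() != record.email.strip().lower():
        reasons.append("wrong address: recipient is not the address on file")

    # Channel rules: unencrypted e-mail needs a documented patient choice.
    if msg.channel == "unencrypted_email":
        if record is None or not record.unencrypted_email_consent:
            reasons.append("no documented patient choice of unencrypted e-mail after risk notice")
    elif msg.channel != "secure_portal":
        reasons.append(f"unknown channel {msg.channel!r}")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample data, not real patients.
    patient = PatientRecord("p-001", "patient@example.org")
    reminder = OutboundMessage("p-001", "patient@example.org",
                               "Reminder: your appointment is Tuesday at 9:00.",
                               "unencrypted_email")
    print(gate_outbound(reminder, patient))            # blocked: no documented choice yet
    print(RISK_NOTICE)
    patient = acknowledge_risk_notice(patient, patient_accepted=True)
    print(gate_outbound(reminder, patient))            # allowed
    misaddressed = replace(reminder, recipient="other@example.org")
    print(gate_outbound(misaddressed, patient))        # blocked: wrong address
```

The gate deliberately collects every failing reason instead of stopping at the first, so the same call can feed both the send decision and an audit trail; the consent flag is set only through `acknowledge_risk_notice`, which keeps the "notice shown, patient still chose e-mail" step explicit in code rather than implied by a checkbox.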
Security Rule and Transmissions to Patients
- Text from Omnibus Rule (78 Fed. Reg. 5634 (1/26/13))
  - “We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome…. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”
Security Rule and Transmissions to Patients
- NY law is not detailed on this point, but HIPAA trumps state laws that are less protective of patient access rights.
- Omnibus rule guidance was issued to address the specific question of patients requesting to receive copies of their medical records by unencrypted e-mail, but the rationale could apply to proactive communications as well.
  - For example, seeking permission from patients about contacting them via text message.
Professionalism
- Professional and ethical obligations apply to all communications, regardless of format
  - If you wouldn’t or shouldn’t send it on paper, don’t send it digitally
- Electronic communication is “Public, Permanent, and Powerful.” (Spector et al., eProfessionalism: Challenges in the Age of Information, J. of Peds., vol 156, No. 3 (2010))
- E-communications should always be done professionally.
Professionalism
- Single, most consistent piece of advice: Adopt policies governing use of digital communication tools
- Specialty societies are developing such policies; one example comes from the 2013 Policy Statement from the American College of Physicians and the Federation of State Medical Boards: http://annals.org/article.aspx?articleid=1675927
  - Developed for physicians but can be adapted for other professionals.
Online Medical Professionalism (from ACP Guidance)
- Communications with patients using e-mail, text, and instant messaging
  - Establish guidelines for types of issues appropriate for digital communication
  - Reserve digital communication only for patients who maintain face-to-face follow-up
- Use of social media sites to gather information about patients
  - Consider intent of search and application of findings
  - Consider implications (trust) for ongoing care
Online Medical Professionalism (from ACP Guidance)
- Use of online educational resources and related information with patients
  - Vet information to ensure accuracy of content
  - Refer patients only to reputable sites and sources
- Physician-produced blogs, microblogs, and physician posting of comments by others
  - “Pause before posting”
  - Consider the content and the message it sends about a physician as an individual and the profession.
Online Medical Professionalism (from ACP Guidance)
- Physician posting of physician personal information on public social media sites
  - Maintain separate personas, personal and professional, for online social behavior
  - Scrutinize material available for public consumption
- Physician use of digital venues (e.g., text and web) for communicating with colleagues about patient care
  - Implement health IT solutions for secure messaging and information sharing
  - Follow institutional practice and policy for remote and mobile access of protected health information
Other Potential Resources for Using Social Media, Other Tools to Engage Patients
- Engage! Transforming Healthcare Through Digital Patient Engagement, HIMSS, http://ebooks.himss.org/product/engage-transforming-healthcare-through-digital-patient-engagement44809
- Federation of State Medical Boards, Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice, http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf
- 8 Steps to Launch a Successful Social Media Strategy (A Guide for Health Care), http://www.hivestrategies.com/2011/02/rules-fo-a-hipaa-compliant-social-media-polic/
- Mt. Sinai Medical Center Social Media Guideline, http://icahn.mssm.edu/about-us/services-and-resources/faculty-resources/handbooks-and-policies/faculty-handbook/institutional-policies/social-media-guidelines
Accepting Digital Data from Patients
- Unique issues may arise in communicating back and forth with patients, particularly with respect to accepting digital data from patients
  - Provenance and data integrity
  - Professional liability risk for data stream? RWJ Project HealthDesign experience
  - Importance of managing expectations
    - Data does not necessarily have to flow into EHR to be useful
FDA Regulation of Apps, EHRs
- FDA takes the position that EHRs and other medical software applications are medical devices, subject to FDA regulatory authority
  - Issued & sought public comment on initial draft guidance for “mobile medical apps” (July 2011)
    - Seeking to regulate apps that more clearly perform the role of a medical device; does not include apps designed to be used for general health & wellness (like a fitness tracking app)
    - Distinction not always that clear
FDA Regulation of Apps Controversial
- Guidance generated some controversy.
- Congress (in FDASIA) called for federal advisory committee to examine issue, make recommendations
- Health IT Policy Committee recently recommended a risk-based framework for regulating medical software (http://www.healthit.gov/FACAS/sites/faca/files/FDASIARecommendationsDraft030913_v2.pdf)
Final Guidance Issued 9/23
- http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
- Focuses on how app is intended to be used; platform agnostic
- More clarity on where FDA will focus oversight. Medical apps that:
  - Are extensions of one or more medical devices (such as those that display device data);
  - Transform a mobile platform into a regulated device; or
  - Perform “patient-specific” analysis or provide “patient-specific” diagnosis or treatment recommendations
  will be subject to device regulation.
Final Guidance Issued 9/23
- Guidance also lists types of apps for which FDA intends to exercise “enforcement discretion” (no enforcement at this time):
  - Apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in a daily environment.
  - Apps that provide patients with simple tools to organize and track their health information.
  - Mobile apps that provide easy access to information on a patient’s health conditions or treatments.
  - Apps specifically marketed to help patients document, show or communicate to providers potential medical conditions.
  - Apps that perform simple calculations routinely used in clinical practice.
  - Apps that enable individuals to interact with PHR or EHR systems.
- More examples provided in guidance.
Questions?
Deven McGraw
202-637-9800 x115
deven@cdt.org
www.cdt.org/healthprivacy
 

Priv&security&profin electrcommunicationsrev9 23

• 1. Privacy, Security & Professionalism in Electronic Communications
Deven McGraw, Director, Health Privacy Project
September 25, 2013

• 2. Health Privacy Project at CDT
- Our theory: Privacy = enabler to flows of data that have the potential to improve individual, public and population health
- Aim is to build public trust in these data flows, through balanced & workable protections, as they are essential to patient engagement, health reform and building a “learning health care system.”

• 3. Privacy and Security Considerations for Digital Communications Among Health Care Professionals
- HIPAA and NY State law likely apply
- Privacy protections apply to communications on paper or in digital form
  - If you could send it on paper, you can send it digitally (NY law requires consent for even routine disclosures)
- HIPAA Security Rule, which sets forth detailed security specifications, only applies to ePHI (electronic protected health information).
- HIPAA also applies to “business associates” (contractors)

• 4. Privacy and Security Considerations for Digital Communications Among Professionals
- Communications must be secure under federal and state law
- Encryption is an “addressable implementation specification” under HIPAA
  - Not required, but the expectation is that transmissions will be encrypted (other security methods can be used, but the rationale must be documented)
- Encryption using NIST standards provides the federal breach safe harbor

• 5. Privacy and Security Considerations for Digital Communications Among Professionals
- For mobile technologies, application of the HIPAA Security Rule is frequently a challenge
- HHS Office for Civil Rights released guidance in December 2012: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

• 6. Privacy and Security Considerations for Digital Communications Among Professionals
- Must use reasonable efforts to send to the correct professional
  - Right digital address?
  - If sent to the right organization, the expectation is that the organization will properly route it to the correct recipient
- Must send data on the right patient
- Sending data on the wrong patient, or to the wrong address, may trigger breach notification obligations and a potential privacy law violation

• 7. Professional to Patient Digital Communications
- Generally: Providers are required to comply with privacy and security laws when transmitting ePHI.
- Three frequent questions that arise:
  - Is it possible to send a message to a patient that isn’t considered ePHI?
  - Does the transmission have to comply with the HIPAA Security Rule?
  - Am I responsible for what the patient subsequently does with the data in the communication?
- Answer to last question: No. Whatever obligation the provider has ends with the hand-off.

• 8. Professional to Patient Digital Communications
- Answer to last question: No. Whatever obligation the professional has ends with the hand-off.
- No federal or state privacy laws cover health information shared by patients (for ex., on social networking sites, storing in apps, etc.)
- The Federal Trade Commission can hold companies accountable for failing to comply with privacy commitments, or failing to adopt even baseline security protections
- Better protections for patient-generated health information are an active area of policy discussion

• 9. ePHI
- Protected health information does not have to include actual clinical information in order to still be considered PHI.
- If the patient is or could be identified, either in the communication or by someone who receives the communication, and the communication relates to health status or the provision of health care (or payment for care), it will be PHI.

• 10. ePHI
- For example, if the patient is identifiable and the recipient knows that the communication came from a health care professional, it is PHI, even if the communication itself is fairly innocuous (such as an appointment reminder or a reminder to take an unspecified medication).

• 11. Security Rule and Transmissions to Patients
- Ordinarily, the HIPAA Security Rule applies to all transmissions of ePHI.
- BUT the recent omnibus rule suggests a patient can choose to receive communications in a form/format that works for them, even if they are not secure. http://projecthealthdesign.typepad.com/project_health_design/2013/02/new-hipaa-rules-clarify-patients-right-to-access-their-health-data.html

• 12. Security Rule and Transmissions to Patients
Patient’s right to receive data - Omnibus rule (see quoted text on next slide)
- Rule says patients can choose to receive information via unsecure e-mail if they choose to do so
- Provider must provide a light warning (this is unsecure – are you sure?)
- Arguably also relevant to other communications
- Obligations to send to the right patient (right data, right address) still apply

• 13. Security Rule and Transmissions to Patients
- Text from Omnibus Rule (78 Fed. Reg. 5634 (1/26/13)):
- “We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome…. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”

• 14. Security Rule and Transmissions to Patients
- NY law is not detailed on this point, but HIPAA trumps state laws that are less protective of patient access rights.
- Omnibus rule guidance was issued to address the specific question of patients requesting to receive copies of their medical records by unencrypted e-mail, but the rationale could apply to proactive communications as well.
  - For example, seeking permission from patients about contacting them via text message.
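The transmission rules in slides 4, 6 and 12 through 14 (encrypt by default, document any exception, verify the address and the patient before sending, let a patient elect unencrypted e-mail only after a risk warning) can be enforced at the point where an outbound message is released. The following send-gating routine is an added example written for this page; it is not code from the presentation, from CDT, or from any HIPAA tooling. The class and function names, the wording of the risk notice, and all addresses and patient ids are constructed for illustration, and the "directory" and "election" records stand in for whatever a real system would use to verify recipients.

```python
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    ENCRYPTED = "encrypted"                  # default for any ePHI transmission
    UNENCRYPTED_EMAIL = "unencrypted-email"  # only on a documented patient election


class Decision(Enum):
    SEND = "send"
    BLOCK = "block"


# The "light warning" the slides describe; wording is constructed for this example.
RISK_NOTICE = (
    "E-mail that is not encrypted may be read by a third party while in transit. "
    "Do you still prefer to receive your health information by unencrypted e-mail?"
)


@dataclass(frozen=True)
class Message:
    patient_id: str      # patient the content is about
    recipient: str       # address the sender typed
    recipient_kind: str  # "professional" or "patient"


@dataclass
class PatientElection:
    email: str                 # address the patient confirmed as theirs
    warned_of_risk: bool       # RISK_NOTICE was shown before the choice
    prefers_unencrypted: bool  # the patient's answer


@dataclass
class SendGate:
    professional_directory: dict                           # verified address -> organization
    patient_elections: dict = field(default_factory=dict)  # patient_id -> PatientElection
    audit_log: list = field(default_factory=list)

    def record_patient_election(self, patient_id, email, still_prefers_unencrypted):
        """Store the patient's answer to RISK_NOTICE; the notice is always shown first."""
        self.patient_elections[patient_id] = PatientElection(
            email=email, warned_of_risk=True, prefers_unencrypted=still_prefers_unencrypted
        )

    def evaluate(self, msg):
        """Return (Decision, Channel or None, rationale) and record it in the audit log."""
        decision, channel, rationale = self._decide(msg)
        # Every outcome is logged; the rationale is the documentation HIPAA
        # expects whenever something other than encryption is relied on.
        self.audit_log.append({
            "patient": msg.patient_id, "to": msg.recipient,
            "decision": decision.value,
            "channel": channel.value if channel else None,
            "rationale": rationale,
        })
        return decision, channel, rationale

    def _decide(self, msg):
        addr = msg.recipient.strip().lower()
        if msg.recipient_kind == "professional":
            # Right address: the recipient must resolve to a verified directory entry.
            org = self.professional_directory.get(addr)
            if org is None:
                return Decision.BLOCK, None, "recipient not in verified professional directory"
            return Decision.SEND, Channel.ENCRYPTED, f"verified professional at {org}; encrypted"
        if msg.recipient_kind == "patient":
            # Right patient and right address: the typed address must be the one on
            # file for the patient the message is actually about.
            election = self.patient_elections.get(msg.patient_id)
            if election is None or election.email.strip().lower() != addr:
                return Decision.BLOCK, None, "address does not belong to the patient this message is about"
            if election.warned_of_risk and election.prefers_unencrypted:
                return Decision.SEND, Channel.UNENCRYPTED_EMAIL, "patient warned of risk and elected unencrypted e-mail"
            return Decision.SEND, Channel.ENCRYPTED, "patient recipient; no election on file, encrypted by default"
        return Decision.BLOCK, None, f"unknown recipient kind {msg.recipient_kind!r}"


def demo():
    """Constructed scenarios; returns the gate decisions in order plus the audit log."""
    gate = SendGate(professional_directory={"dr.lee@example-clinic.org": "Example Clinic"})
    gate.record_patient_election("pt-1001", "pat@example.com", still_prefers_unencrypted=True)
    gate.record_patient_election("pt-3003", "sam@example.com", still_prefers_unencrypted=False)
    results = [
        gate.evaluate(Message("pt-1001", "dr.lee@example-clinic.org", "professional")),
        gate.evaluate(Message("pt-1001", "dr.lee@other-clinic.example", "professional")),
        gate.evaluate(Message("pt-1001", "pat@example.com", "patient")),
        gate.evaluate(Message("pt-2002", "pat@example.com", "patient")),  # data on the wrong patient
        gate.evaluate(Message("pt-3003", "sam@example.com", "patient")),  # declined unencrypted
    ]
    return results, gate.audit_log


if __name__ == "__main__":
    for decision, channel, why in demo()[0]:
        print(decision.value, channel.value if channel else "-", why)
```

The gate never downgrades to unencrypted e-mail on its own: that channel is reachable only through a stored election whose `warned_of_risk` flag was set when the notice was shown, and the wrong-patient and unverified-address cases block rather than send, which is the failure mode slide 6 ties to breach notification. The audit entries carry the rationale for each decision so the "document the rationale" expectation from slide 4 is met without a separate process.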
• 15. Professionalism
- Professional and ethical obligations apply to all communications, regardless of format
- If you wouldn’t or shouldn’t send it on paper, don’t send it digitally
- Electronic communication is “Public, Permanent, and Powerful.” (Spector et al., eProfessionalism: Challenges in the Age of Information, J. of Peds., vol. 156, No. 3 (2010))
- E-communications should always be done professionally.

• 16. Professionalism
- Single, most consistent piece of advice: Adopt policies governing use of digital communication tools
- Specialty societies are developing them; one example comes from the 2013 Policy Statement from the American College of Physicians and the Federation of State Medical Boards: http://annals.org/article.aspx?articleid=1675927
  - Developed for physicians but can be adapted for other professionals.

• 17. Online Medical Professionalism (from ACP Guidance)
- Communications with patients using e-mail, text, and instant messaging
  - Establish guidelines for types of issues appropriate for digital communication
  - Reserve digital communication only for patients who maintain face-to-face follow-up
- Use of social media sites to gather information about patients
  - Consider intent of search and application of findings
  - Consider implications (trust) for ongoing care

• 18. Online Medical Professionalism (from ACP Guidance)
- Use of online educational resources and related information with patients
  - Vet information to ensure accuracy of content
  - Refer patients only to reputable sites and sources
- Physician-produced blogs, microblogs, and physician posting of comments by others
  - “Pause before posting”
  - Consider the content and the message it sends about a physician as an individual and the profession.

• 19. Online Medical Professionalism (from ACP Guidance)
- Physician posting of physician personal information on public social media sites
  - Maintain separate personas, personal and professional, for online social behavior
  - Scrutinize material available for public consumption
- Physician use of digital venues (e.g., text and web) for communicating with colleagues about patient care
  - Implement health IT solutions for secure messaging and information sharing
  - Follow institutional practice and policy for remote and mobile access of protected health information

• 20. Other Potential Resources for Using Social Media, Other Tools to Engage Patients
- Engage! Transforming Healthcare Through Digital Patient Engagement, HIMSS, http://ebooks.himss.org/product/engage-transforming-healthcare-through-digital-patient-engagement44809
- Federation of State Medical Boards, Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice, http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf
- 8 Steps to Launch a Successful Social Media Strategy (A Guide for Health Care), http://www.hivestrategies.com/2011/02/rules-fo-a-hipaa-compliant-social-media-polic/
- Mt. Sinai Medical Center Social Media Guideline, http://icahn.mssm.edu/about-us/services-and-resources/faculty-resources/handbooks-and-policies/faculty-handbook/institutional-policies/social-media-guidelines

• 21. Accepting Digital Data from Patients
- Unique issues may arise in communicating back and forth with patients, particularly with respect to accepting digital data from patients
  - Provenance and data integrity
  - Professional liability risk for the data stream? RWJ Project HealthDesign experience
  - Importance of managing expectations
- Data does not necessarily have to flow into the EHR to be useful

• 22. FDA Regulation of Apps, EHRs
- FDA takes the position that EHRs and other medical software applications are medical devices, subject to FDA regulatory authority
- Issued & sought public comment on initial draft guidance for “mobile medical apps” (July 2011)
  - Seeking to regulate apps that more clearly perform the role of a medical device; does not include apps designed to be used for general health & wellness (like a fitness tracking app)
  - Distinction not always that clear

• 23. FDA Regulation of Apps Controversial
- Guidance generated some controversy.
- Congress (in FDASIA) called for a federal advisory committee to examine the issue and make recommendations
- Health IT Policy Committee recently recommended a risk-based framework for regulating medical software (http://www.healthit.gov/FACAS/sites/faca/files/FDASIARecommendationsDraft030913_v2.pdf)

• 24. Final Guidance Issued 9/23
- http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
- Focuses on how the app is intended to be used; platform agnostic
- More clarity on where FDA will focus oversight. Medical apps that:
  - Are extensions of one or more medical devices (such as those that display device data);
  - Transform a mobile platform into a regulated device; or
  - Perform “patient-specific” analysis or provide “patient-specific” diagnosis or treatment recommendations
  will be subject to device regulation.

• 25. Final Guidance Issued 9/23
- Guidance also lists types of apps for which FDA intends to exercise “enforcement discretion” (no enforcement at this time):
  - Apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in a daily environment.
  - Apps that provide patients with simple tools to organize and track their health information.
  - Mobile apps that provide easy access to information on a patient’s health conditions or treatments
  - Apps specifically marketed to help patients document, show or communicate to providers potential medical conditions.
  - Apps that perform simple calculations routinely used in clinical practice.
  - Apps that enable individuals to interact with PHR or EHR systems.
- More examples provided in guidance.

Editor's Notes

1. FDA does not intend to regulate “mobile apps that are solely used to log, record, track, evaluate, or make decisions or suggestions related to developing or maintaining general health and wellness.” Examples of health and wellness apps are provided in the guidance, and include dietary tracking logs, appointment reminders, dietary suggestions based on a calorie counter, posture suggestions, exercise suggestions, etc. In contrast, a mobile medical app is one that is intended for “curing, treating, seeking treatment for, mitigating, or diagnosing a specific disease, disorder, patient state, or any specific, identifiable health condition.” FDA intends to place the most stringent requirements on devices that pose the most risk; general controls only for those that pose minimum risk to morbidity/mortality.