Can mHealth Thrive in a Private and Secure Environment?
Q. What are the tradeoffs between better information and better privacy in a mobile world?
A. This question reflects one of the enduring challenges that organizations face in balancing clinical/business need for timely and useful information (and in the context the information is needed) with the obligation to assure the privacy and security of such information. Oftentimes, the objectives of providing information and safeguarding the privacy of information are viewed as mutually exclusive, in part because one is seen as impeding the other, more so as it relates to mobile technology. Implementing strong information privacy programs, when done without proper considerations, can sometimes constrain legitimate needs and uses of information. On the other hand, undue focus on providing information without regard to protecting the privacy of information can equally be problematic and expose organizations to regulatory and legal actions. As leading organizations have demonstrated, an effective way of addressing this is to craft cross-functional approaches that engage key stakeholders in articulating information needs, privacy and security requirements and the strictures of mobile technology platforms. This approach aligns with the concept of privacy by design, which takes into consideration clinical and business information needs, as well as the nuances of mobile communication technologies, in building information ecosystems where these needs are balanced and enable the secure flow of information.
Q. What are the current hurdles associated with HIPAA and the impacts on mobile computing?
A. Some of the key issues include the fact that many organizations are not sufficiently aware of how or what mobile technologies are being used for work purposes within the enterprise. In addition, there is a general lack of policy and strategic frameworks to govern the use of mobile technologies; and from the technical perspective, poor device security and lifecycle management practices. Compliance with HIPAA implementation specifications requires constant awareness of where an organization’s Protected Health Information (PHI) is at any given time, including what resources are used in processing PHI. It also requires policy frameworks that articulate specific standards that address regulatory requirements, as well as technical and physical safeguards that protect assets used in processing PHI. The ubiquitous nature of mobile communication technologies compounds the burden of regulatory compliance, especially where organizations have not consciously implemented effective controls.
Q. Are there best practices for compliance?
A. Focus on people, process and technology is needed to foster compliance. Organizations must implement appropriate administrative, physical and technical safeguards as stipulated by regulation. In effect, it is always a good practice to lay out the compliance framework and organizational standards in policies and procedures. It is equally important to clearly designate oversight of specific aspects of the overall compliance to specific functions; and from the technical standpoint, organizations must implement effective technical controls to check against unauthorized access to PHI. This involves a suite of controls including network security solutions, identity and access management, encryption and anti-malware controls. With respect to mobile technologies, implementing effective Mobile Device Management solutions is essential. It is also crucial to educate staff during the staff in-take process and periodically afterwards to ensure ongoing awareness of privacy and security issues and of the controls implemented to safeguard PHI. In order to ensure that these controls are working effectively, organizations must periodically evaluate their compliance programs. Such evaluations, which are also required by HIPAA, include both technical and non-technical assessments. While these can be performed internally, most organizations find it useful to leverage independent evaluations performed by third parties to provide external perspectives and relevant industry benchmarks.
Q. How will patient generated health data be influenced by regulatory provisions?
A. In current regulatory regimes, once patient-generated health data is shared with organizations that are required to comply with HIPAA and related regulations, the data is construed as PHI, and there is a standing obligation to protect such information. Organizations are not responsible for the security and privacy of the information while it is in the primary custody of patients, unless they have provided patients with organization-owned devices where PHI is stored. For example, in situations where mobile technologies owned and used by organizations in the remote provision of care are issued to patients, such organizations must ensure technical controls are implemented to protect against unauthorized access to PHI contained in or transmitted by such devices. In the years ahead, it is prudent to expect clearer regulatory guidance as the use of mobile technologies becomes more pervasive in healthcare.