Achieving HIPAA Compliance with Mobile Devices

by Sam Guiliano, under Healthcare IT

Last year, Google Fit and Apple Health brought health applications into the mainstream. Developers unfamiliar with this space must learn how to maintain HIPAA compliance.

  • Study: Health IT will Change Rapidly
  • Possible PHI Issues
  • Example: Mobile HIPAA Provider Selection Story
  • A Simple and Predictable Plotline

Study: Health IT will Change Rapidly

Two major trends, a boost in cloud adoption among healthcare providers and a drop in the cost of deploying systems, will have a major impact on the American HIT market through 2018, according to a whitepaper released last year.

The report, created by the consultancy RNCOS, forecast that health IT will expand at a CAGR of almost 10%. The creation of increasingly better technologies and public-sector promotion of e-health applications will contribute to the strong growth rate of this sector. How good is 10%? By comparison, over the same period the Economist Intelligence Unit and the International Monetary Fund agree that the US GDP growth rate will be around 3%.

Remember, though, that this isn’t just a time of growth but a time of change. In order for health IT to be delivered as effectively as possible, resulting in both better care and better ROI, a complex network of stakeholders (doctors, insurance companies, pharmaceutical firms, medical device manufacturers, drugstores, and patients) must work collaboratively.

“The full value of health IT is realized when all parties come to the table to ensure data liquidity and ultimately, information and support flowing to people and patients,” advised health management consultant Sarasohn-Kahn. “More value can be derived when technologies don’t add costs, but conserve costs and resources.”

Possible PHI Issues

If you are creating a mobile app (whether for wearables or standard smart devices), you want to know the parameters of HIPAA compliance. Using technology that is in compliance with the federal law can be critically important to protect your business from fines from the US Office for Civil Rights. Compliance is necessary specifically for systems that have two characteristics:

  1. Use health data that is personally identifiable (PII in some form).
  2. Exchange the data with healthcare providers (PHI, much of it patient-generated health data).

If your application meets those two criteria, you must be intimately familiar with the law – especially the privacy, security, and breach notification rules. Consider the issues you can run into with protected health information in the mobile arena:

  1. Mobile devices are often stolen. If PHI is unencrypted, you could end up with a fine.
  2. The device typically provides access to email and social media. Accidental posting could occur.
  3. Push notifications and other features could represent violations.
  4. You could have instances of purposeful or accidental sharing of protected health information between users.
  5. If a user turns off the password protection that locks the phone’s screen, anyone present could access immediately visible data.
  6. Since mobile devices are often smaller, many users shorten their passwords (thereby making them less secure) to make logging in easier.

Developers can’t guard against all of those scenarios, but they can make sure that they maintain compliance on behalf of both their customers and themselves (as of 2013).

Example: Mobile HIPAA Provider Selection Story

Below is a snippet from a developer selecting a solution for a HIPAA-compliant hosted mobile application, anonymized and edited for privacy. The intention here is to look at the questions and concerns rather than the specs of particular plans.

Note that we’re looking at an excerpt from the middle of their back-and-forth, right after the Hosting Consultant has explained the 12-month agreement.

Healthcare Client:

  1. So what would be the penalty if we break the agreement or would like to move to a different establishment?
  2. Do you have any referral incentives, since this will be for a client of ours?
  3. The business associate agreement will be between the business owner and you folks?

Hosting Consultant:

Here are the answers to your questions.

  1. You would be responsible for the balance of the term of the agreement. So if you cancelled after 6 months, you would owe us another 6 months.
  2. Will the HIPAA Hosting agreement be under the name of your company or under the name of your client (which means that they would be paying the monthly bill)?
  3. It will be if your client is signing the HIPAA hosting agreement and paying the bill.

Healthcare Client:

Since we are managing the application, we typically manage the hosting as well. However, the owner of the application is our client. So is it possible that we will manage the application and hosting issues, but the business (application owner) signs the agreement and pays through us?

Hosting Consultant:

I have permission to provide you with pricing based on a 6-month agreement. I have attached the updated pricing.

A Simple and Predictable Plotline

Do you need HIPAA compliance for an e-health application? Make sure there aren’t any surprises in your success story. Work with the mobile HIT industry leader.

“[Atlantic.Net’s] financial strength and proven track record are something we view with great confidence,” commented Complete Healthcare Solutions VP Joseph Nompleggi.

Choose Atlantic.Net, and you can mobilize healthcare with confidence.

