Late last month, the U.S. Department of Health and Human Services (HHS) announced the first major update to the rules under HIPAA, the 1996 law that governs how companies operating in the health care field are required to protect the privacy and security of patient information. The update, known as the HIPAA omnibus final rule, includes provisions that give Americans greater control over their personal health data, strengthen the requirements on providers to report data breaches, and expand the enforcement options available to HHS in the event of a breach.
In announcing the rule, Secretary of Health and Human Services Kathleen Sebelius pointed to the massive changes in health care technology since HIPAA became law in 1996. In a statement, she said, "Much has changed in healthcare since HIPAA was enacted over 15 years ago. The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
HIPAA was passed long before mobile technology like today's smartphones and tablets came on the market and in an era where issues like BYOD programs or modern cloud computing were virtually unimaginable in medicine (or any other industry). In updating HIPAA rules to directly or indirectly address these issues, HHS may actually make it harder for health care entities -- hospitals, medical groups, private practices, insurers, individual providers, health insurance exchanges -- to take full advantage of these technologies.
When it comes to technology, the most significant change is an expansion of liability for data breaches.
To date, providers have only been required to notify HHS of data breaches that pose "a significant risk of financial, reputational, or other harm to an individual." In other words, if you discovered a breach but concluded that it did not present a risk of harm to an individual, you were not required to report it.
The new requirements are much more stringent: any impermissible acquisition, access, use, or disclosure of protected health information is presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, that there is a low probability the information was compromised. That assessment must consider at least four factors: the nature and extent of the information involved, the unauthorized person who used it or to whom it was disclosed, whether the information was actually acquired or viewed, and the extent to which the risk has been mitigated. Until that assessment is complete and documented, the incident is treated as a reportable breach, with the penalty exposure that implies.
That puts a much greater burden on the provider or organization.
One of the biggest areas of concern is mobile devices and removable media like USB flash drives or memory cards. If these devices contain patient data or credentials to access patient data, then a lost or stolen device may qualify as a breach and would need to be reported -- even if the loss was unlikely to cause harm because a remote wipe was performed or device access controls were in place. One important caveat: HHS guidance treats protected health information that has been encrypted to its standards as "secured," so the loss of a properly encrypted device does not trigger notification; the burden, however, is on the organization to document that the encryption was actually in force on that device at the time of the loss. As a result, the new rule may make health care IT leaders, practice or hospital administrators, and risk management officials more hesitant to move forward with BYOD programs or to broaden the range of devices provided to doctors, nurses, and other staff members.
How health care providers can cope
It's worth noting that the privacy and security requirements for mobile technology themselves haven't really changed. That means that many of the approaches already being used in the health care field to secure data on mobile devices will still meet the HIPAA requirements. Those approaches include mobile device management, storing data on the device in an encrypted container, ensuring secure remote access to data, and using systems that let patient data be viewed on a mobile device without storing it on that device. All of those approaches require IT oversight of the configuration of a smartphone or tablet regardless of whether it is employee-owned or not. They may also require limiting device features to ensure security.
Some organizations may also limit the selection of devices, platforms, or mobile OS versions that can be used by health care professionals. There are two key reasons for this. One is that older versions of mobile OSes don't always include the security and management features that may be required, such as full-device encryption and remote wipe. iOS devices running anything prior to iOS 4, and Android devices running a version prior to Honeycomb on tablets or Ice Cream Sandwich on smartphones, are key examples. The second reason is that SD cards, common on many Android devices, are removable media and therefore present their own data loss or leakage concerns.
Eliminating BYOD from the equation makes it easier to ensure mobile devices used to access patient information are properly secured. That could mean locked-down devices provided specifically for work use, which is essentially the old BlackBerry model.
It could also mean using the COPE (corporate owned, personally enabled) model, which lets users treat a device as their own while also ensuring security requirements are met. And it can mean supporting a scaled-down version of BYOD in which employee devices are permitted but their access to an office or hospital network is limited to systems that don't provide patient information. That approach still lets doctors and nurses use medical references and tools, which some studies suggest is a much more common use than accessing patient records, as well as their personal data and apps.
Outside providers also impacted
The expansion of liability could also affect outside organizations.
Before the update, companies that provide services to health care organizations, like consulting firms, software vendors, and cloud service providers, were only liable for breaches if they operated under a business associate agreement with an organization that was required to comply with HIPAA, like a hospital, doctor's office, or insurance company.
The new rule expands the types of companies that can be considered business associates or subcontractors, holds them directly liable for breaches along with their customers, and extends that liability down the chain to subcontractors that handle protected health information on a business associate's behalf.
Cloud service providers are probably the most significant example, because many individual health care providers and small practices rely on cloud-based EMR systems like Dr. Chrono, which are designed primarily to support mobile devices like the iPad. The rule could also cover firms that set up and manage in-office systems, including mobile management solutions and overall practice management and administrative services.
As a result, companies or consultants whose primary business is not health related -- independent software developers or storage providers who work with clients from across a range of different fields -- may find that the prospect of taking on HIPAA liability is more than they're willing to consider. This could lead to a type of market isolation in which health care providers have fewer choices.
Other changes in the updated rule -- particularly granting patients or their designees electronic access to their health information, and allowing patients who pay for a service out of pocket in full to restrict disclosure of that treatment to their health plan -- also have some impact on health IT and health care administrators. Transferring patient data electronically may create challenges in ensuring that the data is formatted in a way that can pass from one system to another. Withholding specific encounters from an insurer may pose issues for EMR, practice management, and medical billing systems, which are typically built to report every billable event automatically.
Both of these issues, however, will almost certainly be handled by the developers of the software and systems involved.