New regulations may dampen BYOD plans for doctors and hospitals
Late last month, the U.S. Department of Health and Human Services (HHS) announced the first major update to HIPAA, the 1996 law that governs how organizations in the health care field must protect the privacy and security of patient information. The update, known as the HIPAA omnibus final rule, includes provisions that give Americans greater control over their personal health data, strengthen providers' obligations to report data breaches, and expand the enforcement options available to HHS in the event of a breach.
In announcing the rule, Secretary of Health and Human Services Kathleen Sebelius pointed to the massive changes in health care technology since HIPAA became law in 1996. In a statement, she said, "Much has changed in healthcare since HIPAA was enacted over 15 years ago. The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
HIPAA was passed long before mobile technology like today's smartphones and tablets came on the market, in an era in which BYOD programs or modern cloud computing were virtually unimaginable in medicine (or any other industry). In updating HIPAA rules to directly or indirectly address these issues, HHS may actually make it harder for health care entities -- hospitals, medical groups, private practices, insurers, individual providers, health insurance exchanges -- to take full advantage of these technologies.
When it comes to technology, the most significant change is an expansion of liability for data breaches.
To date, providers have only been required to notify HHS of data breaches that pose "a significant risk of financial, reputational, or other harm to an individual." In other words, if you discover a breach but conclude that it does not present a risk of harm to an individual, you are not required to report it.
The new requirements are much more stringent: any impermissible acquisition, access, use, or disclosure of protected health information (PHI) is presumed to be a breach and potentially harmful to the individuals whose data is involved. The burden of proof shifts to the organization. Every such incident is treated as a reportable breach, with the penalty implications that follow, unless and until the organization performs and documents a risk assessment showing that the probability that the PHI was actually compromised is low.
That puts a much greater burden on the provider or organization.
One of the biggest areas of concern is mobile devices and removable media like USB flash drives or memory cards. If these devices contain patient data, or credentials that grant access to patient data, then a lost or stolen device may qualify as a breach and would need to be reported -- even if the loss was unlikely to cause harm because of safeguards such as a remote wipe, device access controls, or an encryption policy. One practical caveat: under existing HHS guidance, breach notification applies to "unsecured" PHI, and PHI encrypted in line with NIST guidance is considered secured, so the presumption bites hardest on devices that were not encrypted or whose encryption state at the time of loss cannot be demonstrated. As a result, the new rule may make health care IT leaders, practice or hospital administrators, and risk management officials more hesitant to move forward with BYOD programs or to broaden the range of devices provided to doctors, nurses, and other staff members.
How health care providers can cope
Here are some basic steps anyone can take -- including enterprise workers -- to improve security on their personal Android BYOD devices.