Late last month, the U.S. Department of Health and Human Services (HHS) announced the first major update to HIPAA, the 1996 law that governs how companies operating in the health care field are required to protect the privacy and security of patient information. The update, known as the HIPAA omnibus final rule, includes provisions that give Americans greater control over their personal health data, strengthen the requirements on providers to report data breaches, and expand the enforcement options available to HHS in the event of a breach.
In announcing the rule, Secretary of Health and Human Services Kathleen Sebelius pointed to the massive changes in health care technologies since HIPAA became law in 1996. In a statement, she said, "Much has changed in healthcare since HIPAA was enacted over 15 years ago. The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."
HIPAA was passed long before mobile technology like today's smartphones and tablets came on the market and in an era where issues like BYOD programs or modern cloud computing were virtually unimaginable in medicine (or any other industry). In updating HIPAA rules to directly or indirectly address these issues, HHS may actually make it harder for health care entities -- hospitals, medical groups, private practices, insurers, individual providers, health insurance exchanges -- to take full advantage of these technologies.
When it comes to technology, the most significant change is an expansion of liability when it comes to data breaches.
To date, providers have only been required to inform HHS of data breaches that result in "a significant risk of financial, reputational, or other harm to an individual." In other words, if you discover a breach but conclude that it doesn't present a risk of harm to an individual, you're not required to identify and report it.
The new requirements are much more stringent: any incident that results in unauthorized access, use, or disclosure of personal health information is automatically presumed to be a breach and potentially harmful to the individuals whose data is compromised. As a result, all such incidents need to be reported and will be considered data breaches (with potential penalty implications) until a risk assessment can be performed and reported that shows the chances that personal health information was actually exposed or compromised can be considered to be low.
That puts a much greater burden on the provider or organization.
One of the biggest areas of concern is mobile devices and removable media like USB flash drives or memory cards. If these devices contain patient data or credentials to access patient data, then a lost or stolen device may qualify as a breach and would need to be reported -- even if the breach was unlikely to cause harm because of a control like remote wipe or device access and encryption policies. As a result, the new rule may make health care IT leaders, practice or hospital administrators, and risk management officials more hesitant to move forward with BYOD programs or to broaden the range of devices provided to doctors, nurses, and other staff members.
How health care providers can cope
It's worth noting that the privacy and security requirements concerning mobile technology haven't really changed. That means many of the approaches already used in the health care field to secure data on mobile devices will still meet the HIPAA requirements. Those approaches include mobile device management, keeping data on a device in an encrypted container, ensuring secure remote access to data, and using systems that let patient data be viewed on a mobile device without storing it on that device. All of those approaches require IT oversight of the configuration of a smartphone or tablet, whether it is employee-owned or not. They may also require limiting device features to ensure security.
Some organizations may also limit the selection of devices, platforms, or mobile OS versions that can be used by health care professionals. There are two key reasons for this. One is that the older versions of mobile OSes don't always include the security and management features that may be required. iOS devices running anything prior to iOS 4 or devices running a version of Android prior to Honeycomb on tablets or Ice Cream Sandwich on smartphones are key examples. The second reason is that SD cards, common on many Android devices, are removable media and therefore can present their own data loss or leakage concerns.
Eliminating BYOD from the equation makes it easier to ensure mobile devices used to access patient information are properly secured. That could mean locked-down devices provided specifically for work use, which is essentially the old BlackBerry model.
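The two decisions the article describes, whether a device meets the minimum bar to access patient data (platform and OS version cut-offs, IT management, encrypted container, removable media) and how a lost or stolen device is triaged under the new presumption of breach, can be expressed as a small policy check. The following Python is an added example and not the article's code or any MDM vendor's API; the `Device` fields, the `MIN_OS_VERSION` table (built from the iOS 4, Honeycomb 3.0 and Ice Cream Sandwich 4.0 cut-offs named above) and the rule that a confirmed remote wipe plus an encrypted container supports a "low probability of compromise" finding are assumptions for illustration, not a legal determination.

```python
"""Device-policy gate and lost-device triage, as described in the article.

Constructed example: not the article's code and not any MDM vendor's API.
Policy thresholds are assumptions drawn from the article's text.
"""
import re
from dataclasses import dataclass

# Minimum OS versions the article names as cut-offs: iOS 4, Android 3.0
# (Honeycomb) on tablets, Android 4.0 (Ice Cream Sandwich) on smartphones.
MIN_OS_VERSION = {
    ("ios", "phone"): (4, 0),
    ("ios", "tablet"): (4, 0),
    ("android", "tablet"): (3, 0),
    ("android", "phone"): (4, 0),
}


@dataclass
class Device:
    platform: str              # "ios" or "android" (assumed inventory fields)
    form_factor: str           # "phone" or "tablet"
    os_version: str            # e.g. "4.0.3"
    mdm_enrolled: bool         # IT oversight of configuration, employee-owned or not
    encrypted_container: bool  # patient data kept in an encrypted container
    removable_media: bool      # SD card present (removable media)
    phi_stored_locally: bool   # False when data is view-only via a remote system
    credentials_stored: bool   # cached credentials that unlock patient data


def parse_version(text: str) -> tuple:
    """'4.0.3' -> (4, 0, 3); tolerates suffixes like '4.0b2' by keeping leading digits."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def compliance_issues(device: Device) -> list:
    """Reasons a device may not be used to access patient data (empty list = allowed)."""
    issues = []
    key = (device.platform.lower(), device.form_factor.lower())
    minimum = MIN_OS_VERSION.get(key)
    if minimum is None:
        issues.append(f"unsupported platform/form factor {key}")
    elif parse_version(device.os_version) < minimum:
        issues.append(f"OS {device.os_version} below minimum "
                      f"{'.'.join(str(n) for n in minimum)}")
    if not device.mdm_enrolled:
        issues.append("device not under IT management")
    if device.phi_stored_locally and not device.encrypted_container:
        issues.append("patient data stored outside an encrypted container")
    if device.removable_media:
        issues.append("removable media present (data leakage risk)")
    return issues


def assess_lost_device(device: Device, remote_wipe_confirmed: bool) -> dict:
    """Triage a lost or stolen device under the omnibus rule's presumption of breach.

    The incident is presumed reportable; it is downgraded only when the controls
    in place support a finding that PHI compromise is of low probability.
    """
    reasons = []
    phi_protected = (not device.phi_stored_locally) or device.encrypted_container
    creds_protected = (not device.credentials_stored) or remote_wipe_confirmed
    if not device.phi_stored_locally:
        reasons.append("no PHI stored on device (view-only access)")
    elif device.encrypted_container:
        reasons.append("stored PHI is inside an encrypted container")
    else:
        reasons.append("PHI stored on device without encryption")
    if device.credentials_stored:
        reasons.append("remote wipe confirmed, cached credentials removed"
                       if remote_wipe_confirmed
                       else "cached credentials remain usable until revoked")
    return {
        "presumed_breach": True,
        "low_probability": phi_protected and creds_protected,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample inventory records, not real devices.
    legacy_phone = Device("android", "phone", "2.3.6", True, False, True, True, True)
    managed_tablet = Device("android", "tablet", "3.2", True, True, False, True, True)
    print(compliance_issues(legacy_phone))
    print(assess_lost_device(managed_tablet, remote_wipe_confirmed=True))
```

The compliance check runs at enrolment time and again whenever the OS version or storage state reported by the management agent changes; the triage function is the first step after a loss report, and its output feeds the documented risk assessment rather than replacing it.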