While there was a time when organizations and professionals speculated on whether mobile devices could or should be adopted for use in the healthcare sector, that time has clearly passed, and the way forward is clear: mobile devices are here to stay.
Indeed, a KLAS research survey found that 7 out of 10 doctors use mobile devices to access their patients’ electronic health records (EHR). And another study by QuantiaMD found that 83% of doctors owned at least one mobile device, and 25% of them were so-called “super mobile users” who used both a smartphone and tablet in their practice.
Mobile App Security Implications of HIPAA Compliance
However, despite the benefits they deliver, not everyone is excited about the growing use of mobile devices in the healthcare sector. Governments, patient advocacy groups, and even major healthcare information providers (e.g. GE, Siemens, Cerner, Epic, McKesson, Allscripts, and others) are very concerned about the security of electronic protected health information (ePHI) and about HIPAA compliance in general. This worry takes on an even deeper significance, and carries greater and graver consequences, because the use of mobile devices to transfer ePHI triggers the HIPAA Security Rule.
Per the US government’s Department of Health and Human Services, the HIPAA Security Rule establishes national standards to protect electronic personal health information that is created, received, used, or maintained by a covered entity. Such entities (e.g. healthcare organizations) must take what are considered to be appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Furthermore, in 2013 “Meaningful Use Stage 2” rolled out, which authorized the Department of Health and Human Services’ Office for Civil Rights (OCR) to conduct HIPAA-compliance audits of hospital ePHI.
Given the rising fear of a HIPAA breach, a fear fueled by an increasing spate of high-profile penalties (such as the $1.2 million settlement between the OCR and a Boston specialty hospital after a physician’s laptop containing ePHI was stolen, and the $1.7 million settlement between the OCR and the Alaska Department of Health and Social Services after a USB drive containing ePHI was stolen), some CIOs in the healthcare sector are moving to lock down mobile devices, and therefore to significantly limit access to and control over ePHI and other confidential data. Yet, while this approach satisfies compliance needs, it triggers two difficult and potentially intractable problems: surging patient demand, and circumvention via BYOD.
With respect to the first problem, the drive towards accessing and transmitting ePHR is not exclusively driven by physicians and other healthcare professionals; patients are also looking to reap the benefits. As noted by the Frost & Sullivan white paper Moving Beyond the Limitations of Fragmented Solutions, “as our healthcare system transitions to electronic health records (EHR), consumers are demanding digital access to personal health information.” As such, any move to limit the accessibility and sharing of ePHRs is ultimately going to prevent this patient/consumer demand from being met.
And with respect to the second problem, while IT staff can lock down corporately-owned devices, they have no way to maintain total control over personally-owned devices (BYOD), and even partial control raises user privacy concerns. Nor, frankly, is such control a practical expectation. As Ken Congdon, the editor-in-chief of Health IT Outcomes notes: “Unlike other IT initiatives that are the brainchild of the IT department or driven by federal incentives, the BYOD movement is being propelled by the end users themselves — namely doctors and nurses. An overwhelming number of clinicians want to use their own mobile devices (e.g. tablets, smartphones) on the job. Denying these caregivers a means to do so in line with IT policies will only encourage some to sidestep IT roadblocks and use personal devices haphazardly. Better to find a way to address the BYOD demand as securely as possible, than to stand in the path of the avalanche”.
Given the above, healthcare sector CIOs appear stuck between the proverbial “rock and a hard place”. On the one hand, they wisely fear the consequences of a HIPAA compliance breach, which could lead to huge fines and major, long-term reputational damage. On the other hand, locking down devices to prevent access to files runs counter to physician and patient demand, and fosters unmanaged BYOD use that could ironically lead to data leakage rather than prevent it.
However, this only appears to be an unsolvable problem, because there is an option for CIOs that allows them to choose compliance and productivity, rather than one or the other.
Appdome helps healthcare organizations achieve HIPAA Compliance while protecting patient data
A major healthcare provider uses Appdome’s no-code mobile security and development platform to implement a full suite of mobile app security, privacy, data protection, and compliance features in any iOS or Android app, instantly and without any coding. This ensures that mobile apps have the security needed to protect user and patient data and to achieve HIPAA compliance, as well as compliance with other regulations.
Healthcare organizations retain complete control over ePHI on mobile devices so they can identify and thwart misuse, and fully comply with the HIPAA Security Rule.
Doctors and other healthcare professionals, along with authorized agents, brokers and members get access to ePHRs they need on any mobile app, and they can rest assured that patient data is protected.
Check out our free Mobile Healthcare Compliance and HIPAA Case Study.