Five years after the Internet went live to an unsuspecting public - one that had no idea how much it would need cat videos, online shopping and binge-watching - the Health Insurance Portability and Accountability Act (HIPAA) was born in 1996. Fast forward more than 20 years and we've seen the birth of the smartphone, tablet and smartwatch; the rise of social media; the emergence of cloud-based hosting and data storage; and now the Internet of Things (IoT).
Translation? Healthcare information exchange can occur - and must be protected - in more ways than those early HIPAA architects ever dreamed of. The following details what HIPAA does specify, where it's lacking, and some of the technologies and solutions that can help you stay protected.
A Brief History of HIPAA
HIPAA established the first set of national guidelines for healthcare data maintenance and exchange. Over the next 10+ years, HIPAA expanded to include the enactment of the Privacy, Security and Enforcement rules, which set standards for personal health information (PHI) protection, disclosure, and access. These rules also outlined the compliance infrastructure that healthcare providers, health plans, and clearinghouses should have in place to protect data, monitor HIPAA adherence, and report breaches.
What HIPAA Has to Say About Mobile
HIPAA Journal provides an excellent summary of what HIPAA does and does not mandate when it comes to mobile devices. For instance, HIPAA requires multi-layered user-authentication controls for the access, storage, and transmission of electronic patient health information (ePHI). It further requires protections against data alteration and destruction through the implementation of monitoring controls. Here are a few specific focal areas and technologies for HIPAA compliance:
- Data tracking - Consider digital watermarking.
- Information access - Certify all devices, block the transmission/download of ePHI where necessary, and segregate work and personal data on individually owned devices.
- Password and public Wi-Fi security - Create policies that specify requirements and mandate VPN use for remote access.
- App control - Limit usage to apps with certified security controls and ensure security updates occur.
- Device scanning and maintenance - Install anti-virus software, perform regular scans, and ensure automated security updates.
- Data erasure - Implement technologies that allow for remote data deletion.
Text Me, Maybe
The healthcare industry is now using text marketing automation tools, social media, chatbots, and SMS marketing tools for everything from appointment reminders to wellness engagement. Opt-out functionality is a must. And while message encryption is critical, HIPAA does not technically require it for data at rest. For data in motion, however, the Security Rule advises encryption for the transmission of ePHI, particularly over SMS networks.
One thing that's not allowed? Texting patient orders. In December 2017, the Centers for Medicare & Medicaid Services (CMS) clarified that while providers may text patient information to one another, it must be via a secure platform and cannot include the texting of patient orders. Its position reinforces not only HIPAA but its own Conditions of Participation (CoPs) and Conditions for Coverage (CfCs) agreements.
Hey, You! Get on to My Cloud
HIPAA also allows cloud-based storage. The OCR issued guidance in 2016 outlining requirements for the cloud service providers (CSPs) that medical practices must inevitably turn to for secure system implementation. Google Drive is just one of those cloud-based options. HIPAA Journal reports that the company's Business Associate Agreements (BAAs) address the HIPAA Security, Privacy, and Breach Notification Rules, allowing for the use of Google Drive and subcomponents such as Google Forms, which providers can use to gather and share information.
Left to Your Own Devices
There are four letters that might make anyone operating in the HIPAA space cringe: BYOD. It stands for Bring Your Own Device and marks a growing trend in some sectors for employees to use their own technology in the workplace. Adoption is currently higher in other countries than in the U.S., but with personal mobile devices and the IoT entering healthcare in big ways, it's time to at least start thinking about it. While HIPAA doesn't speak specifically to these areas, the existing Security Rule is a good place to start and can help you create policies in such areas as:
- Patient and guest data access
- Network and software security
- Email, web, and medical device security
- Workflow and information logging
Compliance: Broader than HIPAA, More Important Than Ever
Because there is much that HIPAA doesn't specify, any organization protecting healthcare data should be aware of what other agencies are advising, including:
- Mobile security - The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) issued 2015 guidance addressing standards for company-owned and BYOD mobile devices.
- App development - The Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement, has created a portal for app developers that addresses components of the Privacy and Security Rules, along with BAA guidance. Meanwhile, ACT | The App Association has called on the OCR to get more specific as technology grows by leaps and bounds.
- Connecting the dots - The OCR has mapped the HIPAA Security Rule to the NIST Cybersecurity Framework, which it acknowledges is more granular when it comes to outlining administrative, physical, and technical safeguards.
As healthcare innovation continues to move at lightning speed, those in the industry will remain continually challenged by the dual needs of keeping up with technology and protecting patient data. Advancements shouldn't be limited by lagging regulations, which puts healthcare providers, executives, and manufacturers in a position to drive compliant solutions where federally defined standards are lacking.
Laura Beerman is a writer for TechnologyAdvice. Her insights have appeared in RevCycleIntelligence, Becker's, InformationWeek and other outlets. She has spoken nationally on population health and long-term care, and has been interviewed by The Wall Street Journal for her accountable care predictions. She resides in Nashville with her Canadian husband and American kittens. You can find her on LinkedIn.