Evidence that the world is going mobile is everywhere. The market for connected health technology is projected to hit $117 billion by 2020, and 86 percent of clinicians believe mobile apps will be central to patient health in that time frame. At least 50 percent of smartphone users have downloaded a mobile health app. We also see mobile’s growth with the appearance of tablets, more powerful smartphones and Fitbits. As healthcare patients turn into healthcare consumers, patient portals and apps to enter health information, schedule appointments or even chat with a doctor have become the norm. Most people have their phones on them at all times (or nearly at all times), and that gives healthcare providers the opportunity to interact with them in ways not possible before. That also means availability of data is more critical than ever.
Even HIPAA, the federal law that protects PHI from being mishandled or abused, and which all healthcare providers and their business associates are required to follow, has gotten on board the mobile train and issued guidance specific to mhealth apps and their developers. It offers six scenarios that address two frequently asked questions regarding HIPAA regulations:
- How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
- When might an app developer need to comply with the HIPAA Rules? (ie, when is an app developer a business associate?)
Essentially, the guidance says the answers to those questions are determined on a case-by-case basis, and developed the listed scenarios to provide examples. It also provides questions to ask yourself to determine if you are a business associate. If you’re unfamiliar with terms like Covered Entity or Business Associate, click here to review some basic HIPAA terms.
With all the new data being created daily, it’s imperative for doctors to have access to it 24/7. That means putting the right IT framework in place. How does that affect the confidentiality and integrity of patient data and medical records in a mobile setting?
Mo’ mobile, mo’ problems? Not necessarily
The problem with mobile platforms by themselves at first was compliance. But now that mhealth developers are natively building HIPAA requirements into their programs (and that the government issued guidance to help), the healthcare industry has accepted the mobile platform and is using it to create a better patient experience.
Now the problem is data leakage. Mobile devices are more susceptible to theft, and while data breaches due to lost or stolen devices were down about 25 percent from 2015, they still accounted for nearly 25 percent of breaches reported in 2016. It’s important to note a data breach, as defined by the Security Rule, means the integrity, confidentiality, or availability of Protected Health Information (PHI) is compromised through the acquisition, access, use or disclosure of it. A device that has been encrypted before being stolen may not be considered compromised—the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) specifies compromised unsecured PHI must be reported, nothing else. HIPAA doesn’t specifically require encryption to meet the Security Rule, but security experts recommend it as a best practice for compliance. In fact, had encryption policies been in place last year, 1.5 million records could have remained intact.
There are many ways to achieve secure, compliant data transfers between a mobile device and the data center. The diagram below offers a high-level overview of one way a physician can secure send information such as a referral to another physician.
The importance of the cloud to healthcare IT
What does cloud computing have to do with mobile? People are putting their data into the cloud, and it must be accessible on many different devices, including computers, tablets and phones. Another pain point for the healthcare industry is the change in the billing model between insurance providers, the federal government and healthcare providers. Under the old model, the healthcare provider billed the patient’s insurance or Medicare for each individual visit and procedure, treating them as separate, disconnected events even when the patient had the same treatment twice for a single need. Now that insurance carriers and Medicare are only paying for the initial cost, hospitals need to see which treatments the patient has already had or if they’ve received the same treatment for the same need. The cloud is the best way to address the IT requirements that come with such a shift in interoperability.
The cloud, though, means many different things. It could be an on-premises cloud or one managed by a third-party provider. It could include a mix of legacy IT and cloud systems—after all, not all data is meant to be stored in the cloud. No matter what, having the right architecture that properly secures your data is key. What is most of the industry looking to do?
These days, healthcare CIOs are more often looking to a hybrid cloud solution. Admittedly, there’s been a slow transition to the cloud because HIPAA requires measurable, auditable controls, and it’s easier to achieve compliance with current on-premise systems. But the need for scalability and the move to a more mobile platform means a cloud solution is in order, and this is where hybrid comes in. It provides the best-of-both-worlds mix of the control CIOs get (and need) from their legacy IT systems, with the scalability and adaptability of the cloud to address the patient move to mobile as well as any changes to their business model.
The mobile industry has taken off for healthcare, and providers are adjusting accordingly, if somewhat slowly. For IT, the demand for a network designed to take on the security and compliance risks mobile requires is high, and it may mean looking to a third party if that hasn’t already been considered. The cloud plays a major role in developing the right mobile strategy that keeps PHI secure yet available, and it’s very likely a hybrid cloud approach is the best path for your organization. Patients are demanding a more flexible, accessible healthcare experience, and IT must find ways to quickly and securely provide the services needed to make that experience possible.