The Akron Legal News


Adhering to HIPAA in the age of smartphones

SHERRY KARABIN
Legal News Reporter

Published: August 24, 2015

A patient sends a text message to a doctor asking for test results; another logs into a medical office portal to read the summary of a recent visit. Such actions are now part of everyday life as doctors and hospitals adapt to the age of smartphones and other small devices and work to equip their practices with the latest technology to make things more convenient for their patients.

The question is how these providers can ensure they don’t violate their patients’ privacy or risk a breach under the Health Insurance Portability and Accountability Act of 1996, or HIPAA.

Signed into law by former President Bill Clinton, HIPAA was updated in 2013 under the Final Omnibus Rule. The rule provided the public with increased protection and control of personal health information, while strengthening the HITECH Act’s (Health Information Technology for Economic and Clinical Health) breach notification requirements, clarifying when breaches of unsecured health information must be reported to the U.S. Department of Health & Human Services (HHS).

Although HIPAA’s privacy and security rules initially focused on healthcare providers, health plans and others that process health insurance claims, the changes expanded many of the requirements to the business associates of these entities, including their subcontractors and agents.

According to Joseph Feltes, partner-in-charge of the Canton office at Buckingham, Doolittle & Burroughs, there was a presumption prior to the Omnibus Rule that a HIPAA violation did not constitute a breach unless it resulted in a significant risk of financial, reputational or other harm to individuals.

“Following Omnibus, that presumption shifted,” said Feltes, who handles health and medicine, employment and litigation matters. “Now the unauthorized use or disclosure of unsecured protected health information (PHI) is presumed to be a breach. In order to rebut that presumption, a covered entity or business associate must demonstrate that there is a low probability that the PHI has been compromised in a way that could harm individuals.”

He said the rules require covered entities and business associates to maintain the privacy of protected health information, in paper or electronic form, for 50 years following an individual’s death.

Finally, he said, HIPAA is being more rigorously enforced, with covered entities and business associates facing greater fines and penalties for privacy violations.

“We are moving toward a mobile device and apps-based society,” said Feltes. “In order to protect against a HIPAA breach, any email or text message containing PHI or ePHI (electronic protected health information) must be encrypted.

“Another issue is verifying who is receiving the PHI,” said Feltes. “If the conversation is held over the phone and the healthcare professional confirms the patient’s identity, the provider has a good deal of assurance of whom he/she is speaking with. However, if this information is being sent to the patient’s phone via a text message, it is more difficult to confirm whether the patient is the recipient when the message arrives.”

Feltes said such issues could be more complicated when employer-issued devices are used to conduct both business and personal communications.

“The easiest way to avoid problems is for healthcare providers to have a dedicated device for dealing with patient and hospital information,” he said.

Information on laptops must also be encrypted, said Feltes, to avoid major problems should the laptop get lost or stolen.

There are other concerns surrounding patient portals that allow people to access their medical records, request prescriptions and receive appointment reminders. Many physician offices and even hospitals have equipped their websites with these portals.

“This is part of the government’s encouragement of providers to provide ‘meaningful use’ of certified electronic health record technology to improve the quality and efficiency of healthcare and better engage patients and their families in taking an active role in improving their health,” said Feltes.

“The problem is this information must be secure on both the physician and patient side,” he said. “This is usually a two-step process involving a patient password and sometimes a secondary question.”

Feltes said if a breach does occur there can be tangible and intangible consequences.

“Any time a breach occurs, the patients must be notified along with the U.S. Department of Health & Human Services. If the breach involves 500 or more individuals, the media must also be notified.

“The cost of the fines can range depending on the frequency of the breach,” said Feltes. “In some cases, they could be $1 million or more. There is also a cost to the covered entity’s reputation, which may result in the loss of patients.”

More organizations, including healthcare providers, are looking to the cloud as a way to store massive amounts of data. Feltes said HHS has not established a HIPAA certification for cloud service providers. He advises doctors and others to do their ‘due diligence’ when selecting a cloud service.

“Two things that they should keep in mind: first, a cloud service provider (CSP) is a business associate,” said Feltes. “It is important for doctors to have a business associate agreement that gives them maximum protection, particularly if the breach occurred at the CSP level. Second, protected health information transmitted (ePHI) and ePHI stored must be secure, which includes meeting national standards for encryption and password protection.”

Jason Edwards, lead web developer at Akron-based M.E.D. Media Mart, which creates websites and products primarily for health and human service providers, said a number of his clients do not use email or mobile devices to communicate with their patients because they are concerned that their sites and devices are not secure.

“We offer HIPAA-compliant web hosting and email services along with training on how breaches might occur and what can be done to minimize the risks,” said Edwards.

Edwards said he advises all clients to develop policies and procedures regarding who can access protected health information and how they can do so securely.

“The digital age is transforming the medical profession much like the printing press changed the world,” said Edwards. “In the future video chats will replace some of the doctor-patient interactions in the office. The digital age offers many possibilities but professionals must first learn what is required to maintain confidentiality.”

Dr. Todd Beyer, a board-certified ophthalmologist and oculofacial-plastic surgeon in Summit County, recently hired M.E.D. Media Mart to design a website for a medical concierge service called Preferred Access Care (PAC). Patients who join PAC pay a fee in return for fast access to a network of local physicians and discounts on numerous health services.

Beyer said PAC members also receive the benefit of secure email communications with network physicians.

“Our website does not contain any patient information, but it does provide a way for patients to contact us,” said Beyer, a PAC founder who also runs the Novus Clinic. “Our website is designed to offer patients alternatives to dealing with the high deductibles that occur under Obamacare.”

He said his patients’ data is maintained on a local office server and those staff members who have access have been issued passwords and must follow protocol.

“I am especially concerned about storing information in the cloud so I have decided against doing that,” said Beyer.
