Health Insurance Portability and Accountability Act (HIPAA) Security Requirements for Mobile Healthcare Solutions

Transcription

1 Health Insurance Portability and Accountability Act (HIPAA) Security Requirements for Mobile Healthcare Solutions A white paper on mobility and healthcare This white paper analyzes HIPAA security requirements and mobile health security best practices to help healthcare organizations evaluate and implement secure and fully compliant mobile health solutions.

2 Table of contents Written by: SP Vijaykumar Vijay is practice manager for Mobile Healthcare at Dell Services. Vijay has over 13 years experience in traditional embedded systems for mobility & enterprise application development and solutions architecture. At Dell Services, Vijay helps clients with portfolio assessments, mobile adoption, application development approach, application migration across platforms and enterprise transformation. Executive summary...3 Mobility adoption trends in the healthcare industry...4 HIPAA privacy requirements...5 HIPAA security requirements...5 Understanding HIPAA applicability for mobile solutions...6 Application of HIPAA privacy and security requirements for... personal health information (PHI)... 7 Conclusion...9 Martin Edwards Martin is compliance officer at Healthcare and Life Sciences (HCLS), Dell. He has over 17 years of HIPAA privacy/security, healthcare compliance and operations experience in public, private and non-profit healthcare systems. Martin is certified in Healthcare Compliance (CHC) and Healthcare Privacy Compliance (CHPC). 2

3 Executive summary Most stakeholders in the healthcare community rely on mobile devices every day as their primary means of communication and have expressed an interest in accessing health-related information via smartphones and mobile technology. Mobile healthcare solutions have tremendous potential to improve the quality of care and overall effectiveness of healthcare systems. Mobile devices offer providers, payers, consumers and life sciences companies a 24x7 connection with a two-way communication channel that can facilitate improved collaboration and access to health information on the go. Using a mobile device, physicians can: Access patient records Review lab results and images Manage appointments Check drug references Monitor patient health remotely Mobility can also help the payer community enhance customer experience by making features such as insurance plans, quotes, claim management and wellness advice available on their smartphones. The pharmaceutical community can use mobile devices effectively to market drugs through edetailing and record the digital signature of a provider when dropping off drug samples. And consumers can greatly benefit from mobile technology by booking physician appointments, engaging with their doctor remotely, accessing information on specific medical conditions and even ensuring they are following their doctor s recommended diet and medication regimen. Most stakeholders in the healthcare community rely on mobile devices every day as their primary means of communication and have expressed an interest in accessing health-related information via smartphones and mobile technology. Before mobile healthcare can be fully adopted, concerns about mobile security as well as Health Insurance Portability and Accountability Act (HIPAA) and protected health information (PHI) security requirements must be addressed. This white paper analyzes HIPAA Security Rule requirements and mobile health security best practices to help healthcare organizations evaluate and implement secure and fully compliant mobile health solutions. 3

4 Mobility adoption trends in the healthcare industry Even as mobile device adoption and usage is increasingly prevalent for providers and consumers in the United States, the use of mobile healthcare applications is fairly conservative. Consumer trends Physician trends 83 percent of U.S. residents over the age Nearly all physicians own a of 18 own a cell phone mobile phone 53 percent own smartphones, and percent of physicians own percent of those own either Apple, a smartphone Android or Windows-based devices 75 percent of physicians own Apple 31 percent of cell phone users have used devices and 20 percent own Android their phone to look up health information devices (up from 17 percent two years ago) 58 percent already use or plan to use an 80 percent of cell phone owners use text ipad within the next six months (only 3 messaging, but only 9 percent receive percent are using Android tablets) text alerts or updates about health issues 79 percent prefer to use an ipad, with percent have downloaded healthrelated apps only 9 percent an Android tablet percent preferring a Windows tablet and 38 percent have installed exercise and fitness apps Statistics based on Pew Research Center and Gartner research Healthcare adoption of mobile devices by specialty Oncologist Optometrist Nephrologist Endocrinologist Psychiatrist Urologist Rheumatologist Gastroenterologist Cardiologist Clinical pathologist Radiologist Dermatologist Emergency room physicians 16% 20% 21% 22% 24% 28% 28% 30% 30% 31% 31% 33% 40% Mobile health solutions have not taken off as expected because many healthcare providers and insurers are unclear about security laws and how they relate to the transmission/access of sensitive patient health information. Concerns include: Meeting security requirements of PHI for mobile content Complying with HIPAA Security Rule Ensuring mobile device security Devising different strategies to secure mobile health data Responding to security incidents (such as a potential breach) resulting from the loss or theft of a mobile device 0% 10% 20% 30% 40% 50% 4

5 HIPAA privacy requirements Healthcare organizations have the responsibility and challenge of protecting electronic PHI (ephi), including electronic health records, from internal and external risks. The HIPAA Privacy Rule provides federal protections for protected health information (PHI) held by covered entities and business associates and gives patients many rights concerning this information. However, the HIPAA Privacy Rule permits the use and disclosure of PHI for treatment, payment and healthcare operations (TPO) without patient authorization. This rule applies to health plans, healthcare clearinghouses and any healthcare provider or business associate transmitting health information electronically. The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media whether electronic, paper or verbal communication. Individually identifiable health information is information, including demographic data, relating to: An individual s past, present or future physical/mental health or condition Provision of healthcare to the individual Past, present or future payment for the provision of healthcare to the individual, and that identifies the individual (or for which there is a reasonable basis to believe it can be used to identify the individual) Individually identifiable health information includes many common identifiers such as name, address, birth date and Social Security Number. HIPAA security requirements Technical safeguards are becoming increasingly important due to technological advancements in the healthcare industry. As technology evolves, new security challenges emerge. Healthcare organizations have the responsibility and challenge of protecting electronic PHI (ephi), including electronic health records, from internal and external risks. To reduce risks to ephi, safeguards must be implemented in order to comply with the HIPAA Security Rule and other state data protections laws 1. The HIPAA Security Rule specifies a series of administrative, physical and technical safeguards for covered entities and business associates to assure the confidentiality, integrity and availability of ephi. The HIPAA Security Rule, like the Privacy Rule, applies to all covered entities and business associates (including subcontractors). 5

6 Understanding HIPAA applicability for mobile solutions As a first step for adhering to HIPAA privacy and security regulations, it is important to understand whether a mobile solution falls under the HIPAA purview. Companies developing mobile applications must answer the following questions to ascertain HIPAA applicability: Who is the target audience of this application? What information will be shared or accessed through the application? HIPAA rules apply only to covered entities and their business associates not healthcare consumers. A business associate is an entity who creates, receives or transmits PHI on a covered entity s behalf. Additionally, a business associate is defined as an entity that performs HIPAA-covered services on behalf of or for a covered entity. The HIPAA Omnibus Rule further defines a business associate as an entity that creates, receives or transmits PHI on behalf of a covered entity. A practical example of this is when a health information exchange organization shares health information on behalf of a healthcare provider, or a pharmacy benefit manager who operates a health plan s prescription benefit. Additionally, HIPAA rules only apply to individually identifiable health information, though there are exceptions for employment and education records of covered entities. The Family Educational Rights and Privacy Act (FERPA) outlines the use and disclosure of educational institution records. PHI also includes otherwise anonymous information like date of service. An referring to the patient who was in last week is protected health information, because it includes a date of service that can be used to identify the patient. Any mobile solution would need to analyze whether the application will be used by a covered entity such as provider, hospital or health plan and whether it will include any PHI. An application that assists a physician in following up with patients would need to be designed to comply with HIPAA. Likewise, a mobile application used by health plan employees to acquire an individual s enrollment information remotely would need to be designed in accordance with HIPAA. In contrast, applications used by patients will not have to comply with HIPAA. An application on a patient s smartphone that can help the user follow a specific medication schedule would not be applicable because there is no covered entity involved. Even if the application permitted the user to send information to his/her physician, the application would not be subject to HIPAA. Once the HIPAAcovered physician received the information, the information itself becomes subject to HIPAA along with the database where the information is stored/hosted. In this case, the transmission of information (from mobile application to provider) should be secured. Applications that are used by a covered entity but do not involve PHI would also not be subject to HIPAA. For example, an application that provides a nurse with de-identified influenza statistics would not be applicable because it does not use individually identifiable health information. It should be noted that if the application allows the nurse to add identifiable information about the hospital s influenza patients (such as an individual came in with H1N1 symptoms today ), then the patient information becomes subject to HIPAA. So at the outset, it is extremely important to identify the application user and the content used in the solution to determine HIPAA applicability. 6

7 Application of HIPAA privacy and security requirements for mobile PHI Healthcare organizations traditionally focused on securing PHI on servers, internetbased systems and computers. With the advent of mobile solutions, the industry faces new challenges of securing PHI. These challenges should be addressed with a fresh approach. The HIPAA Security Rule technical safeguards, mandated by HIPAA, are the technology and related policies and procedures that protect and control access to ephi. Technical safeguard standards apply to all ephi. The HIPAA Security Rule requires a covered entity and business associate to comply with the administrative, technical and physical standards. These standards have two categories: required and addressable. HIPAA technical safeguard rules Access control: A covered entity must implement technical policies and procedures that allow only authorized persons to access ephi. These include: Unique user identification (required) Emergency access procedure (required) Automatic logoff (addressable) Encryption (addressable) The following table summarizes the relevant HIPAA Security Rule provisions in relation to known mobile device and wireless security issues. It also lists mobile security best practices to overcome the risk of security breaches and exposure to ephi in mobile health communications and applications. Mobile security recommendation Unique identification: Provide provision for unique identification of mobile device and individual device owner. Power-on authentication: Ensure a poweron password or PIN to ensure the device cannot be used by an unauthorized user. Two-factor authentication: Implement twofactor authentication for access to systems that contain PHI. Consider the use of tokens, call-back and biometrics for these. Auto-lock: Configure device to automatically lock up after a certain period of time. Data encryption: Establish data encryption of PHI data on mobile devices. Audit controls: A covered entity must implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ephi to: Record internal uses of ephi by user (required) Acknowledgement: Generate confirmation when ephi messages are delivered and read. 7

8 HIPAA technical safeguard rules Integrity controls: A covered entity must implement policies and procedures to ensure that ephi is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ephi has not been improperly altered or destroyed including: Mechanism to authenticate ephi (addressable) Person or entity seeking access is the one claimed (required) Transmission security: A covered entity must implement technical security measures that guard against unauthorized access to ephi that is being transmitted over an electronic network including: Integrity controls (addressable) Encryption (addressable) Mobile security recommendation Role based: Employ role-based access as part of a user-provisioning solution. Different users may require different levels of access based on job function. Develop and employ proper clearance procedures and verify training of workforce members prior to granting access. Logging and auditing: Implement logging and auditing on device and parent network. Ensure that the issue of unauthorized access of ephi is appropriately addressed in the required sanction policy. Encrypted data: Even if the phone owner forwards a message by mistake to another recipient, the latter will not be able to read it because it remains encrypted and locked on the original phone. Encryption: Implement and mandate appropriately strong encryption solutions for transmission of PHI. Access can be implemented over SSL, IPSec or a similar VPN technology. Signed applications: Allow only signed applications to be loaded onto the devices (S/MIME, token-based). Two-way encryption: All ephi data transmitted to and from the mobile device is to be encrypted. Tightening device security: Enterprises need to look at mobile device management (MDM) and mobile application management (MAM) solutions to secure the distribution of data and apps. They offer the following benefits: MDM provides control over data that is being accessed on employee s personal devices as well as device-specific features, which can be enabled or disabled (such as WiFi) with a remote wipe feature to ensure data integrity if the device is lost or stolen. Enterprise security policies and access control can be pushed to the mobile device through an MDM solution. This has to be closely monitored for potential violations. The policy enforcement can provide a balanced security perimeter around mobile devices that isolates potential threats and prevents them from getting to other parts of the network. MAM offers features such as an enterprise app store for downloading and installing only authorized mobile applications. This centralized application control, sandboxing and software push capabilities ensures only whitelabeled apps are allowed to be installed on personal devices. Bring your own device and HIPAA The proliferation of employee-owned mobile devices in the workplace with the bring-your-own-device (BYOD) phenomenon has resulted in one of the biggest information security challenges in recent years to balance user convenience with the need to protect sensitive business data. It is imperative to consider implementing a multipronged, balanced approach to comply with HIPAA and protect ephi data in a BYOD scenario. Educating users about the risks and responsibilities associated with BYOD: While the HIPAA Security Rule doesn t require it, users need to be reminded and educated about their responsibilities when accessing an organization s systems via their personal devices. Organizations need to roll out educational campaigns to reinforce the need for a high degree of security and control, even though the organization doesn t own the device. 8

9 Conclusion Even as mobility has the potential to greatly benefit healthcare industry providers, payers and consumers, concerns involving privacy laws and the proper interpretation of HIPAA continue to delay its adoption. Companies that want to design and deploy mobile solutions successfully would first need to determine HIPAA applicability by identifying the target audience and information that will be shared through their application. Based on this, companies will have to use mobile security features such as encryptions, power-on authentication, unique identification, role-based access and auto-lock to comply with HIPAA requirements and protect the use and transmission of ephi. As additional efforts are made to secure mobile applications, the industry will be able to adopt mobile solutions with full HIPAA compliance while delivering on the many new opportunities mobile solutions will create for the healthcare industry. For more information about any of our service offerings, please visit Dell.com/services or contact your Dell representative. Scan or click this code to learn how Dell Services can help your organization. 1 This white paper is for information purposes only, and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. Product and service availability varies by country. To learn more, customers and Dell Channel Partners should contact their sales representative for more information. Specifications are correct at date of publication but are subject to availability or change without notice at any time. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell s Terms and Conditions of Sales and Service apply and are available on request. Dell and the Dell logo are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others Dell Inc. All rights reserved. January 2014 HIPAA applicability in mobility.indd Rev. 1.0