Q&A: HIPAA and Health Apps
Rachel V. Rose, JD, MBA, presented the webinar “HIPAA and Health Apps” recently and a recording can now be found on our YouTube Channel. Rachel returned to answer many commonly asked questions on our blog.
How has HIPAA evolved to address mobile technology?
HIPAA was signed into law in August 1996. Subsequently, the Privacy Rule and Security Rule were implemented. In 2009, the HITECH Act passed and with it came an increased focus on security of protected health information (PHI) and breach notification. Finally, on January 25, 2013, the Final Omnibus Rule was published (78 Fed. Reg. 5566 (Jan. 25, 2013)). In general, the U.S. Department of Health and Human Services – Office for Civil Rights has primary jurisdiction over HIPAA enforcement for covered entities, business associates and subcontractors. Other agencies such as the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA) also play a role.
In terms of mobile technology and health apps in particular, HHS recently published FAQs – a series of five questions and answers that target a covered entity’s liability when transferring a patient’s data to an app. Additionally, over the past couple of years, the FDA has released guidance on mobile medical apps – specifically those medical apps the FDA will regulate and those that it won’t, which depends on the app’s function.
What is covered under ePHI?
ePHI, which is also known as electronic protected health information, is protected health information that is produced, saved, transferred or received in electronic form. This can include USB drives, CD-ROMs, email, apps and VoIP technology. The management of ePHI is covered under the Security Rule.
What steps can companies take to ensure compliance?
One can think of compliance as an inverted triangle – start with a broad base at the top and narrow the focus into different departments and the relevant technical, administrative and physical safeguards set forth in the Security Rule. The top should include forming an enterprise risk management team and conducting an annual, comprehensive risk analysis that every team member reads. From there, by understanding the ingress and egress of protected health information, the vulnerabilities and compliance solutions identified in the risk analysis can be addressed.
Are there any National Institute of Standards and Technology (NIST) publications that address privacy, security and mobile apps?
Yes. Two key NIST special publications are SP 800-124, Rev. 1, Managing the Security of Mobile Devices in the Enterprise, and SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations. Both of these publications provide useful frameworks for achieving compliance to ensure that the confidentiality, integrity and availability of the data is maintained, even on an app.
Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas) – represents clients on healthcare, cybersecurity, securities and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer’s Top 25. She can be reached at rvrose@rvrose.com.
Be sure to look up a recording of this webinar on YouTube and be on the lookout for Rachel on our radio program 1st Talk Compliance in September 2019. Take a look at our brand-new book: HIPAA Privacy and Security, and our online compliance training courses such as What is HIPAA?, and HIPAA Business Associate Agreements Under HITECH. And check out Rachel’s other blog Recent HHS Guidance Underscores the Importance of HIPAA Compliance. Come hear Rachel Rose speak live at the HIPAA Privacy and Security Summit, November 14, 2019 at Delaware Law School.