Imagine: you wake up in the middle of the night with severe thumping in your chest. Your breath is coming in short, choppy bursts and you break out in a cold sweat. Ah, but you are a healthcare tech lover and you have a prototype of a portable echo-cardiogram attached to your smartphone. You can take your own ECG and, with the help of an algorithm app, you can find out in moments whether you are having an MI or not. This time, fortunately, it is not a heart attack; you do not need to call 911; you have avoided a trip to the ER, not to mention a lot of anxiety.
These new mobile health care technologies, or mHealth devices, are shaping up to be the hottest innovation trend in health care since vaccines. Like all innovations, however, they are evolving faster than government regulations can keep up with them. Remember the way regulators first thought they could respond to the Internet revolution with laws designed for land-line telephones.
In the case of mHealth, the legislation left in the dust is the Health Insurance Portability and Accountability Act. Given the laughable likelihood that this Congress will react quickly, some experts are recommending that early technology adopters should slow down. Doctors and other healthcare providers who use mHealth technologies and fail to abide by HIPAA’s current Omnibus standards are leaving themselves open to huge legal trouble, which could extend to other healthcare providers in their circles.
Numbers are exciting, concerning
In the last few years, mobile healthcare technologies have been growing in popularity. In 2014 there were more than 100,000 health-related applications in the iTunes app store and Google Play. However, questionable data security methods and unreliable readings have largely limited adoption to clinical environments and fitness enthusiasts. Consequently, the Food and Drug Administration has chosen to take a hands-off approach with mHealth and, so far, only regulates technologies that can be considered medical devices or that interact with already regulated medical devices.
This approach makes it challenging for doctors and developers using mHealth technologies to interpret rules set forth by the Department of Health and Human Services’ Office for Civil Rights, the office charged with enforcing HIPAA rules. For example, some innovators want to give your doctor the ability to access and make use of your mHealth device's data. When that technology surfaces, will your doctor even be allowed to use it under current HIPAA policy?
How to drive your physician crazy
Let's say you hand a week's worth of echo-cardiogram readings to your primary care physician. Your poor doctor will immediately face several pressing questions. Is that data part of your medical record now? Is she responsible for it under HIPAA security rules? Is she required to archive those readings for seven years? Is it identifying information or not and, if it is, does that make it protected health information (PHI)?
These are all policy questions that policymakers have not yet fleshed out, though HIPAA regulators have indicated they are concerned about them. Obviously, more direction needs to be given in order for healthcare providers and their business associates to know how they are expected to handle patient-supplied, electronic health data. These directions are needed immediately, as mHealth is growing in popularity. HIPAA specifics need to evolve alongside that growth to properly protect patients and their caregivers.
HIPAA literacy continues to lag
Even when rules are clear, HIPAA covered entities at all levels appear to be insufficiently knowledgeable about them. When existing policies are updated to clarify how to handle mHealth-sourced data, the way those policies are communicated to covered entities must be improved. A recent health care study, conducted by Porter Research, NueMD and the Daniel Brown Law Group, found that a significant portion of surveyed small medical practices and medical billing companies are not compliant with HIPAA's updated Omnibus privacy and security regulations, compliance measures, and communication methods.
The study gathered responses from more than 1,100 medical practices and billing companies throughout the country. Researchers interviewed providers, administrators, and medical office staff, 36 percent of whom did not even know about HIPAA’s updated rules. Of those respondents who did know of the new rulings, only 58 percent said they have a HIPAA compliance plan — a required task!*
The 2013 HIPAA updates, which are affected by the Health Information Technology for Economic and Clinical Health Act, increased penalties for privacy and security violations up to $1.5 million per year, forced business associates of HIPAA covered entities to abide by certain HIPAA policies, and established new rules for notifying patients and the public of security breaches.
Additionally, the survey team noticed a trend suggesting billing companies may be doing better with compliance compared to medical practices, and that there is a consistent information gap between management and staff when handling HIPAA compliance measures.
Survey Results Overview
The survey of more than 1,100 healthcare professionals revealed several areas of concern, including:
As it is, the number of medical workers not abiding by HIPAA policies, often due to ignorance, is enormous. Adding mHealth regulations into that mix can only complicate an already precarious situation. Although HHS is aware of these problems, little seems to be in the works to address them. Mobile health care has an abundance of potential to reshape our knowledge of underlying disease causes while getting people to be proactive about their personal health, but if doctors have their hands tied by an outdated HIPAA policy, or worse, if they are penalized for trying to help their patients with these technologies, everybody loses.
*Editor's note: These results regarding physicians who refer patients to home healthcare reflect what we found in our own 2013 survey of home health workers. We reported our results in multiple articles over a period of weeks. To read them and compare the NueMD survey with our own, go to http://homecaretechreport.com and click on the "Search Articles" tab. Type "HIPAA Survey" into the first search field and click Go.
©2015 by Rowan Consulting Associates, Inc., Colorado Springs, CO. All rights reserved. This article originally appeared in Tim Rowan's Home Care Technology Report (homecaretechreport.com). One copy may be printed for personal use; further reproduction by permission only.