Experts: mHealth poses privacy challenge
January 9, 2013 in Medical Technology
Despite the potential of mobile healthcare, experts say they worry about the added risks of security breaches, privacy violations and other concerns that come with the increasing use of mobile technology.
Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society (HIMSS), says the biggest privacy concern with the use of cell phones in healthcare is lost or stolen phones that contain unencrypted patient data.
Erin McAlpin Eiselein, an attorney and a partner at Davis Graham & Stubbs LLP in Denver, says one of the primary concerns for physicians engaging in mHealth is maintaining the privacy of patients' electronically stored protected health information, or “ePHI.”
“There are federal and state laws governing ePHI privacy and substantial penalties can be imposed for even inadvertent violations of these laws,” Eiselein warns.
“In addition to privacy, the other main concern for physicians engaging in mHealth is security. The federal government requires all ePHI to be secured in a manner that protects it against unauthorized access. This requires physicians to take steps such as using passwords and encrypted files to protect ePHI,” Eiselein says. “Often, devices such as iPhones, BlackBerrys, and iPads and the apps that physicians are using on those devices are not compliant with the security standards. Physicians who electronically store information directly on their smartphones have the greatest risk of running afoul of these privacy and security laws. Simply losing a smartphone can have important and expensive consequences.”
In the past couple of years, the federal government has very clearly put the healthcare community on notice that it is increasing its enforcement efforts in this area, according to Eiselein. The Department of Health and Human Services Office of Civil Rights (OCR) has issued a document called HIPAA Security Guidance stating that physicians and other covered entities should be “extremely cautious” about allowing remote or mobile access to ePHI. Enforcement has moved to the state level as well, and state attorneys general now have the authority to enforce HIPAA. In fact, the OCR is providing HIPAA enforcement training to state attorneys general in order to further this goal.
Twila Brase, president of Citizens’ Council for Health Freedom in Saint Paul, Minn., says patients have to be aware. “They need to think about how powerful the information is on a phone,” she says. “My concern is that patients will think only of the convenience and won’t think about the cost of their current privacy or their privacy in the future.” She warns patients who choose to use a health app to make sure they can shut off the app should they decide not to participate any further in using it with their physician.
“There are always potential benefits to technology, but it matters who’s in control. If the patient loses control, then I think they have to question the benefits,” Brase says.
John Halamka, MD, CIO of Beth Israel Deaconess Medical Center, warns in his blog that security will have to move beyond policy-based controls to technology-based controls that may cost up to $10 per device per month. At Beth Israel, where more than 1,000 mobile devices are in use, that could mean a $150,000 per year increase in operating expenses to protect consumer devices brought from home.