Experts warn that healthcare companies must implement mobile platforms and BYOD programs in HIPAA compliant ways, and offer best practices.
Mobile solutions and BYOD programs can help U.S. healthcare organizations provide cost-effective and technologically robust solutions for patient care, but the technology must be implemented in a HIPAA (Health Insurance Portability and Accountability Act) compliant environment.
I recently spoke with Paul McRae, director of healthcare solutions at AirWatch by VMware, and Dave Packer, vice president of product marketing for Druva, to do a "yearly check-up" on what's happening with HIPAA, mobility, and BYOD.
Data breaches fuel concerns about HIPAA compliance
"Probably the most notable change in our line of business is that we're finally starting to see healthcare systems begin to look at the mobile platform as a true workflow tool," McRae said.
He is also seeing the adoption of BYOD. One of the things you need to take into consideration, he said, is what type of data resides on the device.
"If you look at some of the EMR (electronic medical record) companies, their perception is that as long as I keep the data in a secure location and accessible from a mobile device, I don't have to have the data on a mobile device," McRae said.
"Essentially, the logic behind it was that in most systems the margins were too thin to buy an enterprise-provided device," McRae said. "So they said if you want access to these things, email, content, whatever that may be, using the internet on a WiFi basis, you need to enroll your device. BYOD was how it was discussed and generally adopted across healthcare as a whole, from the larger multi-state, multi-site IDNs (healthcare integrated delivery networks) all the way down to individual clinics and such."
Packer said that he's seen a growing awareness about mobility and HIPAA in the last year because of the high-profile hacks that have made the headlines. One of the high-profile hacks he cited was the breach at Anthem, the health insurance provider.
Developing a HIPAA roadmap for mobile solutions
"Our goal is to say that we support your HIPAA compliant strategy," McRae said. "That's really the linchpin of the discussion. If you look at what's required to implement a mobile strategy or leverage mobile solutions within an environment, you really need to have the wherewithal to implement a HIPAA compliant program."
The biggest component of a mobile HIPAA strategy is developing a roadmap and a compliance program that says these are the things that must be adhered to in order to have access to this information, McRae said.
"We've seen for the last 2 or 3 years, HHS (the U.S. Department of Health and Human Services) really makes it very painful for hospital systems as they set off into sourcing this information to anyone and everyone who has access to it. Other systems where they've had troubles with doctors that are a lot smarter technology-wise now, that punch holes in the back of the server. There is no perfect solution, but what we do with our platform is that we are a supplement to your compliance strategy."
"I look at it more from the aspect of, the economics of healthcare have changed so much, not only to the degree that there are more patients going in, so more volume; the clinical ecosystem is now extended across multiple environments, so now it's not just your hospital and your doc with the black bag," McRae said.
"So you have to be cognizant of how and when and where the data is being used, and I think it starts with a really good, strong structure and strategy around the policies and the behavior that you still support within your environment."
"Same thing goes with what we're seeing with secure messaging, which is one of the earlier use cases that we're seeing a lot of traction in," McRae said, "which is that if we don't provide a tool set to the doctors, they're going to pretty much do whatever the heck they want to do."
"I've given you the tool, if you step outside the tool and do bad things there could be liability on your back, and really that's all you can do," McRae said about how healthcare facilities are defining HIPAA liabilities.
User education is key
Packer recommends formalized education programs to improve enterprise mobility in HIPAA compliant environments. In particular, he said, "I think when you look at what's going on out there today, if you really think about it, it's mostly human error. It's causing the problem. Technology is a Band-Aid or it's a tool, but the tool in the wrong hands... You'd build a house and you'd have a bunch of broken wood. You put it into the hands of somebody who's well educated and they do what they need to do or what those processes are. I think that's where I see we lack today."
"You'll see this happens, it's not just HIPAA, it's not just PHI (protected health information) data and stuff like that," McRae said. "It's happening across the board in enterprises and in a lot of different dimensions." The remedy is better education programs, so that the people who actually are interacting with your own data will know what they should and shouldn't be doing.
He also recommended extending education out to doctors and partners. McRae said healthcare institutions need to have better contracts in place too, for identification and for how risk is applied to organizations and individuals.