Mobile health security policies must weigh legal risks as well as privacy
The proliferation of mobile devices in healthcare requires organizations to consider not only the security and privacy issues related to their use, but also the legal risk associated with information contained on them that becomes part of patients' health records, according to an article published this month in the Journal of the American Health Information Management Association.
Author Lydia Washington, director of practice leadership with AHIMA, pointed out that several federal agencies, such as the U.S. Food and Drug Administration, have so far been involved in monitoring the use of healthcare mobile devices. Other groups Washington mentioned were the Federal Communications Commission, the Federal Trade Commission, the Office for Civil Rights and the National Institute of Standards and Technology.
"It is widely accepted that any health information captured or stored by clinicians using either a personal mobile device or one provided by the healthcare organization becomes part of the HIPAA-designated record set if that information is used to make decisions about a patient," Washington wrote. "The same is true when health information that is collected or captured by an individual or patient is transmitted or communicated to a provider who uses it in the provision of care."
Such information then likely is subject to requests for disclosures, subpoenas, and e-discovery. It also could be used in non-clinical applications such as audits, health research, and information reporting. The trick, according to Washington, is tracking and preserving the records on mobile devices.
"The use of mobile devices that access health information and health records, whether personally owned or provided by the healthcare organization, need to be addressed in security risk assessments, litigation response plans, and human resources policies," Washington said.
In January, FierceMobileHealthcare's Sara Jackson advocated having a frank discussion with physicians on how mobile devices can span the personal/professional divide--and not always in good ways. Secure messaging certainly remains an issue--especially as more physicians use smartphones or send emails from unsecured hotspots.
To learn more:
- read the Journal of AHIMA article