There are many HIPAA considerations when deciding to integrate mHealth into a practice. One is the piece of equipment that is being used to engage in mHealth: the smartphone or tablet. All three Security Rule standards apply to the use of this technology in a practice, where the CE is expected to employ them “appropriately and reasonably.” For example:
- Administrative: Who has access to the device? Is there a procedure for signing out and signing in the device for use by staff? Is there a Contingency Plan for a lost or stolen device, such as having “remote wiping” software installed that can erase all ePHI if the device cannot be located?
- Physical: Where are the devices stored when not in use and are they under lock-and-key? How are the devices disposed of if they are deemed obsolete or non-functional?
- Technical: Are the devices password protected? Do staff have unique logins and password credentials to access the device and associated applications (“apps”)? Can activity on the device or in the apps be audited to determine who accessed and altered ePHI, and when?
Mobile Health Applications
Mobile health applications, or apps, have become increasingly popular for use by clinicians. Some apps offer solutions for scheduling appointments and managing a practice, whereas others are more clinically oriented and are used as adjuncts to therapy. Both types of apps can be used by patient and doctor alike, and each type has the potential to collect, store, and transmit ePHI. Thus, the standards of the Security Rule apply to apps just as they do to other technology.
When deciding whether to use an app, it is appropriate not only to consider how the app aligns with the Administrative, Physical, and Technical standards of the Rule, but also to ask the following questions:
- Does the app creator have a privacy policy for how the app handles data?
- What data are collected by the app?
- Does the app purport “HIPAA compliance,” and does this require a Business Associate Agreement (BAA) with the vendor?
- Are personal data de-identified?
- Can the clinician or patient opt-out of data collection?
- Can data be deleted within the app?
- Are cookies placed on the mobile device where the app is stored?
- With whom are data from the app shared? What data are shared? Can the user control whether data are shared, and with whom?
- Are data maintained locally, on the mobile device, or does the app also send data to “the cloud” for remote storage?