The healthcare industry is only one of many fields that has begun using mobile applications and other technology to improve communications and the use of data. Many American biobanks, for instance, are now investing in software that allows them to manage and share the more than 300 million tissue samples in their systems, increasing the chances the information can be used to create new therapies and treatments.
As interesting as this is, however, you will likely be more familiar with how doctors are using mobile apps and technology to interact with their patients and promote healthier choices. Whether your doctor has recommended that you buy a Fitbit to help you track your exercise or you have noticed your doctor jotting something down on Evernote, there is no doubt that smart technology is becoming a common tool for people concerned with their health. But what if those devices and apps fell under the protection of the Health Insurance Portability and Accountability Act (HIPPA)? Would this change how we were able to use them, or even how they were created?
HIPPA is designed to safeguard protected health information, or PHI. PHI is defined as information that must be personally identifiable data, which is created, used or disclosed during the process of health care, such as a diagnosis or treatment. For this reason, covered entities, which include doctors, clinics, and insurance companies, are naturally required to be compliant with HIPPA standards. However, following an update in September 2013, people or entities that perform certain functions or activities which assist covered entities are also subject to HIPPA. As a result, application developers may fall into this group without even being aware.
Take Evernote as an example: if a patient uses the app to take notes on their diet, exercise, medication or other information and then shares the information with their physician to help them make changes, the app is technically being used for PHI and must be HIPPA compliant, even if it was not intended for that purpose. This would require the application developers to adhere to a number of physical, technical and administrative safeguards to avoid substantial penalties.
But following these guidelines isn’t as easy as it might sound. While other data security standards, such as those for payment cards, specifically list what individuals and businesses must do to be compliant, HIPPA generally requires entities to follow certain steps where “reasonable and appropriate.” This makes it difficult to determine which steps should be followed in different situations. To make matters worse, there is no official certification for HIPPA compliance, which means companies cannot be recognized as adhering to the standards. Thus, even accidental violations will likely only be discovered if the entity is audited by the U.S. Department of Health and Human Services, the same group that imposes the fines.
In response to this uncertain terrain, application developers are turning to a number of different options to ensure their products are HIPPA-compliant. Many are choosing to hire services like TrueVault, a protected database that has been designed to meet HIPPA standards. Similarly, companies like Google and Apple have begun designing their own usage terms, protocols and policies to keep PHI off of their databases; the App Store even states it will reject apps that attempt to use the HealthKit programming interface to store users’ health information on iCloud. Unfortunately, this can make it difficult for developers who use APIs like Google and Apple to create health-based apps that are HIPPA-compliant.
Currently, applications developers, healthcare providers, and policy experts are trying to determine the best ways to ensure modern technology follows security standards set for medical information. How can compliance be shared between databases and companies, for example? How can users be protected? The answers aren’t always clear or easy. But as apps and devices continue to appear, the need for new decisions and innovation is clear.