HIPAA and Mobility

What the new regulations mean for the healthcare industry

The Health Insurance Portability and Accountability Act (HIPAA) provides federal regulations regarding the privacy and security of patient data, as well as standardized formats for exchanging electronic information. Healthcare organizations were required to comply with the privacy rule by April 2003 and must comply with the security rule by April 2005. These deadlines pose a unique challenge to the healthcare industry, where unregulated PDAs are used by doctors in great numbers.

Although mobile computing technology has been adopted quickly in the healthcare industry, handheld devices have mostly remained personal devices, unsupported by the institutions. While most institutions have implemented only what is strictly required, this mandatory technological revamp is the perfect opportunity to implement and deploy mobile solutions that can truly improve long-term efficiency, productivity, and the quality of the healthcare services they provide.

High usage of PDAs in healthcare

The Health Information Management Systems Society (HIMSS) recently published the results of a survey in which 72 percent of responding medical practices had at least one physician who had used mobile computing for business purposes. These numbers demonstrate a very high usage rate within the healthcare industry, but, unlike most other enterprise technologies, PDAs have often been brought into the workplace by the workers themselves. This has allowed very widespread, rapid adoption of the technology, but has not given healthcare organizations any time to adjust. In the meantime, HIPAA compliance efforts have drained budgets and manpower that would normally be used to help with this adjustment, which has caused many organizations simply to ignore mobile computers for now. While that may be a legitimate option for some, the prevalence of the technology within their own organizations requires that the issues created by PDAs be addressed immediately in order to comply with HIPAA privacy and security regulations.

The PDA: a potential liability

The basic problem is that if a device is personally owned by a physician who happens to take patient-related notes or dictation on it, then the hospital has a potentially severe HIPAA liability: protected health information is now stored on hardware the institution does not control. Because the device is personally owned, the hospital might not even be aware of how the physician is using it. Unfortunately, some organizations have gone so far as to ban mobile devices completely, but that prevents the use of many highly beneficial time-saving applications.

Recommended strategies

I recommend the following strategies to healthcare organizations and institutions:

  • Centralized security and auditing policies for mobile and wireless devices should be implemented, possibly including such methods as power-on passwords, encryption of data stored on the device, data self-destruct (wipe) mechanisms upon breach or repeated failed logins, and biometric fingerprint authentication mechanisms (Fig. 1).

    Fig. 1. Fingerprint identification for biometric authentication.

  • Usage guidelines should be developed and issued that offer limitations on the type of functions that can be performed on the device, as well as on the type and format of any data stored on the device.

    Fig. 2. Procedure entry screen for health information system.

  • Maintenance and support should be offered centrally for mobile and wireless hardware and software, so that handheld devices never have to be handed to third parties for service.
  • Wireless networks should not be installed or maintained by anyone other than authorized IS personnel, and must at least offer authentication and encryption technologies.
  • Procedures and mechanisms for reporting lost or stolen devices should be implemented, so that access from a stolen device to all wireless networks and databases can be blocked.
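The first recommendation above (power-on password, encrypted storage, self-destruct on repeated failed unlocks) can be illustrated in code. The following is an added example written for this page, not software from the article or from any vendor it mentions; the class name HandheldStore, the attempt limit of five and the sample note are assumptions. It derives the storage key from the power-on passphrase with PBKDF2, never keeps the key at rest, authenticates every record with an HMAC, and wipes all stored data once the failed-unlock threshold is reached. The cipher is a counter-mode keystream built from HMAC-SHA256 so that the example runs with the Python standard library only; a real device should use AES-GCM or another vetted authenticated cipher in its place.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the article).
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5          # wipe the device after this many bad passphrases


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn the power-on passphrase into a 256-bit key; the salt lives on the device."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode. Use AES-GCM in production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class HandheldStore:
    """Encrypted note store guarded by a power-on passphrase with a self-destruct counter."""

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        key = derive_key(passphrase, self.salt)
        # Store only a verifier of the key, never the key itself.
        self.verifier = hmac.new(key, b"unlock-verifier", hashlib.sha256).digest()
        self.failed_attempts = 0
        self.wiped = False
        self.records = {}   # name -> (nonce, ciphertext, tag)

    def wipe(self) -> None:
        """Self-destruct: discard every record and the material needed to unlock."""
        self.records = {}
        self.salt = b""
        self.verifier = b""
        self.wiped = True

    def unlock(self, passphrase: str):
        """Return the storage key for a correct passphrase, None otherwise; wipe after too many failures."""
        if self.wiped:
            return None
        key = derive_key(passphrase, self.salt)
        candidate = hmac.new(key, b"unlock-verifier", hashlib.sha256).digest()
        if hmac.compare_digest(candidate, self.verifier):
            self.failed_attempts = 0
            return key
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wipe()
        return None

    def store(self, passphrase: str, name: str, plaintext: bytes) -> bool:
        """Encrypt-then-MAC a record under the unlocked key. Returns False if locked out."""
        key = self.unlock(passphrase)
        if key is None:
            return False
        nonce = os.urandom(16)
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        self.records[name] = (nonce, ciphertext, tag)
        return True

    def read(self, passphrase: str, name: str):
        """Return the decrypted record, or None if locked out, missing, or tampered with."""
        key = self.unlock(passphrase)
        if key is None or name not in self.records:
            return None
        nonce, ciphertext, tag = self.records[name]
        if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
            return None
        return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


if __name__ == "__main__":
    # Constructed sample note; not real patient data.
    dev = HandheldStore("correct horse battery")
    dev.store("correct horse battery", "rounds", b"Bed 4: review labs at 14:00")
    print(dev.read("correct horse battery", "rounds"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        dev.unlock("guess")
    print("wiped:", dev.wiped, "records left:", len(dev.records))
```

Every read and write goes through unlock(), so a wrong passphrase during normal use counts toward the wipe threshold just as a bad power-on attempt does; a lost device that is being guessed at destroys its own contents after five tries regardless of whether the attacker can reach the network.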
