The HIPAA Conundrum in the Era of Mobile Health and Communications

C. Jason Wang, MD, PhD; Delphine J. Huang, MS


In January 2013, the US Department of Health and Human Services released the Omnibus Final Rule (Final Rule).1 The final rule significantly modified the privacy and security standards under the Health Insurance Portability and Accountability Act (HIPAA). These new regulations were driven by a perceived need to ensure the confidentiality, integrity, and security of patients’ protected health information (PHI) in electronic health records (EHRs) and other formats. The final rule addresses these concerns by expanding the scope of regulations and increasing penalties for PHI violations.

The final rule was mandated by the $25.9 billion Health Information Technology for Economic and Clinical Health (HITECH) Act, which aimed to encourage the development of interoperable health information technology (HIT) and health information exchanges.2 The final rule redefined which organizations would be covered under HIPAA. Originally, HIPAA only applied to “covered entities,” which include “health care providers who conduct health care transactions electronically, health plans and health care clearinghouses”1; the final rule expanded HIPAA compliance to include any vendor that “creates, receives, maintains or transmits PHI.”1 Thus, many businesses, including data transmission and cloud server providers such as Amazon Web Services and Rackspace, are now considered “business associates” of covered entities and are required to comply with all of the HIPAA security rules and some of the HIPAA privacy rules.3 More importantly, a business associate now can be held civilly and criminally liable.

Navigating these new mandates may pose administrative and technical challenges for covered entities and for business associates. The Department of Health and Human Services has estimated that the cost of implementation ranges from $114 million to $225 million in the first year and approximately $14.5 million each year thereafter.1 Many companies, however, maintain that the amount reported by the Department of Health and Human Services significantly underestimates the actual compliance costs.4 This conundrum is particularly true for mobile health companies in a rapidly expanding HIT industry. Although there is much interest in potential partnerships between innovative companies and health care organizations to leverage new mobile technologies (eg, smartphones, tablets, mobile monitors), the final rule may impose an unfunded mandate for organizations, which ironically may impede adoption of innovation in mobile health.

TECHNICAL AND IMPLEMENTATION CHALLENGES

In theory, HIPAA-compliant organizations can take “reasonable steps for adequate PHI protection” that are appropriate to their circumstances, depending on the size, function, and need.3 In practice, organizations find this guidance too vague and often implement numerous security controls (eg, PIN numbers, encryption, accessibility controls) to ensure HIPAA compliance. Moreover, business associates are now required to secure PHI content that may be stored in servers or transmitted over the Internet, even though they may not have direct access to the PHI (as is the case, for example, with data storage companies).

Furthermore, actual security will rely on the user’s behavior. Although security technologies exist, their implementation in personal mobile devices that access PHI can be especially difficult; many physicians and patients use their own unsecured personal devices to access EHRs. A recent report showed that from September 2009 to December 2012, 53.4% of HIPAA breaches were attributable to loss or theft of unencrypted computers or portable electronic devices, exposing the PHI of more than 8.4 million people.

ADMINISTRATIVE AND REGULATORY BARRIERS

Although the technical challenges can be overcome, the most important hurdles may come from costly, time-intensive efforts needed to comply with regulations on data protection. Previously, a breach did not occur unless significant risk or harm to an individual was demonstrated. The final rule significantly modified this definition to “presume” that PHI is breached whenever there is an improper use or disclosure of unsecured PHI, unless the organization is able to prove a low risk for PHI compromise.1 All organizations are required to perform a risk assessment of their security safeguards. The National Institute of Standards and Technology created the HIPAA Security Toolkit, which guides organizations on how to assess their operational security. However, this self-help guide is often insufficient for most organizations that handle PHI, especially those in the mobile sphere that cross state lines and are subject to different state regulations. Therefore, employing HIPAA consultants to certify an organization’s electronic infrastructure and draft protocols is becoming the norm. Depending on the size and complexity of the organization’s involvement with PHI, the annual review can be costly.

LEGAL CHAIN OF ACCOUNTABILITY, COSTS, AND PENALTIES

The final rule creates a chain of accountability that includes the covered entities as well as their business associates and any downstream subcontractors. Every organization is responsible for the actions of any partnerships that work with them. As a result, covered entities seek to prevent liability from any vendor by mandating stringent technical and liability requirements that shift the risk of penalties onto the business associates. Many business associates will also try to impose the same obligations on their own subcontractors; however, some subcontractors, especially large service providers (eg, Internet transmission companies), may refuse to accept any liability terms. Less established business associates may find themselves trapped by these complex and time-consuming negotiations with covered entities and other business associates—negotiations in which impassable requirements from the various stakeholders can lead to outright failure of any deal.

In addition, because of poor guidance on how to become HIPAA compliant, many companies may not realize that they have violated HIPAA until they are penalized. The tiered penalties can be as high as $1.5 million annually,1 creating further disincentives likely to deter innovation in health care before it even begins.

EVOLVING TECHNOLOGICAL USE OF PHI

A primary goal of the HITECH Act is to support “meaningful use” of EHRs and promote accessibility, accuracy, and patient empowerment.2,6 Many innovative companies are developing new ways of accessing and analyzing health records, such as those using Big Data analytics for precision medicine. Yet control over patient data has become a contentious issue. In the face of the final rule, smaller businesses may not have enough resources to compete with large, established EHRs in signing business associate agreements with covered entities or other vendors. As a result, improvements of large EHR systems may become even slower.

Moreover, HIPAA was originally designed to regulate more traditional frameworks such as EHRs. Yet the mobile HIT landscape is rapidly evolving, with new innovations on the horizon. Smartphone applications and wearable remote devices that have diagnostic capabilities are becoming readily available, allowing patients to transmit information, such as electrocardiographic abnormalities or elevated blood glucose levels, directly to a physician. Recently, there has been interest in devices that move beyond telephones and computers, such as the potential for Google Glass to quickly access medical records and improve health communications. Moreover, as individuals gain more sovereignty over their own health data, they also may perceive the use of passwords and log-off features as a nuisance if they do not see some of their health information (eg, exercise data, weight) as sensitive.

CONCLUSIONS

In the dynamic digital age, mobile health may transform health care and health promotion. Justifiable concerns over the sufficiency of HIPAA protections have led to the expansion of regulatory measures for electronic PHI. Striking a delicate balance between protecting patient privacy and unleashing the power of innovation in mobile HIT is challenging and uncharted. The California attorney general called for open dialogue to discuss better integration of mobile innovation and consumer protection. Partnerships, such as the University of California Hastings College of the Law’s Privacy and Technology Project, are bridging the gap between lawmakers and technologists to provide more compatible solutions and informed industry standards. It remains to be seen whether the final rule can achieve its intended goals of protecting patients’ privacy and improving care or if the administrative and legal challenges will impede innovation, particularly for small companies. The Department of Health and Human Services may need to reevaluate and adapt its regulations to keep up with the advent of new mobile technologies and take a more progressive and innovation-friendly approach to privacy and security.