Developers, users and patients--already confused about the privacy and security standards under the Health Insurance Portability and Accountability Act (HIPAA) and what they mean for mobile technology--are now more confused with the release of the U.S. Department of Health and Human Services' Omnibus Final Rule.
To clear up the confusion, Zachary Landman, M.D., chief medical officer at DoctorBase, an mHealth-as-a-service provider, debunked common myths about HIPAA in an mHealthNews article. Here are five:
1. HIPAA doesn't apply to me because I'm not a medical provider or part of a healthcare institution. Landman pointed out that the Omnibus rule now extends enforcement to any business or vendor that "creates, receives, maintains or transmits personal health information (PHI)."
2. HIPAA applies to all health data. Actually, it applies only to data held by a patient's physician or care team, Landman explained. So if you record your weight and diet in an app and don't share it with a physician, HIPAA doesn't apply.
3. Data is secure, so that means it's private. Data in transmission must be strongly encrypted, or it is exposed to third-party attacks, such as those involving stolen laptops, Landman said.
4. Being HIPAA-compliant is only an IT problem. It's everyone's problem, Landman said--something as small as putting a note with your username and password on your monitor is a HIPAA violation.
5. A smartphone's PIN makes it secure. PINs are too easy to crack, plain and simple, he said.
While Monday was the first day on which healthcare organizations and their business associates were required to be in compliance with the HIPAA omnibus rule unveiled in January, the U.S. Department of Health & Human Services is already making exceptions and delaying certain aspects of the rule.
An announcement from HHS states that the Office for Civil Rights (OCR) will delay its enforcement of the requirement that "certain HIPAA-covered laboratories revise their notices of privacy practices (NPPs) to comply with the modifications made to the HIPAA Rules published in the Federal Register on January 25, 2013, commonly known as the 'Omnibus Rule,' until further notice."
OCR, earlier this month, estimated that healthcare organizations will spend 32.8 million hours complying with the modified HIPAA omnibus rule.
To learn more:
- read the post in mHealthNews