"The Implications of HIPAA on Hand Held Clinical Applications", written as a three-part series, covers HIPAA legislation for Privacy and Security, the implications of HIPAA on PDAs, and real-life scenarios and solutions for using PDAs in the healthcare environment.
Part 1 of this series provided a basic understanding of HIPAA legislation and its impact throughout the healthcare industry. It defined HIPAA compliance for business transactions, security standards and privacy regulations, and introduced the importance of considering HIPAA implications with the use of new technologies, in particular Personal Digital Assistants (PDAs).
Part 2 of this series provides an in-depth look at the way HIPAA impacts the use of PDAs in healthcare.
Part 2 - The Implications of HIPAA on PDAs
There are currently over 500 healthcare-specific applications for Personal Digital Assistants (PDAs). The majority of these applications are for the Palm OS platform, although new applications for the PocketPC are appearing every day. The overwhelming majority of PDA healthcare applications are either reference databases or medical calculators. If these were the only types of applications used, then HIPAA regulations would clearly not apply. However, there are a growing number of applications, both commercial and internally developed, that allow a physician to store, view and interact with patient data on their PDA.
In the simplest form, these applications support patient scheduling or prescription writing. More complex applications include the ability to view laboratory and radiology results, and capture charges. These types of applications certainly involve patient identifiable data and therefore must be evaluated for HIPAA compliance.
The HIPAA security and privacy requirements potentially have a significant impact on how PDAs are used in healthcare. The two key issues are (1) how to protect patient information stored on the device, and (2) how to protect patient information transmitted during a synchronization or wireless transaction.
In addition to all of the standard security issues facing any healthcare application, PDAs are significantly more vulnerable to being lost or stolen. Recent studies have shown that these devices have a 30% loss rate. If these PDAs contain patient data, then the data is at risk. Most PDA healthcare applications that contain patient data utilize user ID/password level security. The user should be required to re-enter their user ID and password every time they enter the application. Ideally the application will also provide a time-out feature that will require re-entering the user ID and password after a period of inactivity. Applications that utilize user IDs and passwords increase the level of security, but often the data stored on the PDA itself is not encrypted. While the casual user may be prevented from accessing patient data by the password protection, someone with reasonable technical skills can easily view the data stored on the PDA. Because the PDA is such a mobile device and the threat of loss very high, it is a necessity that any patient identifiable data stored on the PDA be encrypted.
The control and security of data transmission to the PDA is also of concern. PDAs are by default personal devices. Each comes with its own cradle designed to be connected to a PC and synchronized with personal information. If allowed to synchronize with enterprise applications and the confidential information they contain, then a new method of synchronization should be implemented. There are basically two methods of getting data to the PDA, synchronization and wireless access.
Synchronization transfers information from the enterprise databases to the PDA. The data that will be utilized by the PDA application is retrieved from the enterprise database and stored on the PDA. For example, in the case of a patient management application that allows physicians to view recent lab results, the patient's demographics, room/bed information, and lab results will be stored on the PDA. Appropriate measures should be put in place to ensure that the user and device attempting to retrieve this patient information during the synchronization process are authorized to do so. This requires some kind of user authentication and a validation that the device being synchronized belongs to this user. By using a combination of user and device validation, stolen devices cannot be synchronized without the proper user authentication and a compromised user ID cannot be used without the matching device. An audit trail of who synchronized with what data should also be maintained. Typically, the synchronization security has been built in to the custom conduits provided by the application vendor. Several companies now offer enterprise synchronization servers which allow an organization to control who can synchronize with what data, as well as additional features such as logging synchronization events, audit trails and automated inventory control. The diagram below depicts the synchronization of a PDA application with enterprise applications. In this case the conduit that is running on the synchronization station is responsible for validating the user and device prior to transferring any data.
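The combined user and device check with an audit trail described above can be sketched as follows. This is an added example, not code from the article or from any vendor's conduit; the user name, device serial, dataset names and function names are all hypothetical, and the sample data is constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample enrollment data (hypothetical user, device serial, datasets).
SALT = os.urandom(16)
USERS = {"dr_adams": {"salt": SALT, "pw": pw_hash("correct horse", SALT),
                      "datasets": {"lab_results", "census"}}}
DEVICES = {"PALM-0001": "dr_adams"}  # device serial -> enrolled owner
AUDIT_TRAIL = []                     # production: append-only, tamper-evident store

def authorize_sync(user, password, device_id, dataset):
    """Allow a sync only if credentials, device binding and entitlement all pass."""
    record = USERS.get(user)
    # Hash even for unknown users so timing does not reveal valid user IDs.
    salt = record["salt"] if record else b"\x00" * 16
    supplied = pw_hash(password, salt)
    if record is None or not hmac.compare_digest(supplied, record["pw"]):
        decision = "deny:bad_credentials"
    elif DEVICES.get(device_id) != user:
        decision = "deny:device_not_bound_to_user"
    elif dataset not in record["datasets"]:
        decision = "deny:dataset_not_permitted"
    else:
        decision = "allow"
    # Every attempt is logged, denials included: who tried to sync what, from where.
    AUDIT_TRAIL.append({"time": datetime.now(timezone.utc).isoformat(),
                        "user": user, "device": device_id,
                        "dataset": dataset, "decision": decision})
    return decision == "allow"

if __name__ == "__main__":
    attempts = [
        ("dr_adams", "correct horse", "PALM-0001", "lab_results"),  # legitimate
        ("dr_adams", "guess", "PALM-0001", "lab_results"),          # stolen device
        ("dr_adams", "correct horse", "PALM-9999", "lab_results"),  # stolen user ID
        ("dr_adams", "correct horse", "PALM-0001", "radiology"),    # not entitled
    ]
    for attempt in attempts:
        authorize_sync(*attempt)
    for entry in AUDIT_TRAIL:
        print(entry["user"], entry["device"], entry["dataset"], entry["decision"])
```

The denied attempts matter as much as the allowed ones in the audit trail: repeated `deny:device_not_bound_to_user` entries for one user ID are the signal that a credential is being tried from a device it was never issued with.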
Wireless access to information is of great value in any setting, particularly in healthcare. Without a wireless solution, the information contained on the PDA is only as current as the last time the user synchronized. With a wireless solution, the data can be accessed in real time providing the most current information. This real time access to information also means that significantly less patient data will be stored on the device. Wireless solutions can utilize either a public or private network. HIPAA requires encryption for transmission of data over public networks. However, encryption is optional for networks with access control, such as a secure internal network. For example, the Palm VII, as depicted in the diagram below, utilizes elliptic curve cryptography (ECC) to encrypt communication over Bell South's wireless network. This level of encryption appears to comply with the HIPAA regulations, as long as the path from the Palm.net proxy server to the destination also utilizes encryption. One potential issue is the transition from the encryption utilized for the wireless transaction to the encryption utilized over the Internet. This 'conversion' that occurs at the Palm.net data center is a potential security issue. New technology is being released to further increase the security of wireless transactions by allowing organizations to establish their own wireless VPNs. The use of a wireless VPN will allow PDA users to connect securely from remote locations just as remote users with laptops connect today.
The ownership of the PDA itself is another issue to be addressed. If a physician owns a PDA and keeps patient information on it, who is responsible for ensuring that the information is protected? If the information came directly from a hospital system during synchronization, then it would seem that the hospital has some responsibility. Consider this: if physicians enter the information on their own PDA, how can the hospital have responsibility for protecting the data, and how can this be policed?
Conclusion
PDAs and these associated issues are not "coming soon"; they are here today. It is time to develop strategies and policies regarding the use of these devices. With proper planning and implementation, we can realize the benefits that these devices offer as well as meet HIPAA-imposed requirements.
Some general guidelines to consider:
Part 3 of this series will take a look at scenarios for clinicians using PDAs to assist in the delivery of patient care and each scenario's impact on HIPAA compliance.
Healthlink Authors
Liz Johnson, Executive Vice President, National HIPAA Practice Leader Liz.Johnson@healthlinkinc.com.
Liz Johnson is Healthlink's Executive Vice President and National Practice Leader for HIPAA. Ms. Johnson is a talented author and an extremely dynamic speaker on any level. As a nationally recognized HIPAA expert, she has shared her in-depth knowledge of HIPAA in over 200 presentations across the nation. A partial list of her national HIPAA speaking engagements includes ACHE, CHIM, CHIME, TEPR, RX2000 and HIMSS. Additionally, Ms. Johnson has directed numerous HIPAA consulting engagements, including readiness assessments, offices of project management, HIPAA planning and training.
With over 25 years of healthcare experience, the last 15 serving in executive positions throughout provider organizations, Ms. Johnson understands provider operations from every perspective, and the role IT plays in enabling best practices to be deployed by healthcare providers. Ms. Johnson has served on the Adjunct Faculty at the University of Texas at Arlington and the Texas Women's University. She is currently an Associate of the American College of Healthcare Executives and a member of HIMSS.
Susan Rivers, Service Line Coordinator Susan.rivers@healthlinkinc.com.
Susan Rivers' background in healthcare information systems has been in working with consultants to provide marketing and operational support to clients. In her role with Healthlink as Service Line Coordinator, she provides product and marketing research, documentation support, and service line content for marketing publications.