Implications of HIPAA on Hand Held Clinical Applications, Part 3

"The Implications of HIPAA on Hand Held Clinical Applications", written as a three-part series, covers the Health Insurance Portability and Accountability Act of 1996 (HIPAA) legislation for Privacy and Security, the implications of HIPAA on Personal Digital Assistants (PDAs), and real life scenarios and solutions of using PDAs in the healthcare environment.

Part 1 of this series provided a basic understanding of HIPAA legislation and introduced the importance of considering HIPAA implications with the use of new technologies such as PDAs.

Part 2 provided an in-depth look at the way HIPAA impacts the use of PDAs in healthcare. It identified areas where PDAs are vulnerable to security and privacy violations and provided reasonable precautions to avoid the risk of noncompliance. Issues and best practice solutions were provided for transmitting data to the PDA and for ensuring the security and privacy of the data residing on the PDA.

Part 3 of this series looks at scenarios for using PDAs to assist clinicians in patient care, the impact of HIPAA on each scenario, and potential solutions for best using PDAs in compliance with HIPAA regulations.

Part 3 - Scenarios and Solutions of PDA Use

Physician owned PDA

Scenario 1

The physician keeps personal patient schedules, takes notes on patients, and uses a prescription writing tool that prints prescriptions via an infrared port.

In evaluating this scenario, the implications of the HIPAA security and privacy regulations should be reviewed first. The physician's activities, as described, indicate that the information is stored on the physician's personal device as a product of his or her own knowledge; it is not downloaded from another source such as a Healthcare Information System (HIS). This makes clear that responsibility for both the security and the privacy of such data rests with the physician. The HIPAA regulations would then require that the physician take reasonable and prudent steps to protect any protected health information (PHI). In this instance, it is assumed that although the schedule may not contain sufficient information to breach the privacy of the patient, the patient notes and prescription information would. Based on this assumption, a number of precautions should be employed by the physician. First, the data should not be available without use of an individual ID and password. Second, the PDA should have a lockout that requires re-entry of that password on a predetermined schedule. The physician should also ensure that the PDA is stored in a fashion that does not allow inadvertent access by any other party not directly involved in the care of the patient.

When evaluating the risk associated with the use of the infrared port, it should be noted that there is minimal exposure to the data being 'picked up' by another device, because an infrared signal can only be received over a short distance from its source. The risk in the prescription writing activity instead lies in how the data is managed from the printer to the hands of the patient. As these types of activities continue in the future, it will become critical for the physician and their staff to recognize that the data now sitting on the printer is protected and must be handled in a secure fashion.

It is not the intent of the HIPAA regulations to interfere with safe, quality care of the patient, but instead to ensure that the data used in that care is disclosed in an appropriate manner. In this particular scenario, the physician can use an ID and password, store their PDA with awareness of who can access it, and assist their staff in evaluating and correcting where PHI is 'lying around' in their office environment.

Physician owned PDA

Scenario 2

The physician synchronizes to the ADT and Lab system with a hospital provided application to view patient demographics and recent lab results.

In scenario 2, the data, which is being viewed by the physician, originated from the hospital provider system. This data is considered to be PHI and requires appropriate privacy and security precautions. The first assumption one would make is that the data is being utilized for the treatment or billing of the patient and is an appropriate disclosure in accordance with the HIPAA regulations. Given that the disclosure is appropriate, as in scenario 1, it now becomes imperative that the data is secure in the physician's PDA.

Synchronization transfers information from the enterprise databases to the PDA. The data that will be utilized by the PDA application is retrieved from the enterprise database and stored on the PDA. For example, in this scenario involving a patient management application that allows physicians to view recent lab results, the patient's demographics and lab results will be stored on the PDA. Appropriate measures should be put in place to ensure that the physician and their device are authorized to retrieve this patient information during the synchronization process. This requires user authentication and a validation that the device being synchronized belongs to this user. Another concern is that once the data has been downloaded onto the PDA, precautions must be taken to ensure that the device is secure from access by others not involved in the patient's treatment or billing. By using a combination of user and device validation, devices cannot be synchronized without the proper user authentication, and a compromised user ID cannot be used without the matching device. An audit trail of who synchronized with what data should also be maintained.
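The combination of user authentication, device-to-user binding, and an audit trail described above can be illustrated with a small sync-authorization check. The following Python is an added example written for this article, not code from the authors or from any hospital synchronization product; the class and function names (SyncGateway, register_device, authorize_sync, demo_gateway) and the user, device and data set values are constructed for illustration.

```python
"""Added example: authorize a PDA synchronization request by checking
(1) the user's credentials and (2) that the requesting device is registered
to that user, recording every attempt in an audit trail.
All names and sample records here are hypothetical/constructed."""
import datetime
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are not reversible if the store leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class SyncGateway:
    """Hypothetical enterprise-side gate in front of the ADT/Lab sync service."""

    def __init__(self):
        self.users = {}       # user_id -> (salt, password_hash)
        self.devices = {}     # device_id -> user_id the device is registered to
        self.audit_log = []   # append-only record of every sync attempt

    def add_user(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, _hash_password(password, salt))

    def register_device(self, device_id: str, user_id: str) -> None:
        """Bind a physical PDA to exactly one user (device ownership validation)."""
        self.devices[device_id] = user_id

    def _record(self, user_id, device_id, outcome, data_sets) -> None:
        # Who synchronized (or tried to), from which device, which data, and when.
        self.audit_log.append({
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "user": user_id,
            "device": device_id,
            "outcome": outcome,
            "data": list(data_sets),
        })

    def authorize_sync(self, user_id, password, device_id, data_sets) -> bool:
        """Return True only when both the user and the device check out."""
        record = self.users.get(user_id)
        if record is None:
            # Unknown user: still do the hashing work so timing does not reveal
            # which user IDs exist.
            _hash_password(password, b"\x00" * 16)
            self._record(user_id, device_id, "denied: bad credentials", data_sets)
            return False
        salt, stored_hash = record
        if not hmac.compare_digest(stored_hash, _hash_password(password, salt)):
            self._record(user_id, device_id, "denied: bad credentials", data_sets)
            return False
        # A valid password alone is not enough: the device must be the one
        # registered to this user, so a leaked user ID is useless elsewhere.
        if self.devices.get(device_id) != user_id:
            self._record(user_id, device_id, "denied: device not registered to user", data_sets)
            return False
        self._record(user_id, device_id, "allowed", data_sets)
        return True


def demo_gateway() -> SyncGateway:
    """Constructed sample setup: one physician with one registered PDA."""
    gw = SyncGateway()
    gw.add_user("dr_example", "correct-horse-battery")   # constructed credentials
    gw.register_device("pda-0001", "dr_example")         # constructed device ID
    return gw


if __name__ == "__main__":
    gw = demo_gateway()
    print(gw.authorize_sync("dr_example", "correct-horse-battery", "pda-0001", ["ADT", "Lab"]))
    print(gw.authorize_sync("dr_example", "correct-horse-battery", "pda-9999", ["Lab"]))
    for entry in gw.audit_log:
        print(entry["outcome"], entry["user"], entry["device"], entry["data"])
```

The second call in the usage block models the case the text singles out: the correct user ID and password presented from a device that is not registered to that user is refused, and the refusal itself lands in the audit trail alongside the successful sync.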

As health care organizations continue to support clinicians with this type of information, it becomes imperative that the security precautions are in place and understood by those to whom the data is disclosed. Again, reasonable and prudent judgment should be used and the clear intent to in no way obstruct care be foremost in the decision-making process around the data disclosure in the future.

Hospital provided PDA

Scenario 3

Physicians are provided standard reference tools, medical calculators, hospital provided applications that synchronize with patient demographics, scheduling, Lab, Radiology and Pharmacy systems as well as applications for note taking and prescription writing.

As one evaluates this scenario, it is apparent that the information being provided is PHI and is subject to the HIPAA regulations. First, it should be determined that all the information being disclosed is being used for treatment and billing of the patient. Should the disclosure meet those criteria, then the disclosure is appropriate. The same precautions as above are required for user authentication, validation of device ownership, and security of information. There is no need to be concerned with the provision of reference tools or calculators, because those tools do not contain PHI.

Following the very strict (black and white) interpretation of the privacy regulations, responsibility for data management and for ensuring the security of information resides with the hospital. Given the difficulty of managing information that is now out of the hospital's control, careful consideration should be given to continuing this practice.

Conclusion

PDA use is growing because of its portability, easy storage and access to information. HIPAA Privacy and Security legislation will affect how providers use PDAs. The challenge to use PDAs within the Security and Privacy boundaries set by HIPAA can and must be met.

It is imperative that clinicians understand HIPAA standards, and the effects these standards have on their environment. HIPAA must be considered whether assessing current applications or looking for new products.

Join a discussion about this article

If you would like to join others in chatting about this article or sharing a similar experience, join our discussion board at this thread: www.pdamd.com/vertical/forums/read.php3?num=5&id=285&loc=0&thread=285

Healthlink Authors

Liz Johnson, Executive Vice President, National HIPAA Practice Leader Liz.Johnson@healthlinkinc.com.

Liz Johnson is Healthlink's Executive Vice President and National Practice Leader for HIPAA. Ms. Johnson is a talented author and an extremely dynamic speaker on any level. As a nationally recognized HIPAA expert, she has shared her in-depth knowledge of HIPAA in over 200 presentations across the nation. A partial list of her national HIPAA speaking engagements includes ACHE, CHIM, CHIME, TEPR, RX2000 and HIMSS. Additionally, Ms. Johnson has directed numerous HIPAA consulting engagements, including readiness assessments, offices of project management, HIPAA planning and training.

With over 25 years of healthcare experience, the last 15 serving in executive positions throughout provider organizations, Ms. Johnson understands provider operations from every perspective, and the role IT plays in enabling best practices to be deployed by healthcare providers. Ms. Johnson has served on the Adjunct Faculty at the University of Texas at Arlington and the Texas Women's University. She is currently an Associate of the American College of Healthcare Executives and a member of HIMSS.

Susan Rivers, Service Line Coordinator Susan.rivers@healthlinkinc.com.

Susan Rivers' background in healthcare information systems has been in working with consultants to provide marketing and operational support to clients. In her role with Healthlink as Service Line Coordinator, she provides product and marketing research, documentation support, and service line content for marketing publications.

About Healthlink

Healthlink is the largest privately held services company dedicated to the healthcare information technology industry. Healthlink delivers unmatched expertise in enterprise business and clinical processes, technology integration and implementation, and customized healthcare applications to the healthcare community. This expertise results in total solutions for managing and enhancing healthcare services through technology and process improvement. Healthlink has working relationships with more than 400 leading hospitals and Integrated Delivery Networks (IDNs) nationwide. Responding to the current federal and state legislation affecting healthcare organizations, Healthlink is helping our clients realize cost efficiencies and achieve overall improved quality patient care. Healthlink has worked across the nation for organizations including: large IDNs, academic medical centers, community-based health systems, public hospitals and private not-for-profit organizations. For more information on Healthlink and its services, visit www.healthlinkinc.com.