What you need to know about HIPAA and technology
HIPAA is technology-agnostic: it doesn't prescribe specific techniques or technologies an organization must use. It's about ensuring consistent outcomes, relying on hospitals and their staff to figure out the best way to achieve them. Mobile devices are no different in HIPAA's eyes than computers, mainframe terminals, or paper records. HIPAA has three basic requirements to ensure patient information privacy:
- Patients must give consent for their information to be shared with those who provide their care, and that consent must be documented. We've all signed that form at the dentist's, optometrist's, and doctor's offices. (Consent is not required for certain emergencies, such as for the ambulance's medical tech or the doctor who gives you the Heimlich at a restaurant.)
- Access to the patient information must be limited to those who need it for those medical purposes. That means locking paper files at night and restricting access during the day to health providers. For electronic records, it means requiring a password for access and encrypting the data on any client device, including backup media. Most medical providers that use EHR (electronic health records) systems don't store the data on PCs, but instead use VPN-secured Web access so the data is never local (what health care folks call "connected access").
- Changes to the information must be tracked. On paper and in electronic systems, that happens when notes are added by a nurse, technician, or doctor. EHR systems also log any access, such as when someone looks up a name or medical condition; in the paper world, this is rarely done, but it will soon be required in the form of an access log kept in the file, which everyone must fill in each time they open the file. The federal government has mandated the use of EHR systems by most providers (and there are good free cloud-based ones for small offices), so the auditing is increasingly automated in the complex back-end systems where the technological heavy lifting occurs for both vendors and health care IT staff.
The iPad and HIPAA get along great
For the last several years, larger hospitals and county medical systems have been feverishly implementing EHR systems mandated by the federal government (those that don't implement the systems will lose some Medicare reimbursement). It's been a gargantuan effort on the scale of the Y2K fix in the late 1990s and the adoption of ERP in most businesses in the 2000s.
Those back-end systems are now coming online, so health care IT is beginning to turn its attention to the client devices used by medical staff and even patients (such as what they use to fill out their health histories while in the waiting room).
Current deployments use PCs, but they present some real challenges. In the wards, the COWs (computers on wheels) need to be near a power source, which also increases the risk of people tripping as the carts move. And they're more movable than actually mobile. (These aren't issues for the desktops that doctors use in their offices, admin staff members use at their desks, and nurses use at their stations.)
On the technical side, these EHR front ends tend to use Internet Explorer, relying on Java as the client presentation technology. COWs are typically run in kiosk mode so that they can be used only for EHR access, whereas work PCs run a gamut of apps, including IE for EHR access. That raises issues because many health care apps are sensitive to the version of Java used, as well as the version of IE. That has created a nightmare of compatibility issues as different apps use different versions of Java and IE -- a nightmare compounded by Java's ongoing client security flaws. The solution, of course, is to go browser-neutral and either drop Java or rewrite the apps to be non-version-specific -- which costs a lot of money and time.
Here's where the iPad comes in.