mHIMSS Legal and Policy Task Force updates

Lee Kim

mHIMSS recently had the opportunity to submit mHealth-focused comments on the request for comments on Meaningful Use Stage 3 and Consumer Engagement. The comments noted that expanding the umbrella of health information technology beyond EHRs to include other technologies, including mobile and wireless devices, could advance the role of technology in providing quality care.

The Application Privacy, Protection and Security Act of 2013 ("APPS Act") was released, with a focus on the privacy and security considerations for consumers in use of apps.

The Mobile Medical Homeless Health Improvement Act of 2013 was introduced. I recently posted an MMHIA blog policy brief, which highlights how mobile provider visits come at a much lower cost than visits to the Emergency Department.

The FCC posted its new website, www.fcc.gov/health, which lists all of its health-related initiatives and its search for a dedicated healthcare director (two of its mHealth Task Force Findings and Recommendations from September 2012).

Additionally, the Federal Communications Commission held an open meeting on January 31 with an agenda of two items: a report and order to "revise and streamline its rules to modernize the Experimental Radio Service by creating a more flexible environment to accelerate innovation and promote the introduction of new products, including medical devices, to the marketplace," and a presentation on the agency's ongoing work to expand broadband access and spectrum availability for healthcare uses, including a presentation by the Georgia Telehealth Partnership.

The FCC unanimously approved the report and order to revise the Experimental Radio Service, which allows the creation of new licenses for innovators developing medical devices that use spectrum to operate. The order also streamlines FCC rules, consolidating them in one place for ease of understanding, and makes market testing less cumbersome. This action was one of the many recommendations put forth by the FCC's mHealth Task Force. The commissioners' statements are available to the public. It was also noted that the FCC will soon announce a proposed rule regarding the equipment authorization process; the goal is to update the approval process so medical devices can enter the market more quickly. Finally, the commission hosted a telemedicine demo in collaboration with the Georgia Telehealth Partnership.

Of course, we'd be remiss without mentioning the release of the HIPAA Omnibus Rule. The HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement final rules (also called the "HIPAA Omnibus Rule") were released on Jan. 17, 2013, and published in the Federal Register in Volume 78, No. 17. The date for covered entities, business associates and subcontractors of business associates to comply with these amended rules is Sept. 23, 2013. These final rules do not change the original compliance dates for the HIPAA Privacy Rule (April 14, 2003), the HIPAA Security Rule (April 20, 2005) or the HITECH Act interim final rule for breach notification (Sept. 23, 2009).

Under the HIPAA Omnibus Rule, any impermissible use or disclosure of protected health information ("PHI") is presumed to be a breach, and notification is required, unless the entity can demonstrate a low probability that the PHI has been compromised by evaluating the following:

  • The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

If the risk assessment does not demonstrate that there is a low probability that the PHI has been compromised, then the entity must provide notification of the breach.

Specifically with reference to the impact on mHealth, the HIPAA Security Rule (even as amended by the HIPAA Omnibus Rule) still applies no matter what the mobile technology actually is (e.g., form factor, type of device, etc.). The HIPAA Security Rule (also as amended) was designed to be flexible, scalable and technology-neutral. Therefore, regardless of whether your organization issues mobile devices or your organization's personnel use their own mobile devices (i.e., BYOD), the HIPAA Security Rule requirements must be followed. This includes any mobile device (i.e., portable electronic device) that is used to create, receive, maintain and/or transmit electronic PHI ("ePHI").

By the same token, your organization must also comply with the HIPAA Security Rule with respect to network communications (whether wired, wireless, Bluetooth, etc.) to the extent that ePHI is in transit over such networks, and with respect to cloud computing, whether the "cloud" is used for backup of ePHI or for pulling on-demand information, application data and/or applications that contain ePHI.

With increased adoption of mobile technology (including personnel bringing their own devices) come increased threats. In fact, many cybersecurity experts predict that 2013 will be the year of mobile attacks. That is why it is essential for organizations to ensure that:

  • Mobile devices have appropriate anti-malware/anti-virus software;
  • Operating systems are updated and patched;
  • "Rogue" software that leaks data is not downloaded or used;
  • Users do not click on suspicious web links;
  • Encryption is used on the device and for data in transit over wireless networks; and
  • Solutions such as mobile device management software are used.

The foregoing is not an exhaustive list, but rather touches upon significant issues involving mobile device security.

Lee Kim, Esq., is an attorney at Tucker Arensberg, PC. Her practice areas include healthcare, health information technology and intellectual property. She is admitted to practice in Pennsylvania, the District of Columbia and before the United States Patent and Trademark Office as a registered patent attorney. She is currently president-elect of the Western Pennsylvania Chapter of the Healthcare Information and Management Systems Society and Chairperson of the mHIMSS Legal and Policy Task Force.
