Maintaining PHI Security with Specialized mHealth App Usage

Executive Summary

Came across a great article written by Elizabeth Snell that we are sharing below on the topic of maintaining privacy and security. 

New studies stress the need to maintain personal health information in light of the increased use of specialized health care mobile messaging apps. Providers must ensure that patient privacy is a priority.

The HIPAA Security Rule does not require “specific technology solutions when it comes to mobile device technical safeguards,” instead requiring “reasonable and appropriate security measures be implemented.”

The HIPAA Security Rule is also “flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments.”

While secure messaging apps help connect patients with healthcare professionals, patient privacy and potential vulnerabilities must be considered first.

Contact Person: Elizabeth Snell, esnell@xtelligentmedia.com, Health IT Security

We are interested in generating some discussion on this topic in our Global Healthcare Innovation Community. Please visit this space to join the conversation.

Maintaining PHI Security with Specialized mHealth App Usage

Secure messaging has the potential to aid groups of patients in receiving proper care, but PHI security cannot be overlooked in the process.


By: Elizabeth Snell 

August 23, 2017 - Healthcare secure messaging is an increasingly popular way for clinicians to communicate with patients, even offering patients the chance to better manage chronic conditions. PHI security cannot be compromised with the technology though, and providers must ensure they prioritize patient privacy.

One recent study indicated that secure messaging use could positively impact diabetes patients, with individuals who communicate in this manner being more likely to have frequent visits with their provider.

Seventy-two percent of patients with diabetes reported they used secure messaging, according to a study published by the American Diabetes Association (ADA). 

Researchers studied patients with diabetes who were enrolled in an online portal of an outpatient healthcare organization from 2011 to 2014.

“Patients with diabetes frequently used secure messaging for medical advice in addition to routine visits to care providers,” the team explained. “Messaging was positively associated with better diabetes management in a large community outpatient practice.”


For those who used secure messaging, additional messages were associated with better outcomes.

In 2014, 65 percent of respondents reported any type of patient-initiated message. Sixty-three percent stated they had any provider-initiated message.

A study published in the Journal of Medical Internet Research (JMIR) earlier this year also found that provider secure messaging levels can predict their patients’ communicative behavior.

Patients who had providers that were highly responsive to other patients’ messages initiated 334 percent more secure messages than patients with providers who did not personally respond to other patients’ messages.

“Secure messaging could facilitate the development of deeper relationships by increasing interaction time, making patients more comfortable about asking questions and discussing embarrassing issues, and allowing physicians to provide better advice and education,” the research team wrote. “However, such benefits are likely to be realized only if patients and providers are both committed users of the technology.”


Even with increased provider usage, PHI security must be maintained in healthcare secure messaging. Specialized care is no exception, and certain patients might be more vulnerable to lackluster privacy settings.

McLean Hospital researchers found that privacy measures are lacking in apps designed for dementia patients.

Of 125 reviewed iPhone apps that matched the search terms “medical + dementia” or “health & fitness + dementia,” 33 had available privacy policies.

Seventy percent of the apps described safeguards on data, and nearly three-quarters differentiated between protections for individual versus aggregate data, the researchers explained.

“No one using an app for a mental health-related reason should assume that privacy and security measures are in place,” said McLean Geriatric Psychiatry Outpatient Services Medical Director Ipsit Vahia, MD.


Vahia added that the research “represents a note of caution to researchers, clinicians, as well as patients and their families” who might be considering mHealth options for managing certain conditions.

The research team pointed out that dementia patients could be particularly vulnerable because their “cognitive impairment puts them at increased risk of privacy breaches.”

Patients and caregivers must “pay attention to the type of information that they provide to the app, and try to understand what can be done with that information,” Vahia explained. “[Dementia patients] using the app may be suffering from the disease and not fully understand privacy policies, even when they exist.”

Both healthcare providers and companies creating mHealth applications can utilize federal guidelines to ensure that they are remaining HIPAA compliant, and are working toward patient privacy.

The HIPAA Security Rule does not require specific technology solutions when it comes to mobile device technical safeguards but does require reasonable and appropriate security measures be implemented.

With secure messaging, for example, an organization should consider an option that uses data encryption. If a network were accessed or a mobile device stolen, the translation card or key would also need to be taken before the encrypted data could be read.

“HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan,” HHS states on its website. “Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.”

Tools must be chosen that are innovative, but also able to maintain PHI security. Failing to consider privacy and security measures could lead to a data security incident, or even heavy federal fines.

Secure messaging can help connect providers with patients, and may even encourage patients to take a greater interest in their personal healthcare. However, entities must consider their potential vulnerabilities and risks before implementing new technology.