First Healthcare Compliance CONNECT September 2019
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Q&A: HIPAA and Health Apps By Catherine Short<br />
Rachel V. Rose, JD, MBA, presented the<br />
webinar “HIPAA and Health Apps.” Rachel<br />
returned to answer many commonly<br />
asked questions on our blog.<br />
How has HIPAA evolved to address mobile<br />
technology?<br />
HIPAA was signed into law in August 1996. Subsequently,<br />
the Privacy Rule and Security Rule were implemented.<br />
In 2009, the HITECH Act passed and with it came an<br />
increased focus on security of protected health information<br />
(PHI) and breach notification. Finally, on January 25, 2013,<br />
the Final Omnibus Rule was published (78 Fed. Reg. 5566<br />
(Jan. 25, 2013)). In general, the U.S. Department of Health<br />
and Human Services – Office for Civil Rights has primary<br />
jurisdiction over HIPAA enforcement for covered entities,<br />
business associates and subcontractors. Other agencies<br />
such as the Federal Trade Commission (FTC) and the Food<br />
and Drug Administration (FDA) also play a role.<br />
In terms of mobile technology and health apps in particular,<br />
HHS recently published FAQs – a series of five questions<br />
and answers that target a covered entity’s liability when<br />
transferring a patient’s data to an app. Additionally, over the<br />
past couple of years, the FDA has released guidance on<br />
mobile medical apps – specifically those medical apps the<br />
8<br />
FDA will regulate and those that it won’t, which depends on<br />
the app’s function.<br />
What is covered under ePHI?<br />
ePHI, which is also known as electronic protected health<br />
information, is protected health information that is<br />
produced, saved, transferred or received in an electronic<br />
form. This can include USB drives, CD-ROMS, email, apps<br />
and VoIP technology. The management of ePHI is covered<br />
under the Security Rule.<br />
What steps can companies take to ensure<br />
compliance?<br />
One can think of compliance as an inverted triangle –<br />
start with a broad base at the top and narrow the focus<br />
into different departments and the relevant technical,<br />
administrative and physical safeguards set forth in the<br />
Security Rule. The top should include forming an enterprise<br />
risk management team and conducting an annual,<br />
comprehensive risk analysis that every team member<br />
reads. From there, understanding the ingress and egress<br />
of protected health information, the vulnerabilities and<br />
compliance solutions identified in the risk analysis can be<br />
addressed.<br />
<strong>First</strong> <strong>Healthcare</strong> <strong>Compliance</strong>, LLC © <strong>2019</strong>