Smartphone Apps: A Growing Trend in Medicine
A smartphone isn’t just a phone; it’s a miniature computer. We surf the web, email, play games, and use smartphones and other wireless devices as tools for work.
This explosive growth in use has been aided by mobile applications (“apps”). Today physicians can monitor a patient’s vital signs, download patient schedules, access medical records, dictate office notes, and consult with other physicians without entering a clinical setting.
Greater Access, New Risks
As with any new medical device, there are risks to consider. Mobile devices “are considered one of the most vulnerable areas for [privacy] breaches.”1 This is in part due to security assessments that failed to address the use of mobile devices.2
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires notification whenever a breach of unsecured protected health information (PHI) occurs.3 Additionally, the Department of Health and Human Services requires security of PHI on storage devices (hard drives), transmission media (cyberspace), and portable electronic media (e.g., smartphones).4
Reference guides, such as Epocrates, should not be a HIPAA risk. However, apps that transmit PHI could be intercepted by hackers or corrupted by a virus. Regardless of whether a physician’s mobile device is used to access, transmit, or store PHI, consider all HIPAA and HITECH requirements. HIPAA requires data security and the proper destruction and retention of PHI, when appropriate.
What Can You Do?
- Review potential wireless apps to ensure security of PHI at all levels;
- Limit the type of app that can be used based upon the individual app’s level of security;
- Use encryption software that makes data unusable by intercepting parties;
- Develop a security policy addressing mobile devices and the types of apps that can be used, along with the appropriate use and destruction of PHI data;
- Develop an eDiscovery policy for retaining PHI in the event of litigation; seek assistance from your attorney or your medical professional liability carrier’s risk management staff; and
- Work closely with IT personnel to address all security issues.
Lizabeth Brott, JD, is Regional Vice President, Risk Resource with Proassurance, a national provider of medical professional liability insurance and risk resource services. This article is not intended to provide legal advice.
1Dolan, P. “Large settlement for data breach sends message to lock up laptops and smartphones.” American Medical News, September 28, 2012, http://www.amednews.com/article/20120928/business/309289995/8/ (accessed August 27, 2013).
2, 3, 4“Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act.