When HIPAA applies to mobile applications

By: admin | Jun 16, 2011        


By Adam H. Greene, JD, MPH, former Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, now a partner in the Health IT/HIPAA practice of Davis Wright Tremaine.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules can be a daunting challenge. Sometimes, the biggest question facing mobile application developers is not how to comply with (or make sure users are complying with) HIPAA, but rather whether HIPAA even applies. To understand whether software falls under the HIPAA rules, a developer must answer two questions: (1) Who will be using the application, and (2) What information will be on the application?

The HIPAA Rules only apply to HIPAA “covered entities” and their “business associates.” They do not apply to health care consumers or to other types of entities. Covered entities include health plans (including employer-sponsored group health plans), entities known as health care clearinghouses (which convert health care claims and other administrative transactions into or from a standard format), and health care providers — but only if the health providers electronically conduct certain transactions, such as submitting claims to health plans electronically. A business associate is an entity that handles “protected health information” on a covered entity’s behalf, such as a health information exchange organization sharing health information on behalf of a health care provider, or a pharmacy benefit manager operating a health plan’s prescription benefit.

Additionally, the HIPAA rules only apply to “protected health information,” information that identifies an individual and that relates to an individual’s physical or mental health, health care services to the individual, or payment for such health care services. There are exceptions for employment records and records of educational institutions. The fact that an individual has received services from a covered entity is itself protected health information. Accordingly, the name or address of an individual, although publicly available, is protected health information when residing on a covered entity’s computer if the presence of the information suggests that the individual is or was a patient or enrollee of the covered entity. Protected health information also includes otherwise anonymous information that includes a date of service (anything more detailed than a year). Accordingly, an e-mail referring to “the patient who was in last week” is protected health information, because it includes a date of service that can be used to identify the patient.

A mobile application developer will need to analyze whether the software will be used by a covered entity, such as a physician, hospital, or health plan, and whether it will include any protected health information: individually identifiable information about health, health care services, or payment for health care services. An application that assists a physician with following up with patients would need to be designed to allow the physician to comply with HIPAA. Likewise, a mobile application for use by health plan employees to obtain an individual’s enrollment information remotely would need to be designed in accordance with HIPAA.

In contrast, an application that is for use by patients is not going to fall under HIPAA; an application on a person’s smartphone that assists the user with following a medication schedule would not fall under HIPAA because there is no covered entity involved. Even if the application permitted the user to send information to her physician, the application would not be subject to HIPAA, although the information would become subject to HIPAA once the HIPAA-covered physician received it.

An application that is to be used by a covered entity but does not involve protected health information would also not be subject to HIPAA; an application that provides a nurse with “de-identified” influenza statistics would not be subject to HIPAA because it does not use individually identifiable health information. Note that if the application allows the nurse to add information about the hospital’s influenza patients (such as that an individual came in with H1N1 symptoms today), then the patient information will be subject to HIPAA.

Other types of entities, such as public health authorities, are not covered entities either — an exception may be if they are also providing a health plan or providing health care services. Accordingly, a mobile application for a local government epidemiologist that assists with a public health investigation would generally not fall under HIPAA.

In determining whether an application falls under HIPAA, the developer should focus on the user, rather than the distribution channel. If a health plan provides enrollees with an application that allows them to track their weight on their smartphone, the application is not subject to HIPAA (since it is used by a non-covered entity – the enrollee – on the enrollee’s smartphone). If the application stores data on the health plan’s server, however, the information on the health plan’s server would be subject to HIPAA.

It is worth noting that, while health-related applications that are not used by covered entities or business associates are not subject to HIPAA, they may be subject to other privacy and security laws. For example, if the software is sharing user information in violation of a privacy notice, this could represent a deceptive trade practice subject to the Federal Trade Commission’s enforcement authority.

Tomorrow, in part two of this series, we will look at what an application developer should do if their application is subject to HIPAA.

Adam H. Greene previously served as the Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT, and now is a partner in the Health IT/HIPAA practice of Davis Wright Tremaine. Mr. Greene’s full bio is available at http://www.dwt.com/People/AdamHGreene


By 2016: 80M wearable wireless fitness sensors

By: Brian Dolan | Jun 15, 2011        


According to a new report from ABI Research, wearable wireless sensors for fitness and wellbeing will surpass 80 million devices by 2016. This figure will eclipse other wireless sensors markets, including professional and home healthcare monitoring. In its report, ABI notes a range of factors will influence the uptick in devices: wireless protocol standardization, new device availability, as well as changing social patterns that encourage people to record and share fitness performance data.

“There is real and strong growth potential for wearable wireless devices in the consumer market today,” said ABI Research principal analyst Jonathan Collins in a press release. “These devices don’t require the same level of complexity and regulation to deploy that healthcare devices do.”

The new wireless standards that are spurring this growth include M2M (cellular-enabled) and short range connectivity (i.e. Bluetooth or ANT+). This market will have an estimated 46 percent compound annual growth rate from 2010 to 2016.

“Enabling online fitness data collection and sharing will drive key new revenue streams,” said Collins. “Online applications also bring the promise of a social networking effect, with participants sharing their results with friends or new groups formed within the application, thus spurring further adoption.”

ABI Research reported back in 2009 that 400 million wireless sensors would reach the market by 2014.


HHS offers SMS toolkit for disaster response

By: Neil Versel | Jun 15, 2011        

Photo Credit: James Gathany, Centers for Disease Control and Prevention


Acknowledging the power of text messaging to spread information fast, the Department of Health and Human Services has produced a toolkit of prepared messages for state and local authorities to disseminate during a disaster response.

A collaborative effort of five HHS divisions, the messages are meant to complement television and radio public-service announcements produced by the Centers for Disease Control and Prevention, according to government officials.

“During a disaster, the state or local agency can download and distribute the new public health messages using their existing cell-phone emergency message distribution systems. Community residents should contact their local emergency management agency to learn whether text message alerts are available in their community and to register if available,” according to an HHS press release.

Sample messages include: “To help care providers, keep a list of drugs and dietary supplements with you. More info from CDC 800-232-4636 or http://go.usa.gov/jvZ”; and “Prevent child drownings. Keep kids from playing in or around flood water. More info from CDC 800-232-4636 or http://go.usa.gov/bGa.”

Though the texts have not been tested in a real disaster situation yet, HHS spokeswoman Elleen Kane says that the messages are based on existing PSAs. “We felt pretty confident that they will be effective,” Kane tells MobiHealthNews. HHS reports that more than 400 entities have expressed interest in using the messages.

Public health agencies seem to be receptive to the idea. “It’s efficient, because a lot of times you just need to send very simple messages, and sometimes you need to send messages to a lot of people,” Dr. Georges Benjamin, executive director of the American Public Health Association, says.

Benjamin says that the association convened a meeting at its Washington headquarters two years ago to discuss risk communication via social media. “It’s just beginning, but we’re seeing it more and more,” he said.

Benjamin noted that the Food and Drug Administration used text messaging and Twitter during the 2009 recall of peanut products and said that since the 2007 mass shooting at Virginia Tech, many schools have been working with local authorities to develop plans for text communication for future emergencies. “There’s no question there’s a lot of interest in this and that [texting for disaster response] is going to explode,” he said.

HHS limited each message to 115 characters so users can add local details as necessary. Standard SMS texts have a capacity of 160 characters, including spaces.

HHS says the department worked with state and local agencies to develop the messages. In addition to the CDC, other participating HHS branches include the FDA, the HHS Office of the Assistant Secretary for Preparedness and Response, the HHS Office of the Assistant Secretary for Public Affairs and the Substance Abuse and Mental Health Services Administration.

Nebraska Medical Center taps Voalte for iPhone deployment

By: Brian Dolan | Jun 15, 2011        


The Nebraska Medical Center, the state’s largest healthcare facility, announced that it will soon be equipping clinicians and nurses with iPhones after inking a deal with Voalté to deploy its custom healthcare application. The Nebraska Medical Center is the first academic-based medical center in the country to use the Voalté software, according to the company.

“Communication is an essential ingredient for excellent patient care,” said Dawn Straub, Director, Nursing Professional Practice and Development at The Nebraska Medical Center in a press release. “We recognize the importance of smartphone technology and how it can give our nurses more time with their patients.”

Voalté is an iPhone application that combines voice, alarm and text features, and was chosen by the Medical Center after a year-long assessment. Nurses and clinicians will be able to send and receive presence-based text messages and make high-definition voice calls across the hospital VoIP system on one device. The hospital-wide installation will integrate hundreds of iPhones with the hospital’s PBX and WiFi system in order to improve communication between the patients and staff.

Voalté’s growing list of customers includes Texas Children’s, Heartland Health, Huntington Hospital, Sarasota Memorial and more.


New crop of mobile health executives

By: Brian Dolan | Jun 15, 2011        

Alan Portela


A handful of new executives have taken executive roles at a couple of well-known mobile health companies.

Earlier this month, Alan Portela took the reins at AirStrip Technologies as CEO. Portela replaced Gene Powell, who will stay on as a senior advisor and chairman of the board at the company. This week, Dan Blake was appointed Chief Development Officer at AirStrip. The company is known for having one of the very first FDA approved iPhone apps, AirStripOB. It also now offers AirStrip RPM Critical Care and AirStrip RPM Cardiology apps.

“Dan knows how to develop mobile software and infrastructure solutions that address critical enterprise-level issues. That is a perfect fit as we work to grow our suite of mobile healthcare monitoring solutions globally,” Portela said in a press release. “AirStrip is gradually rolling out its solutions to include mobile access to patient monitoring in virtually any care setting, from the hospital to home monitoring. Dan has the experience and skills needed to keep AirStrip stationed at the forefront of the mobile-enabled health revolution.”

Before joining AirStrip Technologies, Blake was president of ArchiStrat Consulting, Inc., Chief Technology Officer of Nightrader Ltd., Chief Technology Officer of Aon Group, and President/CEO of Aon Risk Technologies.

Interestingly, the day before AirStrip announced Portela as its new CEO, Diversinet announced that it had appointed Portela to its board of directors.

Meanwhile, PatientSafeSolutions appointed Joseph Condurso President and CFO. Condurso was previously VP of strategy, innovation and business development at CareFusion Corp, and before that in senior operational and entrepreneurial roles at companies that eventually became Cardinal Health. PatientSafe (formerly named Intellidot) is headed up by James Sweeney, who founded one of the few public, pure-play wireless health companies, CardioNet. Sweeney explained PatientSafe’s new iPod touch-centered strategy to MobiHealthNews last fall.

“There is no doubt in my mind that PatientSafe Solutions is poised to deliver extraordinary innovation and growth,” said Condurso in a press release. “Given the demand for smart care management and care coordination technology such as PatientTouch, I look forward to the opportunity to position our company as a leader in point of care mobile health solutions, sustain our momentum and build even further success with our customers and industry partners.”

In related news, Awarepoint CEO Jay Deady has been pushing new initiatives since his appointment to the company seven months ago, reports Xconomy. The company, which focuses on real-time location technology (RTLS) for hospitals & other healthcare providers, received $9 million from investors after Deady arrived. Deady expects their final round of venture capital to occur in August.

Deady faced the challenge of a healthcare industry slow to adopt their real-time tracking services. To combat this, he decided to use the company’s acquisition of software company Patient Care and make the company more of a full-service provider of health IT products and services. “My perspective, both offensively and defensively, was to go to market with a broader software portfolio,” Deady says. “Today we can still sell them millions of dollars in software and services.”


Virtual pet app encourages diabetes management

By: Brian Dolan | Jun 15, 2011        


This week, popular diabetes blog and community DiabetesMine announced the winners of its annual 2011 DiabetesMine Design Challenge. Started in 2008, the Design Challenge tasks participants with finding creative new ways to improve the lives of those with diabetes. Perhaps unsurprisingly, one of this year’s winners developed an iPhone/iPad app.

The three grand prize winners, who each received $7,000 cash plus free consulting from IDEO Design health and wellness experts, are as follows:

Pancreum, by Gil dePaula, is the most “futuristic” of the three, an “artificial pancreas” that combines tubeless insulin pumping and continuous glucose monitoring with a glucagon-delivering agent that works as an antidote to low blood sugar. The computer aspect of the system is a Bluetooth-enabled CoreMD, designed to “create a flexible, open platform, and common architecture design that would allow for medical devices to be more affordable than what is available in the market today.” Pancreum is already in the early stages of development.

Blob, by Luciana Urruty, is a portable insulin-delivery device that is small enough to be carried in a pocket or worn on a neck-chain. The device includes a coolant for inhabitants of warmer climates. It is seen as an efficient way to transport insulin around.

DiaPETic, by Emily A. Ellen, is an iPhone/iPod Touch application designed for teenage girls to help put a personal touch on glucose level management. The application allows users to create a pet avatar that interacts with them to encourage glucose testing and suggest strategies for control. Successful monitoring of levels grants users points that can be redeemed for “accessories” for their avatar.

Check out our coverage of the 2009 winner, the LifeCase & LifeApp.