Experts: mHealth poses privacy challenge

Despite the potential of mobile healthcare, experts say they worry about the added risks of security breaches, privacy violations and other concerns that come with the increasing use of mobile technology.

Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society (HIMSS), says the biggest privacy concern with the use of cell phones in healthcare is lost or stolen phones that contain unencrypted patient data.

Erin McAlpin Eiselein, an attorney and a partner at Davis, Graham & Stubbs, LLP in Denver, says one of the primary concerns for physicians engaging in mHealth is maintaining the privacy of patients' electronically stored protected health information, or “ePHI.”

“There are federal and state laws governing ePHI privacy and substantial penalties can be imposed for even inadvertent violations of these laws,” Eiselein warns.

“In addition to privacy, the other main concern for physicians engaging in mHealth is security. The federal government requires all ePHI to be secured in a manner that protects it against unauthorized access. This requires physicians to take steps such as using passwords and encrypted files to protect ePHI,” Eiselein says. “Often, devices such as iPhones, BlackBerrys, and iPads and the apps that physicians are using on those devices are not compliant with the security standards. Physicians who electronically store information directly on their smartphones have the greatest risk of running afoul of these privacy and security laws. Simply losing a smartphone can have important and expensive consequences.”

In the past couple of years, the federal government has very clearly put the healthcare community on notice that it is increasing its enforcement efforts in this area, according to Eiselein. The Department of Health and Human Services Office of Civil Rights (OCR) has issued a document called HIPAA Security Guidance stating that physicians and other covered entities should be “extremely cautious” about allowing remote or mobile access to ePHI. Enforcement has moved to the state level as well, and state attorneys general now have the authority to enforce HIPAA. In fact, the OCR is providing HIPAA enforcement training to state attorneys general in order to further this goal.