HIPAA-Compliant vs HIPAA-Secure in Mobile Health Technology
Austin, Texas, January 30, 2013; Posted by Tracey Haas, DO, MPH, Co-founder and Chief Medical Officer of DocbookMD
This terminology is undergoing a bit of a revamp as the subtleties come into question. Simply put, HIPAA-compliant is an action, and HIPAA-secure is an adjective. Compliance includes active, ongoing choices that a physician (or other covered entity) makes in order to keep protected health information (PHI) safe. It is the covered entity’s responsibility to protect it.
An application or device can only be considered HIPAA-secure, or otherwise facilitate the achievement of compliance, but it is not HIPAA-compliant itself. To clarify: if a physician takes a photo of a patient through a HIPAA-secure application and then hands the device over to another person to view this information, only that physician can be held responsible for the HIPAA breach – they have strayed from being HIPAA-compliant. An app cannot control what is done with PHI once it is in the doctor’s hands.
It turns out that not everyone who deals with PHI is concerned about how compliant you are. For example, if your answering service sends you a message that shows any information about that patient at all, they consider you the one who is ultimately responsible if the PHI leaks out. Many answering services consider themselves HIPAA-secure – and they are, right until the message leaves their server. They may or may not encrypt the message, which must now travel from their server through two phone companies to your device. In this case, it is not entirely clear who is responsible if a breach happens outside of the answering service, but many answering services believe it is the recipient – the physician.
To contrast, a HIPAA-secure smartphone app like DocbookMD is considered secure through the many ways it verifies your credentials and those of the people with whom you are communicating, and through the high degree of encryption it uses, even after the message arrives on your device. A message never “pops up,” but rather an alert about the message does. Once the DocbookMD app is opened (and you have the choice to password-protect both your phone and the app itself), you can read the message, which never rests on the device. Although DocbookMD does a lot to help you achieve compliance, you as the end-user still have some responsibility for remaining HIPAA-compliant. The company offers the choice of a PIN lock, and it can also remotely disable the app if you report your device lost or stolen – but again, it is the user who must take steps to ensure their device remains safe.
Take-home message: ask any company that claims to be HIPAA-secure exactly how they keep PHI protected – and what they expect of you, the end-user, to keep it that way.