Sharing PHI with Third Party Applications
The FTC has been warning third-party healthcare applications to tighten up their security, and that they are watching. This follows reports from Ponemon Institute and Verizon Data Breach Investigations Report highlighting the healthcare sector experienced more breaches than any other sector. It also follows the massive 2018 data breach experienced by healthcare application MyFitnessPal that exposed the records of over 150 million users.
The allure of these applications is their ability to effectively collect and manage our healthcare on an ongoing basis. Blood sugar fluctuations, weight management, heart rhythms, and much more, are all available to the general public through wristbands, watches, and other personal portable devices. The information they gather is helpful to doctors, so they’re looking for ways to access this information in the service of providing better care.
This nexus is literally the reason we got into HIPAA compliance almost a decade ago. We understood then the critical link between the collection of this data and the importance of its security. As providers interface with these devices and download this information into their records, it’s more important than ever that these systems be maintained securely.
If you’re a provider and you’re looking to incorporate or interface with these third-party healthcare applications, then we applaud you, but let’s get it done right. Before you start, recognize that once your facility and a patient’s name are connected, that becomes PHI, whether you created the connection or not. Preferably, it’s your patient entering the information and creating the connection, thereby alleviating your HIPAA obligations. Additionally, right now there are no security requirements or validations required of these applications, so the burden of confirming they have proper security in place falls upon you. Don’t put yourself in a position where your patient records are in an application at your request, and that application has a breach. You may not have a HIPAA violation on your hands, but your reputation with your patients would take a hit.
First, we suggest getting written authorization from your patients if you plan to set them up with an application and access their data. Second, if you’re going to import that data into your EHR, then we recommend establishing a one-way pull of the data, as opposed to a bilateral interface where you would also be sharing patient data with the application. Third, have a clearly defined program for how you will use the information you’re collecting. Internally, this information should be treated much like lab results, where a sign-off is required upon review.
With the FTC increasing scrutiny of healthcare applications, we expect to see them increasing their accountability when it comes to security, and this is good for users and providers alike.
We continue to move forward towards a world of real-time healthcare management and responsiveness, and that’s going to save lives and improve the quality of care. Don’t let security concerns hold you back. Do it right and you and your patients will benefit.
Thank you and if we can provide any assistance, please feel free to contact us.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.