Much has changed in the years since HIPAA was first passed into law, not the least of which is the use of mobile technology in healthcare. As a physician, patient, and healthcare technology business leader, I have experienced numerous frustrations and inefficiencies resulting from practices struggling to adhere to the letter of the HIPAA law rather than embracing its spirit.
Over the past year, the perception of mobile technology in healthcare has changed dramatically. mHealth is now being recognized as a tool that can help address the challenges our healthcare system is facing, including a shortage of caregivers, an influx of newly insured patients, decreased reimbursements and readmission penalties. Historically, there have always been barriers that kept hospitals from making the leap to mobility – lack of infrastructure, costs, or the fear of security breaches, among other reasons. Yet as mobile technology becomes deeply ingrained in our day-to-day work and social lives, healthcare is following suit and migrating toward mobility as a component of care delivery.
However, concerns about security remain at the forefront. According to data from the Department of Health and Human Services (HHS), more than 41 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach. Additional data from the 2014 Healthcare Breach Report from Bitglass suggests that 68 percent of all healthcare data breaches are due to device theft or loss and 48 percent of breaches involve a laptop, desktop or mobile device.
The Office of the National Coordinator for Health Information Technology (ONC) just released what it calls “A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure.” The directive generating the most attention calls for “a common set of electronic clinical information…at the nationwide level by the end of 2017.” According to ONC, the common data set would consist of about 20 basic elements, such as patient demographics and lab test results.
At first blush, the ONC directive is a small step in the right direction, but it sets the bar awfully low. Rest assured that vendors will consider 20 basic elements the maximum data set, not the minimum. A more effective approach would, for example, specify vocabularies (LOINC, RxNorm), document types (JSON, XML) and transport mechanisms (HTTPS or other TLS-based transports) to be used when sending or receiving data, instead of focusing on the data elements themselves.