The success of devices like the iPhone and iPad in healthcare has become so pronounced that the Department of Health and Human Services has begun to single out the use of mobile devices as part of the meaningful use requirements for electronic health records (EHR) systems. In addition to identifying mobile device use, the agency has also taken steps towards explicitly regulating mobile device security needs in the healthcare industry.
The 2009 HITECH Act created a financial incentive system to encourage hospitals, medical practices, and other healthcare service providers to adopt electronic records. Facilities that accept Medicare and Medicaid payments can receive the incentive funds by implementing EHR and related systems like electronic prescribing. To ensure systems are used, HHS has established multiple stages of meaningful use objectives that facilities must meet to receive incentive funds.
This week, the federal agency released the official set of stage two meaningful use requirements, which will go into effect in 2014. A large portion of the stage two requirements focuses on mandating more frequent use of EHRs and electronic health information exchange systems. For example, doctors will be expected to use digital systems to order lab work and diagnostic imaging for at least 30% of their patients.
Meaningful use rules for stage two come in two different documents, the CMS and ONC rules. Both documents include frequent references to smartphones, tablets, and mobile apps (the language is by and large generic and doesn’t specify mobile platforms like iOS and Android by name).
Some of the rules impact data security when stored on or accessed from a mobile device.
Requiring health-care providers to assess whether they need to encrypt protected health information data while at rest, in reaction to multiple breaches of PHI from mobile devices.
The general policy we express in this certification criterion requires EHR technology designed to locally store electronic health information on end-user devices to encrypt such information after use of EHR technology on those devices stops
Encryption is required for mobile devices, and EHRs must be able to create an audit log of such encryptions if the system allows local storage of data on the devices.
Other rules stipulate that some of the required use of digital systems can be met using mobile devices.
Requiring providers to use computerized physician order entry – which specifically can include a mobile device — for 60 percent of patients and 30 percent of laboratory and radiology orders.
The provider’s use of computer assistance to directly enter medical orders… from a computer or mobile device.
Still others describe how mobile technologies can be used for engaging patients and providing access to their records (stage two requires hospitals and practices to offer 5% of patients online access to their health data).
[S]ecure email, a secure portal, even some type of mobile application could all be examples for secure messaging methods that could potentially meet this certification criterion.
Vendors may develop mobile patient-engagement apps using technology that meets basic requirements for EHR certification, including secure email, portals and mobile applications using a variety of transport standards.
The frequency of the references and their specificity clearly highlight the increasing role that the iPhone, iPad, and other mobile technologies have in healthcare – on the part of doctors, nurses, and hospitals as well as on the part of consumers. A recent study notes that 40% of mobile apps being developed today are related to healthcare or general health and wellness topics.
A related item that’s worth mentioning is that AirStrip, the company that highlighted remote patient monitoring during Apple’s WWDC keynote in 2009, announced this week that it will offer a tool to help hospitals and medical practices gauge their compliance with meaningful use requirements – a move that will help facilities ensure they receive incentive payments.