The costs of not complying with HIPAA (the 1996 Health Insurance Portability and Accountability Act), which includes the obligation to self-report data breaches, can be steep. Blue Cross Blue Shield of Tennessee recently finalized a $1.5 million settlement with the Department of Health and Human Services over a recent breach (on top of a $17 million price tag for the investigation and remediation actions). HHS seems to be making a show of high-profile enforcement as a way to encourage better compliance among smaller organizations, including hospitals and individual medical practices.
This raises the question of whether or not using the iPad in healthcare increases the risk of privacy violations. If so, will a show of force on the part of HHS dampen the enthusiasm for the iPad in healthcare?
The Blue Cross case isn’t related to mobile devices at all. It’s related to 57 unencrypted hard drives containing voice recordings that the company left in a data closet when it moved out of a leased facility. In addition to being a HIPAA violation, the case is also one of the first to fall under a 2009 law known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, which tightens the electronic-records provisions of HIPAA.
The high-profile nature of the case, and the fact that it’s one of the first large cases involving violations that fall under HITECH provisions, has healthcare industry observers and experts believing that it’s a warning shot to the entire industry when it comes to compliance and enforcement of privacy regulations. Whether or not that’s a goal of HHS, the impact is certainly there. In its wake, law firms that work with health-related businesses have issued alerts to their clients reminding them of the financial and legal consequences of noncompliance. Wilson Sonsini Goodrich & Rosati, a firm with offices throughout the U.S. and abroad, even pointed out that organizations that normally don’t fall under the health insurance or provider rubric can still fall under HIPAA.
What this means for the fate of the iPad in healthcare isn’t immediately clear. HIPAA compliance is one of the challenges that the iPad faces in this industry, but those same challenges are faced by laptops and other portable devices. In many situations, medical groups and hospitals turn to virtual desktop solutions as an answer. The encrypted connection to a server hosting a desktop or application ensures no data ever resides on the device. This is one reason that Citrix is a popular tech company in healthcare. The platform-agnostic approach of virtual desktop infrastructure (VDI) means that Citrix supports the iPad along with other devices. Citrix also offers XenApp, which creates dashboard-style interfaces that make applications available without providing a complete Windows desktop – a good option for mobile devices.
Even outside of VDI solutions, the goal is almost universal when supporting the iPad in medicine: don’t allow data to be stored on the device. If patient records are never on the device itself, then a lost or stolen device doesn’t immediately create a major security concern, particularly if two-factor authentication is employed.
Ultimately, healthcare IT professionals have been aware of the potential security and privacy issues with the iPad (any mobile device really) for quite a while. It’s one reason some medical groups are hesitant to support the iPad. The new rulings may add weight to arguments against the iPad, and it probably will make some organizations rethink their mobile strategy (and even their overall data management practices). Enthusiasm from doctors, nurses, and other healthcare workers probably won’t be killed by this latest news, however. In the end, the rulings may simply give hesitant IT organizations a reason to support and entrench their positions while organizations embracing the iPad will continue to do so, but with a bit more security awareness.