HHS, ONC, OCR, FDA, and Your Smart Devices

Smartphones are, well, smart. They are little handheld supercomputers. They have more computing power than my first home-built computer; I think they can do more than my first two or three “store bought” computers as well. Indeed, NASA engineers would have loved to have something so powerful back when they used pencil, paper, and the slide rule to put a man on the moon. (If you are like my kids, scratching your head and muttering “Slide rule? What is a slide rule?” click here for a well-done piece by Elissa Nadworny at NPR.)

Phones are not the only thing getting smarter. Today we are confronted with a variety of smart devices. We can wear watches that communicate with our phones (after all, they are smart!) to track our heart rate, blood oxygen saturation, activity level, blood glucose, and sleep patterns, to name but a very few of the possibilities.  We can wear other monitors that communicate with our phones, sending even more information to the cloud – and from there we can share information with fitness rivals, friends, neighbors, and, yes, even providers. These devices can serve as motivators, trainers, record keepers, and more – all in a small package that is convenient and simple to use.

It seems only logical that we try to develop these devices to their fullest. Imagine having a device in your jacket pocket that will allow you to assess your health and well-being. That would be the epitome of personalized medicine, right? What risks are there? Aren’t we talking about something that will make medical care cheaper, faster, and more convenient? We have so many choices, surely it is a simple matter for each of us to pick the right one for our needs.

The solution is not quite as complex as the inner workings of my phone, but it is not as simple as we might think. We have myriad choices of apps that do a variety of incredible things. But therein lies the issue; it is not the quantity of offerings, it is the quality of the offerings that is concerning.

Just as, shocking to some, not everything found on the internet is true, not every app delivers the same quality. And some have crossed a threshold that will have implications for the entire industry. Anytime we discuss quality, the conversation will invariably segue to regulation, and the opportunity for regulation gets regulators all excited. This is where we find ourselves these days: regulators ready to reach into your pocket to decide what apps you can use on your phone.

What does this mean? It could be trouble for medical app developers who have grown accustomed to little or no regulation. The industry has known this day would come. FDA, for example, has spent the better part of five years contemplating what to do in this sector.  Part of the challenge is that mobile health apps are subject to various existing laws written back in the day of the slide rule. Federal agencies have been wrestling with how to apply these laws to current technology. The US Department of Health and Human Services (HHS), the Office of the National Coordinator for Health Information Technology (ONC), the Office for Civil Rights (OCR), and the Food and Drug Administration (FDA) have produced an interactive tool that aims to allow app developers to determine what laws might apply to mobile health apps.  The tool is not perfect, but it does give some general guidance. It is a good place to start before you wade through this FDA guidance regarding mobile medical applications, this FDA portal regarding medical apps, and the OCR’s web portal addressing questions relevant to HIPAA – and the list goes on.  

The Enemy Within - "Homegrown" HIPAA vulnerabilities

Just yesterday I briefly discussed the electronic vulnerabilities facing hospitals and health practitioners. Much of that note focused on hackers attacking the systems and holding them for ransom. It is a major problem confronting the healthcare sector, and will continue to be for a long time to come.

Other threats linger, and this week we learned about one of the potential hazards we must guard against – the hazard that we bring to the table ourselves. In short, we can be our own worst enemies. Such is the case at the University of Mississippi Medical Center and the Oregon Health & Science University.

At the University of Mississippi Medical Center (UMMC), staff allowed a party to “borrow” a hospital laptop while in the ICU. The borrowed laptop was not returned. While that fact is curious enough, this is when it gets really interesting.

The Mississippi hospital had secured its network, but the patient data on the laptop was protected with only the minimum of “generic” security safeguards. Apparently, no access tracking software was in place.

One wonders if the laptop itself had location software in place.  In other words, the equivalent of the “find my phone” application we all use (I know I do) to locate phones and tablets may not have been there.  Most of these tracking applications allow a user to wipe all data from a lost device – quite handy in the event a piece of hardware is lost. 

The folks at UMMC compounded the issue when they failed to notify patients whose data was breached of the potential exposure. We must ask – if they had no access tracking software in place, how do they know whose data was purloined and whose was not?

The OCR summarized UMMC's failures in its press release. According to the OCR, UMMC failed to:

  • implement its policies and procedures to prevent, detect, contain, and correct security violations;
  • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

UMMC settled with the HHS Office for Civil Rights, paying a penalty of $2.75M while not admitting any liability. UMMC is working to overhaul its security standards as well. Read the entire HHS OCR press release here. You can read the actual text of the settlement here.

Oregon Health & Science University also felt the ire of the HHS OCR, paying a similar fine for breaches involving unsecured laptops and stolen USB thumb drives.  While OHSU self-reported, the OCR lamented OHSU's failure to respond appropriately to these breaches. 

This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.
— HHS OCR Director Jocelyn Samuels, discussing the OHSU settlement

The Oregon facility paid a fine of $2.7M and entered a three-year corrective action plan. Read the HHS OCR's press release here, and you can read the settlement text here.

These two actions underscore the aggressive stance of the OCR in the face of ever more common data breaches. They also demonstrate how we are often our own worst enemies.

And CEOs, Risk Managers, Compliance Officers, and IT professionals - please take these compliance matters seriously.  

For more on how to deal with these issues, contact the Spiers Group today.