Handheld computers, also known as personal digital assistants (PDAs), are being used increasingly in the clinical setting by healthcare professionals. But if you use a personal digital assistant when providing patient care, you and your PDA may be subject to the privacy and security standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), for which the final regulation was published Aug. 14, 2002.
Today’s PDAs Are Used for Much More Than Scheduling
Today’s PDAs can do much more than the typical scheduling and contact-management tasks: they can access the Internet and carry software, including valuable clinical reference guides. They are also increasingly used as a convenient way to record and store patient-specific data, which may later be downloaded into a healthcare provider’s computer network for inclusion in each patient’s medical record. The article “A Typical Day With A PDA,” which appeared in the Summer 2002 issue of the AANS Bulletin, described the PDA habits of a technology-savvy physician who, among other things, uses his PDA as a portable device to record patient treatment information and later prints out these notes for inclusion in the patient’s paper medical record. Another example of PDA use in the healthcare setting is provided by a new Concentra Health Services program. Concentra is a Texas-based occupational therapy group that is conducting a pilot program in which 1,000 of its physicians and physical therapists use wireless devices to electronically record patient care data and complete patients’ medical notes for downloading into the provider’s main computer systems.
Handy Devices Don’t Circumvent HIPAA
PDAs are handy devices. HIPAA, however, requires any healthcare provider, clearinghouse, or health plan involved in a patient’s care (each known as a “covered entity” under HIPAA) to make reasonable efforts to limit the personally identifiable health information it uses, discloses or requests to the minimum needed to accomplish the intended purpose. HIPAA also requires that:
- computers and data containing protected health information (PHI) are protected from compromise or loss;
- audit trails of access to PHI are kept; and
- electronic transmissions of PHI are authenticated and protected from observation or change.
The HIPAA privacy standards are described in more detail in “Privacy Rules” by John A. Kusske, MD, in this issue. Briefly, however, HIPAA is designed to protect PHI that could be used to identify an individual relating to his physical or mental health condition, the provision of healthcare to that person, or the payment for his healthcare. Protections are extended to PHI that is transmitted electronically, maintained electronically, or transmitted or maintained in any other form or medium.
How Is Your PDA Used?
For purposes of assessing the privacy and security requirements imposed on the use of a PDA to store and retrieve personal health information, it is helpful to consider the use of the PDA on several different levels.
First, the security of the data contained on the PDA itself is regulated by HIPAA, and the PDA must be guarded against unauthorized use. Generally, PHI may only be accessed and used by covered entities for appropriate treatment, payment or healthcare operations purposes. For example, physician-to-physician consultation for patient treatment purposes, such as sharing patient data stored on their PDAs, would be a valid use of PHI. Moreover, a PDA’s small size makes it easy to misplace and a popular target for thieves. With respect to the security of the PHI contained on a PDA that is used and stored exclusively in the physician practice setting, there may be less risk of the data falling into the hands of unauthorized individuals who are not involved in the patient’s care. The risk that PHI will be compromised, however, increases in a clinic or hospital setting, or in a health system in which many people and organizations share PHI while providing healthcare in several geographically distinct settings.
Second, the transmission of data from a PDA to the provider’s computer network is regulated. Networked PDAs carry the risk that someone may intercept a PHI data transmission while it is being transferred to the main computer system. For wireless data transmission, information may even be intercepted by someone with a rogue wireless system outside the health facility’s walls. According to Dyane Genovese in Computer Bits, the greatest risk of a wireless security breach that is not under the provider’s control arises when data is transferred from a wireless system to a wired system. In addition, a PDA user may accidentally “beam” PHI via the PDA’s infrared port to an unintended recipient or transmit more data than was intended. Thus, wireless transmission of PHI from a PDA to a mainframe should not be considered unless the transmission is secured, with the link encrypted and both ends authenticated.
Third, the transmission of PHI from a PDA to any person other than the provider (which is the custodian of the PHI) is a transmission subject to the security requirements of HIPAA. While appropriate encryption and data set requirements can be met for PDA user transmissions, a physician using a PDA should not transmit PHI to a third party, such as a health insurance plan, unless such transmission is coordinated with the provider’s HIPAA compliance program.
Securing Patient Data on Your PDA
Although HIPAA does not set forth any specific requirements for PDAs, HIPAA does require that reasonable steps be taken to protect PHI in electronic form. Certain steps for securing PHI stored on a PDA include:
- Activate the password protection that comes with your PDA (or purchase the more robust password protection software sold by third parties).
- Keep track of your PDA to ensure it is not misplaced and that unauthorized individuals do not have access to it.
- If you transmit PHI from your PDA to your facility’s computer systems via a network or wireless network, ensure that proper network security measures (including device authentication and data encryption) are in place.
- Encrypt the PHI on your PDA via the included software or through third-party software.
- Ensure that the caretaker of the PHI has set in place procedures to handle the security of PHI and that software exists to create an audit trail of system activity, including login attempts, security incidents and attempts to access files containing PHI.
- When your PDA has become obsolete, use disk-wiping software to overwrite the PHI before disposing of the device; simply deleting the files or resetting the device does not reliably remove the data.
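As an added illustration of three of the controls listed above (encryption of stored PHI under a password-derived key, an audit trail of login attempts, record accesses and security incidents, and overwrite-before-delete when a device is retired), the following example is not from the article or any product it mentions. To run on the Python standard library alone it uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as the cipher; a real deployment would use AES-GCM from a vetted library instead. The class and function names, the iteration count and the sample record are all assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption: choose for the device's CPU budget
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the device password into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce a keystream."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with a fresh nonce per record."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PhiStore:
    """Password-locked PHI records plus an audit trail of logins and accesses."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        _, mac = derive_keys(password, self.salt)
        # Password verifier: a MAC over a fixed string, so a wrong password is
        # rejected without decrypting (or leaking anything about) any record.
        self.verifier = hmac.new(mac, b"verifier", hashlib.sha256).digest()
        self.records: dict[str, bytes] = {}
        self.audit: list[tuple[str, str, str]] = []  # (event, actor, outcome)
        self._keys: tuple[bytes, bytes] | None = None  # present only while unlocked

    def _log(self, event: str, actor: str, outcome: str) -> None:
        self.audit.append((event, actor, outcome))

    def login(self, actor: str, password: str) -> bool:
        enc, mac = derive_keys(password, self.salt)
        ok = hmac.compare_digest(self.verifier, hmac.new(mac, b"verifier", hashlib.sha256).digest())
        self._keys = (enc, mac) if ok else None
        self._log("login", actor, "ok" if ok else "failed")
        return ok

    def lock(self) -> None:
        self._keys = None

    def put(self, actor: str, record_id: str, phi: bytes) -> bool:
        if self._keys is None:
            self._log("write:" + record_id, actor, "denied-locked")
            return False
        self.records[record_id] = seal(*self._keys, phi)
        self._log("write:" + record_id, actor, "ok")
        return True

    def get(self, actor: str, record_id: str) -> bytes | None:
        if self._keys is None:
            self._log("read:" + record_id, actor, "denied-locked")
            return None
        try:
            phi = unseal(*self._keys, self.records[record_id])
        except (KeyError, ValueError) as exc:
            # A tag mismatch means the stored blob was altered: log it as an incident.
            self._log("read:" + record_id, actor, "incident:" + type(exc).__name__)
            return None
        self._log("read:" + record_id, actor, "ok")
        return phi


def wipe_file(path: str, passes: int = 3) -> bool:
    """Overwrite a retired device's PHI file with random bytes, then delete it.

    Overwriting is best-effort on flash media with wear levelling, which is why
    encrypting the store from day one (as above) is the stronger control."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return not os.path.exists(path)
```

The audit list is the record the article asks for: every failed login, every read attempted while the device is locked, and every decryption that fails its integrity check shows up there, so a reviewer can distinguish a mislaid device from one whose contents were tampered with.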
While PDAs seem to have endless potential to provide convenience, efficiency, improved documentation, ease of data entry, and the ability to have a portable medical record, use of a PDA, like any other medium, must comply with HIPAA requirements to protect a patient’s privacy.
Kara M. Friedman, JD, and Morgan G. Moran, JD, are attorneys in the Health Care Group at Ross & Hardies, Chicago, Ill.
With PDAs, Cooperation Is Key to Maintaining Privacy
For purposes of assessing the privacy requirements imposed on the use of the personal digital assistant (PDA) to store and retrieve personal health information, PDAs can be viewed as little more than portable computer terminals. Thus, while a physician could use a PDA in a clinical setting for retrieving reference material without adhering to a standard PDA protocol imposed by the provider, if the technology is used for storing and retrieving personal health information, it is in the interest of the healthcare provider (e.g., medical practice owner, hospital or outpatient clinic) to require that the PDA’s use and functionality be coordinated with the healthcare provider’s health information system. In the hospital setting, it may very well be the case that the more innovative physicians on staff will solicit hospitals for their assistance in making PDA software and documentation practices compatible with the hospitals’ systems. Some hospitals will be more amenable to creating wide functionality for these PDA users. In the hospital setting, however, it is the hospital itself that is regarded as the custodian of the patient’s health information. Thus, most hospitals will rightly first develop hospital information systems that comply with HIPAA and then accommodate PDA use. For example, a hospital may be urged to create a wireless interface that allows physicians to tap into the hospital’s main systems without ever connecting the PDA to another computer, much as they would make a telephone call using a cell phone. Information transmitted wirelessly to the mainframe, however, may be susceptible to interception, and cradle transmission (as opposed to infrared or wireless transmission) may be the first step toward PDA-to-mainframe integration when the privacy of patients is a key priority.
On the other hand, the probable documentation benefits of lessening the time between clinical inquiry and documentation of the information gathered based on such inquiry present hospitals with the incentive to develop the capability for full integration of PDA activities. Before investing significant expense and energy in developing optimal clinical use of a PDA, it would be wise to approach the medical staff coordinator(s) at the hospitals to ascertain the facilities’ ability and willingness to accommodate PDA users. – Kara M. Friedman, JD, and Morgan G. Moran, JD
