10 Ways To Strengthen Healthcare Security

Mobile app developers want government healthcare agencies to make HIPAA regulations more flexible and current to meet consumer, technology, and provider needs.

In a letter sent Monday to Representative Tom Marino (R-PA), ACT, the association for application developers, in conjunction with AirStrip, Aptible, AngelMD, CareSync, and Ideomed, asked Department of Health and Human Services to "take a fresh look" at the Health Insurance Portability and Accountability Act (HIPAA) to ensure the regulation fits today's world, consumer requirements, and technological offerings.

"This is not pontification. This is about proactive changes to the guidance. That's why it is so tactical and so specific. We've all seen those letters that are broad and beautiful and ultimately unsuccessful. We need change and we need it now," said Morgan Reed, ACT's executive director, in an interview. "We are actively working with other members of Congress on both sides of the aisle to get to the expected outcome. I fully expect a bipartisan effort to move this forward to affect HIPAA."

[Smartwatches as cancer treatment devices? Read Intel Points Wearables, Big Data At Cancer Research.]

Too often, providers and consumers are dissatisfied with the user experience they encounter with electronic health records (EHRs), he said. Thirty percent of hospital executives are dissatisfied with their EHRs, a recent Premier study found. Consumers are concerned about privacy and security, surveys show. Although 83% of 3,687 people polled this spring expect hospitals to use EHRs, only 53% trusted their information was safe, according to The Morning Consult. Those who distrust EHR security were five times more likely to withhold information from their providers, an Office of the National Coordinator for Health IT (ONC) study found earlier this year.

Rep. Marino told InformationWeek:

We are seeing a boom in innovation and technological advances in the healthcare space, but unfortunately our regulatory environment has not kept pace with this progress, and is now hindering growth and leaving job creation hanging in the balance. I would like to see the Department of Health and Human Services, as well as other governmental departments that enforce and regulate the implementation of Health Insurance Portability and Accountability Act standards, revamp the way in which they provide information and interact with the public, including large and small healthcare companies. A company should not be forced to staff up with a dozen lawyers simply to ensure they are in compliance with the law. Rather, the burden should be on a transparent and responsive government to provide clarity and guidance, so companies can focus on growing their businesses and providing better and more innovative products and services to the public.

To improve communication between providers and consumers and simplify the process for developers to enter the healthcare market, ACT and other letter signatories made the following requests:

Make existing regulation more accessible to technology companies.
A dearth of user-friendly resources makes entering healthcare a challenge for technology companies. Without assistance from expensive third-party consultants or the ability to understand "inside the Beltway" tools such as the Federal Register, startups and smaller developers in Silicon Valley and other high-tech regions operate at a disadvantage, said Reed. Like other agencies that work with software companies, the ONC should give developers the information they need to write mobile health apps on a website that features directories, appendices, technical documentation, and searchable databases, as well as updated FAQs, so app developers can learn from others' examples. 

Improve and update guidance on acceptable implementations.
The remote use documentation on HHS's website pre-dates Apple's iPhone rollout. Last updated in December 2006, it does not include information on any new Apple iOS or Android phones or tablets, making it challenging for developers that want to ensure their apps meet HIPAA regulations. ACT recommends that the Office of Civil Rights (OCR) provide implementation standards or examples of standard implementations that would not begin an audit. For example, the group requests clarity regarding cloud and compliance: Currently, it is unclear what is needed when encrypted data is stored in the cloud and the cloud provider has no access to the encryption key.

Enhance outreach to new players in the vertical.
Rather than focus primarily on existing healthcare organizations, HHS and its agencies should expand their reach and presence to non-traditional players that want to enter this vertical. It should encourage existing mobile app developers to consider healthcare as an option, in part by participating in events far beyond Washington, ACT said.

Without changes, healthcare app developers must limit improvements to their software, Reed told us.

"We see many thousands who've foregone improvements on their products because they see a regulatory morass around HIPAA that they don't understand."

Although there are currently about 35,000 health and fitness apps on the market, the number, quality, and usefulness would increase if HIPAA were more understandable and less complex, Reed added.