Posted: 04-Apr-2018 | Category: Documents | Uploaded by: steveepstein | 16 pages
mHIMSS Roadmap 6 (printed 7/30/2019), page 6-01
Roadmap sections: New Care Models | Standards and Interoperability | ROI | Payment | Technology | Legal and Policy | Privacy and Security
Privacy and Security (Section 6)

Contents
Introduction 6-02
Overview of Current State 6-02
Medical Device Regulations 6-04
Telehealth 6-04
Health and Wellness Services / Applications 6-05
Bring Your Own Device (BYOD) 6-05
Benchmarking and Potential Goals for Privacy and Security 6-06
Future or Proposed State of Privacy and Security for mHealth 6-06
Current State of Organizational Readiness 6-07
Use Cases, Emerging and Best Practices 6-07
Medical Apps: Definition 6-08
Consumer Sites 6-09
Patient-reported Data: The Integration of Consumer Data into EMR 6-09
Medical Devices 6-09
Telehealth and Monitoring 6-10
Policy Challenges 6-10
Breach Reporting 6-11
Legal Policies and Regulations 6-11
Best Practices/Resources 6-12
mHIMSS Privacy and Security Best Practices 6-12
Other Resources for Best Practices 6-13
Policy, Mandates, and Regulations 6-13
Proposed Future State 6-14
Strategies, Priorities, and Recommendations for Action 6-14
Future Considerations 6-15
Risks and Mitigation Strategies 6-15
Measuring & Benchmarking 6-15
Authors 6-16
References 6-16
Introduction

Privacy and security are the backbone of trust in healthcare. The mHIMSS Roadmap goal is to provide resources to help healthcare organizations and vendors protect patients' privacy and enable a secure environment.

Mobile health (mHealth) data presents a greater challenge to maintain security; however, it must still comply with HIPAA mandates, Food and Drug Administration (FDA) regulations, Office of Civil Rights (OCR) enforcements, and requirements from other governing agencies, as does the non-mobile health sector. Privacy and security in a mobile environment are, by nature, more of a challenge than data stored behind firewalls and concrete. However, many of the same rules apply to mHealth as in the enterprise environment. We need to remember that the only difference for a personal computer (PC), enterprise server, and a smartphone is size. For the majority of the breaches that are reported today, the thief just carried the equipment out the door or nabbed the device from a car seat. Size plays a very little role in protecting the data.

Privacy and security in healthcare involve a process that must be navigated to reach our destination of protecting the patient, providers, organizations, and vendors. The navigation process is complex and ever changing because of outside influences, such as legislation, politics, crime, and technology. The mHIMSS Roadmap is our navigation tool of goals and the pathway of our organization.

Topics covered in this section of the Roadmap include:
• Impact of Medical Device Regulations
• Bring Your Own Device Concerns
• Benchmarking and Potential Goals
• Patient Reported Data
• Breach Notifications

Overview of Current State

The terms mobile and wireless are used interchangeably when referring to devices, even though their formal definitions are different. Mobile refers to the ability to provide untethered functionality. A mobile device is anything that can be used on the move and unwired, ranging from WiFi-enabled laptops and mobile phones, to wireless devices that can communicate via Federal Communications Commission (FCC)-allocated frequency. If the location of the connected device is not fixed, it is considered mobile.

When voice and data are transmitted over radio waves it is considered wireless. A mobile device in fixed locations can access the wireless network. That is, a physical connection to the network is not required for connectivity. Wireless devices include anything that uses a wireless network to either send or receive data. Wireless is a subset of mobile, but in many cases, an application can be mobile without being wireless. The FCC mHealth Task Force recently defined mHealth: "mHealth traditionally stands for mobile health. This Task Force adopted the term more broadly to refer to mobile health, wireless health, and e-care technologies that improve patient care and the efficiency of healthcare delivery."[1]

Mobile smartphone apps (applications) provide many functions that require security and privacy (for example, mobile banking, password storage, personal health records [PHRs], and mobile payments). Legislation, such as the Sarbanes-Oxley Act, governs corporate security and privacy. The Payment Card Industry Data Security Standard (PCI DSS) provides guidelines for the credit card industry. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health
Act (HITECH) provide the governance over healthcare privacy and security. These laws and guidelines cross the boundaries of healthcare and impact compliance responsibility.

As mobile technology emerges in healthcare, it brings significant changes in healthcare delivery, increased engagement of patients, and the financial efficiencies of healthcare.[2] Mobile technology can give providers a closer to real-time view of patients and their conditions. mHealth provides the opportunity to improve medical system efficiencies and clinical outcomes by engaging patients in chronic disease management and medication compliance, and by extending healthcare access to the underserved (i.e., closing the Digital Divide).

Handheld devices (pads, tablets, smartphones, tablet PCs, and handheld scanners) use an array of messaging techniques, including short messaging service (SMS/TXT), general packet radio service (GPRS), the global positioning system (GPS), short-range Bluetooth, ANT+, and wider-range third and fourth generation mobile telecommunications known as 3G and 4G.

According to a recent industry study,[3] 38% of physicians use health-related mobile apps daily on smartphones or tablets, and that number is expected to increase above 50% within the next year. A study from Manhattan Research found that 71% of physicians surveyed already consider a smartphone essential to their practice. The remaining 70% of apps are directly engaging the consumer; this is also referred to as consumer facing, according to GlobalData, a New York-based market research firm.

The growing senior population in the US is driving advances in remote patient monitoring. The senior segment represented 13% of the US population in 2010 and is expected to reach 20.7% by 2050.[4] Chronic disease is more prevalent in our senior population. The point of care is shifting, and wireless remote patient monitoring provides the ability to monitor a patient in his or her own environment, thus giving healthcare providers an extended, more inclusive view of the patient. Implementing remote patient monitoring can provide cost-cutting intervention and many benefits, especially when incorporating remote patient-reported device data with electronic health records (EHRs).

Advances in remote patient monitoring include new peripherals, real-time audio and video for face-to-face interaction between clinicians and patients, wireless communication, systems that sort the vast amount of data collected in order to put it into the context of a patient's condition, portable and ambulatory monitors, web-based access to the patient record, systems that transfer data to an electronic medical record (EMR), and full-service outsourcing that includes a clinician to evaluate data and send a report to the attending physician, according to a summary of remote patient monitoring by a market research firm.[5]

Wireless Patient Monitoring Equipment

Wireless patient monitoring equipment covers a vast array of products. Wireless can be mobile or stationary. Handheld wireless patient monitoring devices include a wide range of products that provide to physicians data that supports diagnosis, consulting, monitoring, and treatment. Mobile administrative apps include products to streamline healthcare workflow and improve efficiency for better patient care. Other products include apps available on pads/tablets, smartphones, personal digital assistants (PDAs), and tablet PCs. Hardware includes passive and active radio frequency identification (RFID) tags and readers, scanners, and mBAN sensors, to name a few.

Active patient monitoring devices are normally deemed an FDA Class II Medical Device. It is recommended that companies developing these types of products contact a medical device advisor and/or the FDA to determine if their product needs Premarket Notification 510(k) and Premarket Approval. Many of the FDA requirements concern labeling, and this labeling can be the difference between needing a 510(k) or not. For example, a company develops an app to monitor consumers' hearts. If the app is marketed as a device that could assist a doctor in diagnosing a heart problem, the app will most likely have to have a 510(k) classification. If the same app is marketed as a device for personal use for monitoring one's heart, and warnings are provided that this app is not a medical device or should not replace a doctor, then the app will most likely not be classified as a medical device by the FDA. Note: The FDA has tools and guidance on its website to assist developers with these issues.

Healthcare Applications on Mobile Devices

The increased use of smartphones, pads, and tablets to achieve a physician's daily tasks drives adoption of mobile devices. This adoption of devices impacts providers' medical record choices and selections and ultimately security choices. Mobile functionality is a higher priority for early-adopter and tech-savvy providers, but is now moving to the more general population of physicians. Physicians are now using mobile devices for routine office activities such as maintaining schedules and signing off on prescriptions. However, this is quickly changing: a survey by EHR vendor Vitera Healthcare shows that nine of ten doctors would like to be able to access EHRs on their mobile devices. The new non-tethered Cloud EHRs will become more prevalent in the near future and most likely replace many first-generation EHRs.

Some EHR vendors are providing secure products to notify patients of laboratory results and changes in
medications via secure email or secure (not telecom carrier) SMS/TXT sent directly to patients' cell phones. One workflow example: patients receive an email or SMS indicating that a new message or a lab result is available to view within the provider's secure patient portal. A system that utilizes SMS/TXT must not use standard telecom delivery systems because they are not secure. A HIPAA-compliant system must be sending these messages. SMS/TXT messages are asynchronous and do not provide a guaranteed delivery. Another issue that needs to be considered is ambient or vicinity privacy. Many times cellphones are not secure and often are shared between friends, acquaintances, and family members. We must consider the content that is being delivered to the phone and the environment in which the phone is used to determine if the content is appropriate for this type of retrieval.
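One way to enforce the two controls this notification workflow relies on, as an added example that is not part of the Roadmap or any vendor's product: the notice body carries no PHI (only a nudge and a portal link, so a shared or unlocked phone reveals nothing), and the notice is handed only to a secure channel, never to carrier SMS, with asynchronous channels flagged because delivery is not guaranteed. The channel table, the portal URL and the sample result record are constructed assumptions.

```python
"""Content-minimized patient notifications for the lab-result workflow.

Added example, not part of the mHIMSS Roadmap or any vendor product. The
channel names, the portal URL and the sample result record are constructed.
"""
from dataclasses import dataclass
import re

# Constructed sample of what the portal holds for one patient. None of these
# values may reach the phone; the patient sees them only after portal login.
SAMPLE_RESULT = {
    "patient_name": "Jane Example",
    "mrn": "MRN-0001234",
    "test": "HbA1c",
    "value": "7.9 %",
    "ordering_physician": "Dr. Constructed",
}

PORTAL_URL = "https://portal.example-health.test/inbox"  # assumed placeholder

# Constructed channel table. "carrier_sms" stands for standard telecom
# delivery, which the text rules out; the others stand for a HIPAA-compliant
# messaging service. SMS-style channels give no delivery guarantee.
CHANNELS = {
    "secure_email": {"secure": True, "guaranteed_delivery": True},
    "secure_sms": {"secure": True, "guaranteed_delivery": False},
    "carrier_sms": {"secure": False, "guaranteed_delivery": False},
}

# Fixed wording per event kind: says *that* something is waiting, never *what*.
TEMPLATES = {
    "lab_result": "A new lab result is available in your patient portal.",
    "medication": "A medication update is available in your patient portal.",
    "message": "You have a new message from your care team.",
}


class PolicyViolation(Exception):
    """Raised when a notice would leak PHI or would use an insecure channel."""


@dataclass
class Notice:
    channel: str
    body: str
    needs_delivery_confirmation: bool  # True for asynchronous (SMS) channels


def compose_notice(kind: str) -> str:
    """Return the generic nudge text plus the portal link for one event kind."""
    return f"{TEMPLATES[kind]} Sign in to view: {PORTAL_URL}"


def _normalize(text: str) -> str:
    """Lower-case and drop whitespace so spacing cannot hide a value."""
    return re.sub(r"\s+", "", text).lower()


def leaks_phi(body: str, record: dict) -> list:
    """Return the names of record fields whose values appear in the body.

    Last line of defence against a template that interpolated, say, the test
    name or the result value into the outgoing message.
    """
    flat = _normalize(body)
    return [key for key, value in record.items() if _normalize(str(value)) in flat]


def channel_permitted(channel: str) -> bool:
    """True only for channels the organization has classified as secure."""
    return CHANNELS.get(channel, {}).get("secure", False)


def dispatch(kind: str, channel: str, record: dict) -> Notice:
    """Build and policy-check a notice for one patient record.

    Raises PolicyViolation instead of sending when either control fails. The
    returned Notice flags asynchronous channels so the caller can poll for
    delivery or fall back to another channel.
    """
    if not channel_permitted(channel):
        raise PolicyViolation(f"{channel!r} is not a secure channel for PHI workflows")
    body = compose_notice(kind)
    leaked = leaks_phi(body, record)
    if leaked:
        raise PolicyViolation(f"notice body contains PHI fields: {leaked}")
    return Notice(
        channel=channel,
        body=body,
        needs_delivery_confirmation=not CHANNELS[channel]["guaranteed_delivery"],
    )


def naive_body(record: dict) -> str:
    """What an unchecked template would send: the result itself (for contrast)."""
    return f"Hi {record['patient_name']}, your {record['test']} is {record['value']}."
```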
Medical Device Regulations

The mobile medical device market is experiencing an explosion of software solutions, apps (i.e., Smartphone Applications, see below) that potentially offer new modalities of care, blurring the distinction between a more traditional provision of clinical care by physicians, and the self-administration of care and well-being. Mobile medical devices are reaching the next generation of development. The healthcare industry recognizes a greater need for a regulatory framework that will govern development, promotion, and use. Regulations by which healthcare is regulated are quite different than those for commercial industry. To those unfamiliar, medical device regulations can appear complex and burdensome, even a hindrance to innovation and product development. However, patients' health, well-being, and right to privacy mandate these stringent regulations.

Development of mobile medical applications is opening new and innovative ways for technology to improve health and healthcare. Apps that allow medical professionals and patients to access already publicly available material, or perform administrative tasks, are not regulated. However, regulators are indicating that other types of mobile medical apps should be regulated. FDA-classified apps should be developed, manufactured, and supported in compliance with regulations.

On July 19, 2011, the FDA announced its proposed official action, including defining mobile medical applications (MMA) that are subject to FDA action. The FDA defines an MMA as "a software application that can be executed (run) on a mobile platform or a web-based software application that is tailored to a mobile platform but is executed on a server, where that software already meets the general definition of a medical device as found in 210(h) of the Federal Food, Drug, and Cosmetic (FD&C) Act." There are three categories of apps identified:
• Apps for the purpose of displaying, storing, analyzing, or transmitting patient-specific medical device data, i.e., data that originated from a classified medical device, a Medical Device Data System (MDDS), class 1.
• Apps that transform or make a mobile platform into a regulated medical device [...] or [perform] similar medical device functions.
• Apps that allow the user to input patient-specific information and, using formulae or a processing algorithm, output a patient-specific result, diagnosis, or treatment recommendation that is used in clinical practice or to assist in making clinical decisions.

For more information on the legal definitions of MDDS, see the policy section of the mHIMSS Roadmap.

Telehealth

Telehealth, as defined by the Department of Health and Human Services (HHS), is: "The use of electronic information and telecommunications technologies to support remote clinical health care, patient and professional health-related education, public health and health administration." Telehealth enables collaboration of healthcare professionals to provide healthcare services across a variety of settings and distances.

Telemedicine usage ranges from synchronous video chat between a patient and a doctor, to conferencing between doctors, to conferencing between doctors and allied health professionals (e.g., nutritionists, physical therapists), to providing live or recorded presentations to groups of patients, all who are geographically separated. But telehealth, currently being used worldwide, still faces challenges. The primary obstacle to widespread adoption of telemedicine is provider reimbursement. Currently, each episode of care is monetized; the more visits, the higher the cost. The accountable care organization (ACO) model as illustrated in the American Care Act incentivizes providers to see patients in a number of convenient ways (e.g., in person or via email, SMS, TXT, video chat, or data transfer). Alternative communication methods can be helpful for both parties in terms of time, convenience, and care access.

Telehealth privacy and security are governed by HIPAA and HITECH. Just as patients are protected in encounters within the walls of a health facility, so they are in remote telehealth sessions.
Health and Wellness Services / Applications

Currently, consumer health and wellness services/applications are largely based on using mobile phones as user PCs. Historically, the mobile device's processing power has been slow at the user interface, producing a sluggish user experience. This is changing with availability of the faster 3G and 4G communication standards. Smartphones are becoming ubiquitous. In January 2012 there were more than 100 million smartphones in the US alone.

The consumer app choices include the following:
• Use of mobile platforms (phones, tablets, portable entertainment devices) to access health and wellness information, track personal health conditions, and interact with care professionals and care organizations;
• Use of mobile apps and widgets[10] for health-related purposes;
• Motivational factors, satisfaction, and unmet needs when consumers use mHealth apps and solutions;
• Use of Web 2.0 tools and mobile social networking solutions for health-related purposes;
• Interest in mobile-based care solutions, services, and apps, as well as willingness to spend for these offerings; and
• Games are being developed to improve overall health and well-being.

These apps are available primarily from the phone manufacturers' online stores, such as Google Play or iStore. Soon patients will be able to obtain health apps directly from their doctors or insurance companies via their own online stores.

Bring Your Own Device (BYOD)

Providers and patients initiated the consumerization of health IT by driving the adoption of consumer technologies in the healthcare enterprise. However, employees have been bringing devices such as laptops and mp3 players to the workplace and accessing company networks for many years. The amount and types of devices are growing at an unprecedented rate. Today there are many different types of devices that have the ability to access the network. The volume of guests requesting access has also changed, from children with their own smartphones and electronic game devices, to retirees with WiFi tablets. Bring-your-own-device (BYOD) is one of the more dramatic results of consumer preference, rather than corporate initiative. However, many of these technologies were not developed with enterprise requirements in mind. Currently, health IT staff may lack the knowledge or experience associated with enterprise mobile security and privacy. The enterprise is requiring a well-defined risk management strategy with which to govern devices, application deployment, and daily management.

In recent comments, HHS posted a warning against employing a BYOD strategy that stated, "If IT administrators don't implement the correct mobile device for the right job or are slow to integrate [mobile devices] into the work place, they run the risk that employees may use their personal mobile devices to perform their duties. If a healthcare professional uses a personal device such as a smart phone, tablet or USB device to access patient information, at risk for theft or accidental loss of the device is patient information on an unencrypted or protected device that is not password protected." Though this statement is valid, organizations have the opportunity to preempt security issues with the proactive approach of enacting policies and procedures to control access.

Organizations' BYOD strategy for privacy and security should include the following:
• Device choices: Do you support all devices, and do you understand the privacy and security implication of each?
• Trust model for risk assessment
• Liability
• Sustainability
• User experience and privacy (e.g., agreements, signature, opt-in)
• App design and governance
• Economics
• Internal marketing
• Employee (user) training
• Cost and budget
• Traffic and bandwidth considerations
• Guest policies
• Up-to-date terms and conditions in electronic form
• Priority and preemption

BYOD holds tremendous advantage for organizations as a way of reducing costs. For example, if employees purchase their own devices and use them at work, there is saving of capital equipment, support, and maintenance. However, the true value of a well-designed BYOD program is increasing provider and employee satisfaction, productivity, and rapid adoption of technology across the enterprise.
Benchmarking and Potential Goals for Privacy and Security

The ultimate goal of privacy and security is to provide as much effort as needed to protect patients' PHI from a breach or from being compromised. This is a tall order to strive for; however, technology and policies make it possible and highly probable. Patient privacy is based on and protected by HIPAA. UC Berkeley summarizes PHI as "any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment." HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment or operations.

The benchmark for privacy must be 100% secure PHI. Electronic security restraints are always changing as computers become faster and have a better capability of breaking encryption. As hackers become more skilled in finding new vulnerabilities in both software and hardware, a once-secure platform of protection can be compromised. Testing is an organization's tool to benchmark and locate vulnerabilities in systems.

Recommendations
• Develop guidelines for protection of PHI;
• Develop guidelines and examples of test plans for testing PHI. This should include software and hardware systems and devices; and
• Develop acceptance and regression testing guidelines.

Future or Proposed State of Privacy and Security for mHealth

To envision the future of security and privacy in mHealth, follow the money, politics, and culture. Although no one is a good predictor of the future, privacy and security remain the same, whether digital or paper, stationary or mobile, for protecting patients' PHI. The extent of protection depends on what individuals and cultures demand. The US, France, and others have stringent demands concerning security, while other countries are more lax in their efforts. There are many issues that surround this discrepancy, e.g., political, payment systems, and culture. There is also the perception of security that surrounds how we live. Most of us get into cars, or walk down the sidewalk, without a second thought to security. However, perceptions do change without warning, as do security and privacy needs. The point is that privacy and security are a fluid force that must be constantly monitored and scrutinized.

During a conversation at the StrataRX Conference with John Mattison, CMIO of Kaiser, he mentioned the possibility of utilizing avatars to provide proxies for identification, a concept of disassociating a person's true identity or persona with one or more symbols (avatars). In the event of a breach, the proxy persona could be deleted.

Use Case: Providing Network Access for Visiting Caregiver

Problem: On the first day of the locum physician's assignment at a local hospital, she brings her personal laptop, smartphone, and tablet and requests access to the network.

Policy objectives:
• Control access; provide access when appropriate;
• Provide terms and conditions of usage;
• Mobile device management (MDM);
• Secure control access to patients' personal health information (PHI);
• Multiple guest devices to support.

IT objectives:
• Control access via technology;
• Provide caregivers access to do their job;
• Protect network and PHI;
• Monitor who and what is on the network;
• Determine locum physician's network needs as they relate to her job.

Overview of Current State

In 2011, nearly all of the 164 respondents participating in the 1st Annual HIMSS Mobile Technology Survey indicated that clinicians in their organizations accessed information via a mobile device, with laptop computers and computers/workstations on wheels (COWs/WOWs)
Additionally, a wide variety of other professionals, including executives and support staff, were using mobile devices to perform daily activities.

Key results of the survey include:
- Respondents believed that the mobile technology environment was very immature.
- Tools were needed to secure devices.
- Policies were very wide in coverage, though many were planning to update policies.
- The majority of mobile use in a clinical environment was to access non-PHI information.
- Two thirds of the respondents noted that they could access clinical data off-site with approved security.
- Inadequate privacy and security was the barrier to the use of mobile technology at their organization most frequently identified by survey respondents.
- About half of respondents noted that their organization supported BYOD for daily work activities.
- Passwords provided the dominant element of system security.
Current State of Organizational Readiness

According to an mHIMSS annual mobile survey, only 73% of healthcare facilities use data encryption. Only 52% utilized remote wiping capabilities on their mobile devices. These results do not provide a clear view into the readiness of organizations; however, they do show a trend towards security. Organizations indicated that passwords are used by 92% to protect devices; however, passwords provide very little protection for actually securing data. The primary method to protect PHI is by encrypting the PHI. This is a major concern when there are so many storage devices containing PHI that just disappear from healthcare facilities, causing breaches. The key survey results show that there is more work to be done in the area of mobile security at the organizational level.

Mobile technology connecting to the Cloud is expected to increase as the need to retrieve app and sensor data increases. These platforms accelerate the ease of updating remote client software, increasing deployment of new features and enhancing security of PHI by storing data in the Cloud rather than on mobile devices.
Use Cases, Emerging and Best Practices

Technology Challenges

The challenge that we face in healthcare today is the accelerated rate with which mobile technology is changing healthcare. The movement from paper records to digitalized records via the EHR has opened the door to use patient data as never before. This is not a phenomenon that is exclusive to the US. The challenge is to keep abreast of the latest trends and momentum in technology.
Encryption

Encryption is essential in protecting patients' PHI along the entire chain of responsibility. For example, a physician accepts patient-reported health data via email and responds to the patient via email. The patient-reported data is now the responsibility of the provider to secure as protected (covered) PHI. The communication of the provider to the client is also protected and must be secure. If the physician decides to store the PHI online, the covered organization should consider using encryption as a means to protect the data in the event of a breach. Encryption is one of the best tools to secure PHI; in the event that the media that houses the PHI is compromised, the encrypted PHI is still safe. We must remember that the need to protect PHI is the same for mobile or other systems. Many obstacles such as on-board storage or processing power, present only a few months ago, are no longer issues. The latest mobile devices have 4G transmitters that can receive over 20 Mb/s and house quad-core 1.4 GHz processors with up to 1 GB RAM and 64 GB of storage. By the time this document is posted, this may seem obsolete.
To summarize, the power needed in a mobile device is no longer an issue that needs to be discussed.

Recommendations
- Develop a recommendation on the type of encryption that should be utilized (Advanced Encryption Standard, or AES).
- Develop recommendations for transmission of PHI (Secure Sockets Layer, or SSL; virtual private network, or VPN).
- Define PHI to clarify what protection is needed and when.
- Develop best practices for encryption use.
- Develop an international approach to security.
- Develop export recommendations for US companies. It is a violation of Department of Commerce rules to export products with symmetric algorithms using keys longer than 64 bits.
- Develop guidelines for documenting procedures and policies for securing PHI data. Note: the majority of encryption guidelines are the same for both mobile and non-mobile, with one exception: export laws. It is illegal to export software from the US that is stronger than 64-bit, per the Department of Commerce.
Medical Apps: Definition

Though not a definition of a medical app, the FDA states, "Consumers use mobile medical applications to manage their own health and wellness, which in some instances includes apps. Health care professionals are using these applications to improve and facilitate patient care. These applications include a wide range of functions, from allowing individuals to monitor their calorie intake for healthy weight maintenance to allowing doctors to view a patient's x-rays on their mobile communications device."

Many media sources have mentioned the ever-increasing number of medical apps on the market today. Though these numbers seem to be staggering, we must place these findings into context. Companies like Apple and Google create a lot of buzz by tossing out these public-relations-based statistics. Although an app is self-proclaimed by the developer to be a health app, that is not always reflective of the functionality of the app. Currently, there is no consistent formal definition of a health app within the industry. The FDA does define a medical device. However, the majority of manufacturer-classified health apps are not medical devices, and many have little to do with clinical or even personal health. App developers should be versed in the FDA law on labeling. This is an issue that can lead the developer into problems with the FDA.
Code (Software) and Architecture: Who Writes Software and What about Security?

Currently, almost anyone from anywhere, at almost any age, can write and publish an app onto the Web. Apple's developer age limit is 13 years old; however, there have been younger children submitting apps under their parents' accounts. A mother of a 12-year-old told me that she set up a developer's account with Apple for her son, under her name. We should not be concerned with the age of the developer; instead, the concern should be directed at what is produced and the transparency of the developer. Currently, there are no requirements for skill, age, knowledge, credentials, or cited documents that support app development.
Recommendations
- Develop guidelines for developers, including standards for acceptance specific to healthcare.
- Develop peer review standards for apps and software.
- Develop standards for proving efficacy.

Security

The majority of apps on the market today provide little or no security, and many of the users are unaware of this shortcoming. Some of the leading apps, which display users' PHI, do not even have a password to secure access.

Recommendations
- Develop guidelines on securing PHI for software and hardware.
- Develop guidelines for transmitting and storing PHI.
- Develop testing requirement guidelines.
- Develop policies and procedures (most important).

Target Market: Consumers

The mHealth consumer market is predicted to explode, leading to the marketing of more apps to all healthcare stakeholders.

As with the provider market, it is difficult to provide an accurate count of true medical apps. The definition of a medical app is ambiguous at best. For example, Epocrates is known to be one of the best provider apps made. However, Epocrates is a content app that displays data, the same data that could be viewed via a mobile browser. Should this be classified as a medical app or online documentation?
Consumer Sites

Medical apps are available from many sources, including smartphone manufacturer sites such as Apple's iTunes, Google Play, and Windows Phone. Android apps, unlike those for the other phones, are available in multiple locations including Google Play, Amazon, and developers' websites. Rules and regulations of distribution, which are provided by these sites, are produced for all apps and are not clinical in nature. Security and efficacy are the responsibility of the developer, providing little oversight except unskilled consumer reviews/opinions. There is no oversight of the reviewer, leaving the consumer very exposed to biased, unqualified opinions.
Education and Monitoring

Consumers' awareness and knowledge of privacy and security vary in many ways, and are influenced by the abundance of political and corporate rhetoric that surrounds healthcare privacy and security. Education and awareness campaigns provide an effective way to assist consumers in understanding and trusting health privacy and security measures. Monitoring these efforts serves as a barometer of consumers' attitudes towards these issues.

Recommendations
- Develop an efficacy plan/guidelines for consumer apps. An efficacy plan is a means to assist developers in building apps on cited studies. A number of organizations are looking to establish guidelines to inform consumers of: 1. the review of apps by an independent body; and 2. that the guidelines are readily understandable by the consumer.
Patient-reported Data: The Integration of Consumer Data into EMR

Electronic patient-reported data is a new frontier in patient-centric care, and very little work has been done to address associated issues. The majority of apps on the market today do not provide a method to securely export the app-collected health data. A few of the apps do provide a feature which allows the user to insecurely email their data to a provider. One reason that providers are reluctant to accept patient-reported data is because of HIPAA liability and their responsibility to secure patient data.

One of the primary issues with importing patient-reported data into an EMR is how to identify the collector of the data. EMRs are designed to store providers' clinically entered data, not patient-reported data. The Health Level 7 (HL7) organization is working on initiatives to label patient data, to be able to differentiate the data. HL7 is also working on modern protocols that are more suited for the mobile environment: Fast Healthcare Interoperability Resources (FHIR). The filtering and aggregating of the possible deluge of incoming patient-reported data is a topic of concern as more sensors become available for remote monitoring. For example: the patient is an 85-year-old woman with co-morbidity; she utilizes several health smartphone apps and connected bio-sensors: ECG, CHF, images, and diabetes monitor. The collected data is automatically uploaded to the physician's EHR.

Recommendations
- Provide guidelines for patient-reported data for EMR integration.
Medical Devices

The FDA defines a medical device as "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
- Recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them;
- Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or
- Intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."

State laws and regulations must also be considered when developing medical apps. State laws can and do differ from FDA rulings, as well as from other states. It is prudent for developers to understand the laws of the states to which they are marketing.

Software apps as medical devices are new, untested ground for medical regulation agencies. Several federal agencies were vying for the responsibility to monitor and regulate apps until July 9, 2012, when Congress gave the FDA jurisdiction over apps in the Food and Drug Administration Safety and Innovation Act (FDASIA). Medical Device Data Systems (MDDS) is a newly identified FDA Class 1 Medical Device, which affects many of the apps on the market today. The classification covers systems that transport medical data from a classified medical device (e.g., downloading glucose monitoring data from a monitoring device). It also covers
apps that display medical data that is collected from a classified medical device (e.g., Microsoft HealthVault is a classified medical device [Class 1] and by default, apps that connect to HealthVault and display data collected by HealthVault also fall under the classification of a Medical Device Data System, Class 1 medical device). There are many apps on the market today that are disregarding this requirement for classification. It is only a matter of time until the FDA begins to enforce this requirement and issue fines.

Note: The reference to HealthVault was made to illustrate the relationship between FDA-classified medical devices and consumer apps.

Recommendations
- Define within the mHIMSS guidelines the FDA requirements.
- Set up a subcommittee to monitor FDA activity as it pertains to mHealth.
Telehealth and Monitoring

IMS Research forecasts that more than 50 million wireless health monitoring devices will ship for consumer monitoring applications during the next five years, with a smaller number being used in managed telehealth systems (i.e., associated with managed care). Active patient monitoring requires an FDA Class 2 certification and 510(k) clearances. Certification is a costly and time-consuming process.

Integration of Patient-reported Data into EMR

Patient-reported data (information that is not collected by a physician or a licensed medical provider) is an important part of patient-centric care. Several EMR vendors claim to have integrated telehealth data into their EMR. Little is known about the formats of these stored files. Many EHRs can import files into a patient's electronic records; it is possible to utilize this facility to store telehealth systems' exported files (audio/video).

Recommendations
- Follow and report on the standardizing of A/V files and formats.
- Develop a standard for transferring and storing files.
Policy Challenges

Bring Your Own Device (BYOD)

BYOD is not a new concept: employees have been bringing their laptops to their workplaces for many years. The clear impact to organizations is the number of devices that require access to the healthcare network. No longer is it just employees demanding access; patients, visitors, and guests are now vying for network resources. The more devices are added to the network, the more exposure an organization has to intrusion. The challenge is to provide a balanced solution for all stakeholders. BYOD policies need to be crafted explicitly for the facility and its users. Smartphone app usage can also increase liability, compromise privacy, and add load to the network.

In the soon-to-be-published (March 2013) HIMSS book on security and protecting organizations, Jeff Brandt illustrates the following guidelines for BYOD policies:

Access and authorization:
- Who: Who are you allowing on the network?
- What: Which devices are you allowing on the network (this will be a moving target as new devices are introduced)? What apps will have access to the network?
- Where: What are the boundaries and far-reaching arms of remote networks (e.g., can providers reach the network from remote sites on their own devices)? How powerful is the Wi-Fi signal and how far away from the building can it be accessed? Is there video capability in the operating room or emergency department?
- When: Consider time-of-day usage per user profile (e.g., the human resources department has access from 9:00am-6:00pm only). Are visitors allowed access to the network beyond visiting hours?
- How many: Connections have real cost associated with them, such as support and bandwidth. Your plan needs to consider limiting the number of guest users on your network at one time, and permitted usage (e.g., streaming music and video).

Recommendation
- Develop guidelines and best practices to support BYOD policies.
Medical Apps Policy Challenges

Medical apps, and apps in general, have the opportunity to expose protected data and compromise an organization. Since smartphones are employees' property and many times their only telecommunications device, the phones present an ongoing challenge in the workplace. Currently, smartphones have storage capability up to 64 GB, providing the opportunity to quickly upload a significant amount of information. Many organizations limit what an employee can download onto company-owned devices. Organizations may want to consider developing a white list of apps that have been declared safe for use.

Storage of PHI

Secure storage of PHI is the legal mandate that patients and their families have entrusted to healthcare organizations. It is the duty of developers, vendors, and organizations to extend this trust relationship and guarantee that patients' health data is not compromised. The process of securing PHI goes lockstep with strong policies and procedures, as well as enforcement. The second part of securing PHI is the use of technical barriers and security solutions such as encryption, the best and only way to ensure that PHI is safe.

Recommendations
- PHI should be encrypted utilizing AES128.
- PHI should remain encrypted at all times (except when in use), regardless of whether it is on a device or not.
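The following is an added example (not code from the Roadmap or from HIMSS) showing the two recommendations above together with the Encryption section's point that PHI on compromised media stays safe: a record is sealed with AES-128 before it is stored and is decrypted only at the point of use. The choice of GCM mode, the field names in the constructed sample record and the `PLACEHOLDER-ID` patient identifier are this example's assumptions, not the Roadmap's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyLen is 16 bytes: the recommendation names AES128, so a key of any other
// length is rejected rather than silently selecting AES-192 or AES-256.
const KeyLen = 16

// SealedPHI is the only form in which a record is written to a device, a
// database column or cloud storage: a per-record nonce plus the authenticated
// ciphertext. The plaintext is never persisted.
type SealedPHI struct {
	Nonce      []byte
	Ciphertext []byte // GCM output, including its 16-byte authentication tag
}

// newGCM builds an AES-128-GCM AEAD; GCM is this example's mode choice
// (assumption), picked so that any change to stored bytes is detected.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeyLen {
		return nil, fmt.Errorf("AES-128 requires a %d-byte key, got %d bytes", KeyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals a PHI record. The context string (for example the patient
// identifier and field name under which the record is stored) is bound as
// associated data, so a ciphertext moved to another patient's row fails to
// decrypt instead of quietly disclosing the wrong patient's data.
func EncryptPHI(key, plaintext []byte, context string) (SealedPHI, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return SealedPHI{}, err
	}
	// A fresh random nonce for every record: reusing a nonce under the same
	// key destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SealedPHI{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(context))
	return SealedPHI{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPHI is called only at the point of use. A wrong key, a different
// context, or any modification of the stored bytes all fail authentication,
// and no partial plaintext is returned in that case.
func DecryptPHI(key []byte, sealed SealedPHI, context string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, sealed.Nonce, sealed.Ciphertext, []byte(context))
	if err != nil {
		return nil, errors.New("PHI record failed authentication; refusing to return data")
	}
	return pt, nil
}

// TamperDetected flips one byte of a copy of the stored ciphertext and reports
// whether decryption refuses it, i.e. whether a record altered at rest is caught.
func TamperDetected(key []byte, sealed SealedPHI, context string) bool {
	forged := SealedPHI{Nonce: sealed.Nonce, Ciphertext: append([]byte(nil), sealed.Ciphertext...)}
	forged.Ciphertext[0] ^= 0x01
	_, err := DecryptPHI(key, forged, context)
	return err != nil
}

func main() {
	key := make([]byte, KeyLen) // in production this comes from a key store, not the app binary
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record; PLACEHOLDER-ID is not a real patient identifier.
	record := []byte(`{"patient":"PLACEHOLDER-ID","glucose_mg_dl":112,"taken":"2013-01-15T08:30:00Z"}`)
	ctx := "patient:PLACEHOLDER-ID/field:glucose"
	sealed, err := EncryptPHI(key, record, ctx)
	if err != nil {
		panic(err)
	}
	fmt.Printf("at rest: %d-byte nonce + %d-byte ciphertext, no plaintext stored\n", len(sealed.Nonce), len(sealed.Ciphertext))
	// Point of use: decrypt, use, and discard; nothing is written back in the clear.
	pt, err := DecryptPHI(key, sealed, ctx)
	if err != nil {
		panic(err)
	}
	fmt.Println("in use:", string(pt))
	fmt.Println("tampered copy rejected:", TamperDetected(key, sealed, ctx))
}
```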
Breach Reporting

The Breach Notification Rule is covered by the HITECH Act (see below). The regulations and notification instructions can be found on the HHS website.

Legal Policies and Regulations

This section of the Roadmap covers laws and regulations as they pertain to the privacy and security of healthcare IT. Though not an extensive list, we are focusing on highlighting recently drafted federal legislation. Individual state policies, regulation, and legislation are beyond the scope of this document.
HIPAA

HHS states: "The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety."

There is a lot of confusion around HIPAA guidelines and who has to abide by them. The HIPAA Privacy and Security Rules apply only to covered entities. These entities include healthcare providers (doctors, clinics, etc.), health plans, and healthcare clearinghouses (processors of non-standard health data). If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule.

The University of Miami Miller School of Medicine states that HIPAA has two main goals, as its name implies:
- Portability: ensuring that health insurance is portable when persons change employers; and
- Accountability: making the healthcare system more accountable for costs, trying especially to reduce waste and fraud (i.e., save money).

HIPAA states: "To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled."

"It is the purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information."
HITECH

The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules:
- Consent (informed)
- HIPAA Consent ruling
- Standards for Privacy of Individually Identifiable Health Information [45 CFR Parts 160 and 164]

International standards
Laws that govern providers worldwide may differ in many ways. International organizations set uniform guidelines for providers. One example is consent. After World War II, the Nuremberg Code of 1947 set guidelines on informed consent, followed by the Declarations of Helsinki.

Breach Notification Rule

The Federal Trade Commission's (FTC) Breach Notification Rule on improper access of PHI has been extended to EHR and PHR vendors and services that connect to PHRs in their final rule. PHR vendors or connected vendors are required to notify the FTC and all individuals whose information is the subject of a breach no later than 60 days after discovery. There are also additional obligations for PHR vendors (see Final Rule).

Recommendation
- Develop a subcommittee to track international health laws and guidelines as they pertain to mHealth.

Best Practices/Resources

Healthcare best practices provide consistently well-performing guidelines and methods that can serve as trusted benchmarks to develop and evaluate systems.

HIMSS Mobile Toolkit

The HIMSS Mobile Security Toolkit assists healthcare organizations and security practitioners in managing the security of their mobile co