AMT Blog

FaceTime: A HIPAA Compliant App transforming Doctor-Patient Communications

Healthcare communications are rapidly changing – patients now routinely email their physicians, physicians connect with each other via mobile-based professional networks, and more. The introduction of Apple’s FaceTime video chat sparked excitement and discussion in the healthcare community about its possible use in telemedicine. However, many were wary about associated patient privacy issues and HIPAA compliance.

It seems that this question has now been answered. According to Apple, calls made via FaceTime can be HIPAA-compliant with the appropriate security configuration. The news that this ubiquitous, free communications platform meets these rigorous standards has potentially wide implications for how patients, physicians, and others in healthcare communicate.

To be fair, it's not quite as simple as just opening FaceTime and calling your patient. Specifically, the WPA2 Enterprise configuration provides an extra level of authentication when establishing a wireless connection. WEP does not provide the appropriate level of security, and WPA and WPA2 Personal settings are questionable. FaceTime calls themselves are fully encrypted as well.

According to an email from Apple to ZDNet:

iPad supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection.

In addition to your existing infrastructure, each FaceTime session is encrypted end to end with unique session keys. Apple creates a unique ID for each FaceTime user, ensuring FaceTime calls are routed and connected properly.

FaceTime has numerous potential applications in healthcare. Simple applications include a primary care provider communicating with his or her patients or a hospitalist checking in with a patient when they can’t get to the room. It also opens the door to more complex apps utilizing the iPad and iPhone 4 forward-facing cameras as part of telemedicine systems.

This is favorable from a financial standpoint, since only HIPAA-compliant devices are eligible for government grants. As such, the iPad may now find further use in telemedicine programs, particularly those seeking to back up their interventions with data. With the prospect of increased federal funding and the growing popularity of telemedicine, the timing of this announcement could prove to be particularly fortuitous.

One interesting question, particularly in light of the recent FDA meeting, is what kind of regulatory attention this may attract for FaceTime. Intended use, a heavily debated topic at that meeting, could prove to be particularly complex here – a consumer app with healthcare applications that are, to some extent, being promoted by Apple.

FaceTime has the potential to broaden the exchange of information among physicians, provide greater convenience to patients, and improve the quality of patient care. The assurance of a secure connection may prompt more physicians to adopt iPads in practice for communication as well as other uses, though it may be prudent to await confirmation from a regulatory body.

Related Links:

ZDNet
MacRumors

How your IT Department can cope with the revised HIPAA regulations

As information technology pervades every aspect of healthcare, complying with federal regulations on patient privacy and security is becoming an even bigger issue.

More often than not, it's human error and process mistakes--not the technology itself--that have caused the biggest HIPAA violations. Earlier this year, the Department of Health and Human Services began listing health data breaches affecting 500 or more individuals on www.hhs.gov. As of late August, 306 HIPAA violations were listed on HHS's "Hall of Shame" site, most of them involving stolen or lost computers, USB drives, or documents, not hacking or snooping.

In one of the largest penalties so far since the revised HIPAA rules were signed into law under the HITECH Act in 2009, Massachusetts General Hospital in February was fined $1 million to settle what HHS called "potential HIPAA violations" related to the loss of paper documents listing names, appointments, and other information for 192 patients of Mass General's infectious disease outpatient practice. A Mass General employee commuting to work left the documents on a train.

According to HHS, the government's investigation of the incident indicated that Mass General "failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General's premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule."

How IT Departments Are Coping

The revised HIPAA regulations have forced IT organizations to put more emphasis on data in transit, says Mony Weschler, director of ancillary informatics at Montefiore Medical Center in New York. When it comes to electronic communications with patients, "it's not just as simple as cutting a report and emailing it. You can't do that," Weschler says. Rather, healthcare providers need to set up secure passwords and IDs, and then provide patients with links to patient portals to pull reports up, he says.

Securing patient data on mobile devices--which are at the center of many of the data breaches reported on the HHS site--isn't an issue for Montefiore. "We don't store patient data on devices like smartphones and iPads."

Unfortunately, securing doctor-patient communication isn't the only HIPAA issue keeping IT managers up at night. Any data exchanged among clinicians also has to be secure.

Dell, through its Perot services unit, offers products and services to address those needs. Its cloud-based services, for instance, can encrypt medical images "three ways, before, during, and after" transmission, says Dave Marchand, Dell's health and life sciences CTO.

Read the complete story…

What other challenges is your IT department facing due to the revised HIPAA regulations, and how do you cope with them? Share your thoughts in the comments section below.

Filed under: HIPAA HealthCare IT

What is HIPAA Eligibility Transaction System (HETS)?

The HIPAA Eligibility Transaction System (HETS) is intended to allow the release of eligibility data to Medicare Providers, Suppliers, or their authorized billing agents for the purpose of preparing an accurate Medicare claim, determining Beneficiary liability or determining eligibility for specific services. Such information may not be disclosed to anyone other than the Provider, Supplier, or Beneficiary for whom a claim is filed.

There are two ways to inquire for eligibility. CMS offers an Extranet-based X12N 270/271 Eligibility System (HETS 270/271) for high volume Providers who frequently check Medicare eligibility. CMS also is currently pilot testing an internet-based User Interface (UI) System (HETS UI) for Providers who check Medicare eligibility infrequently.

The HETS Help site is designed, in conjunction with the MCARE Help Desk, to provide technical System support to CMS business partners for the initiation, implementation, and operation of the Medicare HETS UI Internet application and the HETS 270/271 application - Extranet Transaction Submission. This information is provided to assist external business partners with connectivity, testing, and data exchange with CMS and to keep users informed of any system issues that may arise.

HETS 270/271

The HETS 270/271 application allows Providers or Clearinghouses to submit HIPAA compliant 270 eligibility request files over a secure connection. All HETS 270/271 submitters must obtain a secure connection to the Medicare Data Communication Network (MDCN). HETS 270/271 submitters must also develop or acquire a mechanism to construct and send 270 eligibility request files and receive and deconstruct 271 eligibility response files in a real-time environment. The HETS 270/271 application supports real-time transactions only; the application does not accept batch transactions.

If you are interested in the HETS 270/271 application, your organization must obtain an AT&T Global Network Service (AGNS) connection to the MDCN network. An AGNS connection can be obtained from one of the authorized AT&T Resellers: IVANS or McKesson. More information on how to connect (including contact information for IVANS and McKesson) is available on the "How to Get Connected – HETS 270/271" page.

NOTE:  If you are an insurer inquiring about how to submit 270 transactions to Medicare for Medicare Secondary Payer (MSP) Mandatory Reporting purposes, please refer to the Mandatory Insurer Reporting website link found under the "Related Links Inside CMS" section below.

HETS UI

The HETS UI Internet application provides users with a direct front-end interface to submit Beneficiary eligibility information requests. The user is able to submit transactions by entering Beneficiary information and receive a real-time response online. Thus, the user does not need to be concerned with X12 formatting, any transaction set formulation, or an AGNS connection to the MDCN network.

Download: HETS270271CompanionGuide.pdf (672 KB)

Read more…

Are you thinking about building HIPAA Compliant Apps for your business? Contact AMT here

Filed under: HIPAA HealthCare IT