WhatsApp, A Healthcare Panacea: Not So Fast

A recent article on Forbes, “Why WhatsApp Could be a Game-Changer for American Health Care” caught my eye and attention. The article focuses on a commonly reported desire among professionals in the healthcare industry to have and use text messaging. Texting is used in everyday life, so why not in healthcare? The quick, but incomplete, answer is HIPAA. HIPAA is used as an excuse or barrier for many proposals in healthcare, but it does not tell the entire story.

The Forbes article chooses to focus on WhatsApp because WhatsApp includes end-to-end encryption. It is argued that this form of encryption addresses privacy and security concerns in healthcare by helping to lock down the messages being transmitted, including the information contained in the message. Encryption is only a piece of ensuring that communications comply with applicable HIPAA requirements. As the article rightly points out, issues of recipient verification and maintenance of information present challenges under HIPAA. These are definitely relevant and valid concerns.

While WhatsApp and its end-to-end encryption may be appealing to healthcare, as a practical matter the application is not ready to be used in healthcare. Even though WhatsApp may claim it does not access messages or information sent through its network, the question of whether WhatsApp stores the data remains. If WhatsApp stores data, then it is not a mere conduit, and any covered entity utilizing the service would need a business associate agreement with WhatsApp. Additionally, if data is stored on WhatsApp servers, it would be necessary to gain insight into the measures ensuring the privacy and security of information stored on those servers.

Another issue related to WhatsApp is the lack of enterprise-level account creation capabilities and, more generally, the overall lack of enterprise-level options. As currently constituted, WhatsApp is designed for individual use. Companies cannot gain control over accounts created by employees or otherwise create a corporate account that employees can work under. As recently as May, I directly asked individuals at WhatsApp whether the application would be expanded to commercial use and in particular for the healthcare industry. At that time, WhatsApp indicated that it was in the very early stages of incorporating or developing a commercial product/option, but had not progressed very far or given special consideration to usage in the healthcare industry. The absence of consideration by WhatsApp itself further demonstrates that it is not ready for real use in healthcare at this time.

Another recent announcement by WhatsApp should further dampen any potential usage in healthcare. In a shift from previous stances of zealously protecting privacy, WhatsApp announced that it will begin sharing some information about users with its parent, Facebook. While users can opt out of some amount of the data sharing, the mere fact that data will move outside of WhatsApp to another entity should give pause to any healthcare provider that would consider using WhatsApp. Even if WhatsApp asserts that only some basic metrics will be shared, this suggests that information is being accessed and that policies could continue to shift in the future.

The face value promise of WhatsApp, and the speed with which publications and others seem to have jumped on potential uses, underscores why healthcare needs to develop a solution that allows everyday functionality to come in. While easing communication and incorporating basic technology is a recognized and desired goal, healthcare and HIPAA present challenges. These challenges are not insurmountable, but they demonstrate why healthcare-specific solutions often need to be created. A quick look around the internet turns up some healthcare-specific messaging applications, and those solutions continue to be refined so they more closely mirror applications such as WhatsApp or iMessage. However, the applications likely will need to be healthcare-specific, at least at this point, to help ensure that individuals and entities within the healthcare industry can satisfy applicable regulatory requirements.


Why Do We Want Interoperability?

A lot of time and attention has been put into the notion of interoperability by almost every stakeholder in the healthcare system. Those interested in the issue include patients, providers, vendors and the government. Why has interoperability received so much focus, though? It may be possible to answer that question by stating that interoperability contains a large element of the common good.

Defining interoperability can be challenging, but a definition adopted by HIMSS in 2013 offers a good, comprehensive version: “the ability of different information technology systems and software applications to communicate, exchange data, and use the information that has been exchanged.” Putting that into even plainer English, interoperability is the movement of data as expected and without hindrance. Ultimately, that likely expresses the expectation of many: individuals want data to be where it needs to be without a hassle.

Depending upon an individual’s role within the healthcare system, that individual may have a different perception as to the importance of interoperability. Patients want data moving without thought because patients expect seamless transitions in care. If a patient is traveling or goes from one provider to another, the medical data should be there. Other industries have mastered the ability to allow data to move around, but healthcare is still working on that issue. As such, the patient viewpoint on interoperability is that it should just exist.

Providers, much like patients, likely want to have all information about a patient available. For example, if a medication has been administered in one setting and a patient presents elsewhere, the subsequent provider wants and needs to know what has already been done in order to avoid a very easily preventable error. Additionally, providers want to know a patient’s full history, which may be more easily obtained from previous records than from the patient. The provider viewpoint on interoperability is that it forms a basis for good care and ensuring all data is available.

Electronic medical record and other health IT vendors may see interoperability as either a product challenge or potentially an impact on business. Clearly, the healthcare industry relies on vendors of products to build those products in a manner that permits interoperability. All the wishes for interoperability will go for naught if the tools being used are not set up to support it. That being said, are the right incentives in place? That question may be a bit unfair to the vendors because, optimistically, vendors are not necessarily trying to create public harms. Accordingly, the vendor viewpoint on interoperability may be a bit muddled, but at the end of the day it should be favorable.

Given those potential viewpoints on interoperability, why is it so important? Interoperability is considered an essential element to succeeding with value-based care and/or population health, the government is turning its attention to the matter, and patient demand is increasing. From the industry perspective, the value-based care and population health reasons are likely the most compelling drivers for wanting interoperability. Value-based care forms the basis for many alternative payment models, which is where the healthcare industry is quickly heading. If the right data are not available to understand how a provider is performing, then the likelihood of success decreases, which in turn puts financial pressure on the provider. The government is also tied to the push toward alternative payment models. The government, specifically the federal government through Medicare, is causing a seismic shift in the reimbursement system. The government wants these efforts to work, which means that all tools must be aligned. Rumblings have suggested that if interoperability is a problem, then the government may force the outcome it wants.

Ultimately, interoperability, to a large degree, comes down to having a fully unified healthcare system where data is always available. Thinking of the banking industry, this is true of account information because an individual can readily access it through an online account or at an ATM, for example, and then be able to access that money from almost everywhere too. Similar examples can readily be pulled from numerous other industries. The question continually comes back to why should healthcare be any different.

As suggested above, solving the interoperability conundrum comes down to a common good. Arguably everyone wants patients to be able to receive the best care possible. That means having data available and on hand.

Hopefully, this post results in an open dialogue about the issue of interoperability. I will be presenting at VITL Summit 16 on this same topic and welcome comments and thoughts that I can incorporate into my presentation. Please post in the comment section, email me, or engage on Twitter. If we can all focus on the issue and begin to reach a consensus understanding, that would be a good outcome.


HIPAA and Ransomware: OCR Guidance

After promising to provide guidance and insight for a breaking issue, the Office for Civil Rights (“OCR”) came out with ransomware guidance under HIPAA. One major issue for debate was whether a ransomware attack constitutes a HIPAA breach. This issue among others is addressed by OCR. Overall, the guidance provides insight into where OCR is coming from and what it expects the industry to do in response to a ransomware attack.

As indicated, the primary question up for debate was whether a ransomware attack constitutes a breach under HIPAA. As expected, the answer is that it depends. As with most instances potentially resulting in a breach, examining the specific facts of each scenario is necessary. That being said, OCR suggests that the act of a ransomware attack encrypting protected health information by itself constitutes an unauthorized disclosure. The impacted entity will then need to demonstrate a low probability that the impacted protected health information was compromised, which means running through the breach risk assessment and disproving the presumption of a breach. In that respect, a ransomware attack is not really different from any number of other types of potential or actual breaches.

Leading into the breach question, OCR goes to great lengths to imply that the HIPAA Security Rule aids entities in preventing and/or responding to ransomware attacks. This perspective is not necessarily overstating the potential benefit from HIPAA. HIPAA requires entities to conduct a comprehensive risk analysis that examines all angles of protected health information and the vulnerabilities or weaknesses affecting that protected health information. Once the risk analysis is conducted, an entity then needs to implement the full panoply of technical, administrative and physical safeguards. When taken as a whole, this establishes a good baseline for security, whether paper or electronic.

However, as has been said many times and in many places, “the Security Rule simply establishes a floor, or minimum requirements, for the security of ePHI.” This statement is very accurate and should be followed. While the HIPAA Security Rule does have flexibility, the bare requirements of the rule do not constitute current or comprehensive security policies. The world of threats is changing too quickly for a static rule to fully set forth everything that an organization should do.

The ransomware guidance, on the whole, is helpful. It provides insight into OCR’s thought process when it comes to the intersection of HIPAA and ransomware. Healthcare entities can no longer use a lack of guidance as an excuse or “defense” for their response to an attack. There is too much at risk and it is important to have a baseline set of rules. Now, it is necessary for organizations to take cybersecurity seriously and proactively put protective measures into place.
