Why HIPAA Matters in IoT

While it may seem daunting when it comes to developing IoT technology in healthcare, HIPAA is an important facet of keeping patient data secure in the industry.

Building IoT Solutions in Healthcare

There’s no question that IoT will radically shift the healthcare experience. There are examples available on the market today that are simplifying chronic care management and moving care outside the four walls of the traditional medical office. Collecting data in consumers’ homes or workplaces will help healthcare providers understand an individual’s health more holistically, select appropriate treatment plans, change plans as time progresses, and predict future health events. Healthcare can use technology to cut ever-rising costs while improving patient outcomes, which benefits consumers and the industry alike. In fact, about 60% of healthcare organizations have introduced IoT into their infrastructure in some form.

As more digitized data become available for analysis or tracking, the number of healthcare IoT solutions will rise exponentially. But with the buzz around security for IoT in all industry verticals, there has been a huge focus on regulation and standardization.

Healthcare is no stranger to these terms; in fact, some of the most comprehensive regulations exist in healthcare to protect patients in this era of digitalization. Healthcare IoT solutions then must tackle these additional security layers unique to healthcare. These “layers” have a name that even non-healthcare organizations will recognize: HIPAA.

A Lesson on HIPAA

The Health Insurance Portability and Accountability Act of 1996, also lovingly known in the industry as HIPAA, is one of the most broadly referenced pieces of government legislation regarding healthcare. The intent of the act was to standardize all electronic transmission of transactions in healthcare (such as electronic medical records and insurance claims), in addition to improving access to long-term healthcare and insurance coverage.

The act itself covers a large range of subjects and regulations, but when most people mention HIPAA compliance, they are specifically referencing the HIPAA Privacy Rule, which sets standards to protect patient health information, and the Security Rule, which sets standards for securing patient data (both rules are detailed under Title II of HIPAA).

The Privacy Rule addresses the use and disclosure of protected health information (PHI) and individuals’ privacy rights to understand and control how their health data is being used. A major goal of the Privacy Rule is to assure that individuals’ PHI is protected accordingly while “allowing the flow of health information needed to provide and promote high quality healthcare.”

The Security Rule requires that covered entities put safeguards in place, both physical and electronic in nature, to “ensure the secure passage, maintenance, and reception of PHI.” Essentially, a patient’s health data must remain confidential and be available only to authorized individuals or entities, both in storage and in transmission.

Decoding PHI

So what is and isn’t protected health information? According to HIPAA, PHI refers to all personally identifying health data, or health data that is linked to an individual. All forms of PHI, including digital, paper, and oral, are protected. There are currently 18 criteria that define what information, when linked to health data, makes it PHI, as opposed to health data not covered under HIPAA. You can read all 18 criteria of PHI here.

As an example, an individual might use a FitBit to help track hours of sleep a night. The sleep data alone (e.g. Monday night - 7 hours, Tuesday night - 6 hours) is not PHI. Once that dataset is linked to an individual, it becomes PHI (e.g. Jane Doe, who lives in Bethesda, Maryland, slept 8 hours on Monday night).

Consequences of Breaching HIPAA Regulations

Complying with HIPAA is not a suggestion; the Department of Health and Human Services made this clear in 2013 when it expanded the act to increase penalties for violations. The exact amount varies with the level of negligence, from $100 to $50,000 per violation, up to $1.5M a year for repeated violations of an identical provision. If a violation is ruled “Willful Neglect,” the incident can result in jail time for the culpable party.

HITECH and Why It Matters to IoT

President Obama signed the HITECH Act into law in 2009 as a complementary act to HIPAA. Two of its major requirements are:

  1. Technologies and technology standards created under HITECH will not compromise HIPAA privacy and security laws; and,
  2. Business associates and service providers, in addition to healthcare organizations, are held responsible for upholding HIPAA and disclosing breaches.

So why is HITECH important to IoT? Under HITECH, an associate (any person or company acting on behalf of covered healthcare entities such as hospitals or health plans) is directly liable for breaches of HIPAA rules, such as the improper use of PHI.

Companies interested in entering the healthcare IoT space need to be aware that if they plan on working with healthcare entities, any technology used or created for this purpose will fall under HITECH regulations.

While it may seem daunting and a monumental pain when it comes to developing new technology in healthcare, HIPAA is an important facet of keeping patient data secure as well as building trust between consumers and the healthcare industry.

Though HIPAA gives strong parameters around what can and can’t be put in place to keep a healthcare entity compliant, there is a bit of a grey area when it comes to IoT devices and platforms. Those working in a partnership or some other relationship with a covered entity, such as a health system, are clearly covered under HITRUST and HIPAA and are subject to stringent regulation.

For consumer goods that deal with health data but are not directly linked to healthcare entities under the HIPAA Act (think: a FitBit purchased at Best Buy and used to loosely monitor activity levels without any relation to a healthcare provider or payer), these lines blur a bit. As it stands, HIPAA and HITRUST do not cover these consumer goods when they are solely in the hands of the consumer, even though they handle PHI.

This does not mean that their makers should ignore industry-standard regulations. Companies whose technologies and platforms are not HIPAA-compliant cannot work in a partnership in any capacity with a covered entity. Those that are not looking to partner with covered entities should also build with stringent regulations in mind. All healthcare technology, especially IoT, should be built from the ground up with the highest HIPAA security regulations in mind. There is no doubt that as health technology grows its market share, legislation will be passed that specifically includes IoT regulation, regardless of association with HIPAA-covered entities, so it’s best to act now and not worry later.