In developing policies for managing data handled by and stored on mobile devices, healthcare organizations should look beyond privacy and security and consider the legal ramifications of mobile health information, the American Health Information Management Association (AHIMA) says.
"While much has been written stressing how extremely important security and privacy issues are in the use of mobile health technology, a question much less explored is how health information that is captured on mobile devices relates to the management of the health record," Lydia Washington, a director of practice management at AHIMA, writes in the July issue of the Journal of AHIMA.
AHIMA has long been emphasizing the importance of the "legal health record" in the context of electronic health records, essentially the official documentation of healthcare services provided from an organization to an individual. Information captured by or transmitted over a mobile device is part of this, according to Washington.
"It is widely accepted that any health information captured or stored by clinicians using either a personal mobile device or one provided by the healthcare organization becomes part of the HIPAA-designated record set if that information is used to make decisions about a patient. The same is true when health information that is collected or captured by an individual or patient is transmitted or communicated to a provider who uses it in the provision of care," Washington writes.
"Most likely, this information is also part of an organization's legal health record and is subject to requests for disclosures, subpoenas, and e-discovery. Conceivably, the health information generated by a mobile device could also be useful for many non-clinical applications that use medical records—such as audits, health research, and information reporting. The problem for HIM professionals is how to track and preserve these records when they reside on mobile devices."
No fewer than six federal agencies – the Office of the National Coordinator for Health IT, the Federal Communications Commission, the Food and Drug Administration, the Federal Trade Commission, the HHS Office for Civil Rights and the National Institute of Standards and Technology – have shown interest in monitoring and perhaps regulating mobile devices in healthcare, according to the journal article. (Washington cited a September 2011 MobiHealthNews story to illustrate the FTC's involvement.)
"While each agency has a different approach to monitoring healthcare mobile device use, each reported a specific emphasis on privacy and security," Washington says. That, according to the AHIMA practice management specialist, is inadequate.
"In addition to privacy and security policies, healthcare organizations would need to have policies that outline the conditions and acceptable uses of mobile devices that capture and store clinical information since that information may become part of a health record," Washington recommends.
"Policies would need to address how mobile devices are handled when the information they contain may become involved in potential litigation (legal holds) as well as methods for monitoring and tracking mobile devices that contain health information that is part of the organization's legal health record. The use of mobile devices that access health information and health records, whether personally owned or provided by the healthcare organization, need to be addressed in security risk assessments, litigation response plans, and human resources policies."
Washington further advises health information management professionals to "develop internal policies aimed at protecting the integrity and privacy of patient records."