Clearing the Air on HIPAA for Health and Fitness Apps

HIPAA is complex legislation.  Most people, as well as institutions, don’t have a good grasp of HIPAA.  As a result there is a great deal of misinformation out there.  In my experience within the healthcare space, many hospitals don’t even have a good handle on HIPAA.

HIPAA’s scope extends well beyond data protection.  It includes personnel who must be trained on HIPAA, logging and reporting of privacy violations, and even patients’ right to obtain their own health information.  Most of the time the focus is on protected health information (PHI) when HIPAA is discussed.

Who does HIPAA apply to?  It applies to “covered entities”.  Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions (claims, eligibility, billing).  More specifically, HIPAA was devised to cover transactions between healthcare providers and payers (insurers).  One could extrapolate this to mean that HIPAA applies to reimbursable tests.

Hospitals interact with many other businesses that may have access to patient information (or protected health information, PHI).  These may be labs, medical devices companies, etc.  These businesses become “business associates” of the covered entity and HIPAA extends to them as well.  Becoming a business associate is a legal process of signing a business associate agreement (BAA) with a covered entity.

HIPAA does not apply to software or apps storing information on behalf of end users, as long as the app is not offered by (or on behalf of) a covered entity.  In fact, this was Google’s position when Google Health was in existence.  It is the stance of all personal health records (PHR) offered directly to consumers, such as Microsoft HealthVault.

HIPAA does not apply to non-medical information, such as fitness data.  Making the determination as to what is medical information can be blurry at times.  Remember, HIPAA was developed to cover reimbursable tests.  That may be a good litmus test for categorizing information as medical.  Is the number of steps you took last week medical information?  No.

Even though HIPAA does not apply to many situations, it doesn’t mean privacy should be ignored.  All apps should be designed with data protection included as a primary goal.  Developers should be aware of common security flaws and follow best practices for data protection.  Apps should contain terms of use and privacy policies.

February 12, 2017 at 12:55 pm

Is Donald Trump the answer?

One potential driving force behind the popularity of Donald Trump for president could be dissatisfaction with The Establishment in Washington D.C.  Polls have shown extremely low satisfaction with Congress over the past few terms.  News is constantly filled with child-like bickering between Speaker John Boehner and President Obama.  While politicians continue to hold party loyalty as higher priority than their constituents and the country at large, they think the voters don’t notice.

This CNN poll shows that voters favor Trump because they are fed up with the way Washington works.

This WSJ article states Iowans favor Trump because he is anti-establishment.

My feeling is that voting strictly for a candidate because he is not part of the existing establishment can backfire.  I can think of two recent examples.

When the U.S. invaded Iraq and set up a new government, Baath party members were prohibited from participating.  The Baath party represented Saddam Hussein.  It was believed that allowing former Baath members to participate would increase the likelihood of a return to the type of government being replaced.  This strategy failed because nobody left to participate in the new government had any experience, in government or in the military.

Similarly, in the 2010 midterm elections voters here in the U.S. became anti-establishment.  This led to large changes in Congress, with many incumbents losing their positions.  The new politicians consisted largely of Tea Party members.  These rookie politicians were lacking experience and have thus led us to where we are today.  Washington D.C. is completely gummed up due to a lack of key skills required of good politicians.  Partisan politics rules the day.  Constant child-like bickering fills the news.  Compromise is a lost art.  And rather than raise the level of debate and inspire, politicians try to gum up the system until they can achieve a majority and then push their platform through.  Of course, this rarely happens and thus nothing is accomplished.

Unfortunately, I don’t see sending inexperienced politicians to Washington D.C. as the silver bullet, although it may be more of a reflection of voter frustration than a considered strategy.

What could the fix be?  I’m not sure.  But I think it has to start with campaign reform.  The impact of special interests has to be minimized.  In addition, the influence of the DNC and RNC over candidates must be lessened.  As long as the DNC and RNC control the purse strings, candidates’ allegiance to party over constituents and country will prevail.

August 4, 2015 at 11:34 am

Uphill climb for startups in healthcare and medicine

Two recent announcements by the federal government seem to ease the regulatory burden on startups in the healthcare space.

1) Government says it’ll do more to help mobile health developers comply with HIPAA privacy rules

2) General Wellness: Policy for Low Risk Devices from the FDA

These will have limited impact on startups, for a number of reasons.

Policies regarding HIPAA will not change.  The language in the first announcement implies that government will simply communicate the existing policies to startups better.  I see that as having little to no effect.

The fact is that HIPAA is wide in scope and open to interpretation.  Consider some areas that HIPAA covers: encryption of data, monitoring and logging who has access to systems that contain information, monitoring and logging of support personnel, password and access control, monitoring of systems and servers for illegal/unauthorized access, training of personnel in regards to PHI. There are simply too many aspects of HIPAA for start-ups to manage.  I believe that communicating HIPAA’s implications to startups will largely help most start-ups conclude that they don’t want to be in healthcare.

Most startups today contain costs via The Cloud, buying only the IT services that they utilize.  Early on, when there are few customers, IT spending is low.  As customer acquisition ramps up, more services can be purchased as needed.  It is very easy to expand using The Cloud, keeping costs proportional to need.  Amazon Web Services and Google Cloud, among others, make this possible.

However, the September 2013 update to HIPAA (the Omnibus Rule) made it clear that any business that touches protected health information (PHI), including hosting and SaaS providers (Amazon, Google, etc.), must be covered under a Business Associate Agreement (BAA).  Having a hosting provider sign a BAA is a big deal.  Many providers made announcements shortly after September 2013 proclaiming their support for BAAs.  However, the reality is that the barriers to having a BAA signed are quite high.  Some examples:

  • The cost of a single server on Amazon increases by about one hundred times.  Amazon will only sign a BAA if a server is run on a “dedicated” instance, which means dedicated hardware.
  • Google is somewhat vague on their support of BAAs.  According to the representative I spoke with, a company must first develop their application on Google infrastructure and then Google will inspect it to make a determination of whether it is worthy of a BAA.
  • I found Microsoft’s story to be quite amusing.  They declare that SQL Server, their own database product, is not HIPAA compliant and will not sign a BAA for an app that uses SQL Server in the Azure cloud environment.

The FDA’s declaration that it will not regulate “general wellness” apps as medical devices is helpful to start-ups.  Consider that many start-ups use iterative development processes, such as Scrum.  The FDA’s design-control expectations for medical devices have traditionally been read as favoring the waterfall method over such methodologies.  With the FDA’s announcement, iterative development may now be used for apps in the general wellness space.  Benefits of iterative techniques are faster releases leading to more innovation via more frequent user feedback.

However, start-ups should not take the FDA’s announcement to mean that quality standards can be relaxed.  Quality processes are still needed, regardless of the type of app.

There are some other key benefits too.  The process to gain FDA clearance can be quite lengthy.  The process is not always consistent and can vary by the representative(s) assigned to the product.  Eliminating delays and uncertainty is important when releasing a product.

However, what I find most helpful is the cost savings.  Because the clearance process can be complex, especially for a first-timer, it usually requires expensive regulatory consultants.  For a general wellness app that need is eliminated.

The recent announcements that ease healthcare product development for start-ups are a mixed bag.  There are some benefits to newbies in the space.  However, there are certain minimum standards that must be met by start-ups, particularly in terms of PHI.  And quality cannot be sacrificed regardless of the FDA’s decision not to regulate wellness apps as medical devices.

January 28, 2015 at 9:56 pm

What is really happening in Ferguson

Here is another instance of what is wrong in society in the United States. Most problems boil down to the same issue: Failure to take responsibility for oneself.

While emotions run wild and tensions grow, one only needs to look at the parents of Michael Brown for blame. Just fifteen minutes before their son’s death, Michael Brown terrorized a convenience store clerk and took what he wanted from the store. Why did he do it? Because he could. He was six foot five and nearly three hundred pounds. Who was going to stop him? He was, by definition, a bully and a thug.

Does anyone believe this is the first incident Michael Brown was involved in? I doubt it. Why isn’t Brown’s history coming out in the press? Hypocrisy. The incident in the convenience store is already overlooked. It is likely that prior incidents have been covered up.

The thing about bullies and thugs is that they don’t typically live long lives. While bullies and thugs often prey on those who are weaker, they eventually encounter someone who is bigger and/or badder. On that fateful day in August, that’s what happened to Michael Brown. If it wasn’t on that day, it would have happened eventually.  In the meantime, Michael Brown would have preyed on more victims.

Who is to blame? I look at the parents. If they didn’t know he was a bully and a thug, then they are ignorant. If they did know, then they are simply negligent. They raised a bully and a thug and either didn’t know or did nothing about it. It is a tragic loss of life and one that could have been avoided through proper parenting.

This is a perfect example of hypocrisy throughout America’s institutions. Those very groups that seize this as an opportunity to promote their causes – in the name of “justice” – are ruining innocent people’s lives – from those in Ferguson who see the truth but simply remain quiet, to shop owners in Ferguson, to those affected in other cities, to an innocent police officer and his family. Where is the justice there?

Finally, will the correct lesson be learned through all of this? There is a bit of misdirection. It appears that activists are using this incident to get governments at local, state, and federal levels to re-examine law enforcement practices. But isn’t the real lesson about how to properly raise your own children?

November 26, 2014 at 10:36 am

Sharing of Medical Info and Medical Images

The idea of sharing medical information – electronic medical records and medical images, in particular – between healthcare providers and patients –  is intriguing.  However, there are many, many barriers to sharing being adopted widely.  Here are just a few.

1) There is no business model.  Where will the medical data and images be stored?  Who will pay for it?  Many states have set up Health Information Exchanges (HIEs).  These are largely subsidized by the federal government.  Now that the money is running out we see states shutting down their HIEs.  There is no business model in place to sustain them.

Medical images can be more complex to manage than simply text oriented healthcare data.  Storage costs will be greater.  Transmission of large medical images is more costly.  Who will pick up the cost?

2) There are no established companies addressing image sharing.  Newcomers such as LifeImage, DicomGrid, DELL, and others are not developing healthcare provider to patient image sharing.  These companies sell technology to imaging providers to help them manage images and share images among themselves.  Radiologists and other imaging providers are willing to pay for these services.

The Radiological Society of North America (RSNA), a radiology trade group, has tried to address image sharing.  It provides free (open source) image sharing software for radiologists in the form of a software package called EdgeServer.  This software, however, was initially designed with the goal of moving images from one radiology department to another, not for sharing with patients.

NIH has agreed to fund EdgeServer for a few years.  Beyond that, they offer no promises.  Some of the newcomers (mentioned above) have agreed to store images on behalf of patients.  But with the history of HIEs, do we really believe one’s images will be available into the distant future?

3) Lack of understanding of HIPAA and privacy will delay the ability of patients to capture and store their data in a meaningful (electronic) way.  Few healthcare providers understand HIPAA and privacy.  Providing healthcare data to a patient scares the boots off of many hospital administrators.  Many administrators will not allow protected health information (PHI) to be transferred offsite.  These same administrators don’t understand that HIPAA also requires them to supply a patient’s data upon request.

In particular, understanding of the difference between an electronic medical record (EMR) and a personal health record (PHR) is lacking.  PHRs are not regulated by HIPAA because PHRs store information on behalf of the patient, not on behalf of a covered entity.  Until PHRs are in wide adoption and thus understood, patients will have difficulty storing their records in a way that they can easily work with.

4) Implementation is complex and costly.  Look at the technologies proposed by various groups involved in establishing “standards” of exchange for medical data and medical images.  These include: XDS, HL7, CDA, Direct, etc.  Old technologies.  Overly complex.

Let’s look at the Blue Button initiative, for example.  Blue Button is the government’s push to provide patients with their medical records easily and electronically.  The idea is that a patient downloads their entire medical record by clicking a “blue button” from their healthcare provider’s patient portal (web site).

Great idea and it sounds easy to use.  But the implementation is bad.  On the surface, one can envision visiting their hospital’s web site, logging in, and clicking the blue button to download a file with all their medical records.  As currently designed, it won’t work that way.  Instead, the medical records are emailed to the patient using “Direct” technology.  Direct is secure email: messages are signed and encrypted with S/MIME between endpoints whose certificates are issued through trusted Health Information Service Providers (HISPs).  Problems with this are numerous.  Here are a few:

a) There are few companies that can implement such technology and those would only be some of the biggest companies out there.  Hence small companies are locked out and innovation is stifled.

b) A special Direct email account is required by the consumer.  It is unlikely that consumers would use a special email account just to capture their healthcare records.

c) Should a consumer actually use a Direct email account, they will likely pull out the data files and store them on their hard drive, which circumvents the security and privacy protections of Direct.

5) Transparency in cost and services is complex.  Wouldn’t it be great to have a Yelp for healthcare and medical imaging?  Go to a site, research doctors, look at reviews, and make a selection.  There are sites that try to do this.  But how valid are the reviews?  Reports claim that 20% of reviews on Yelp are fraudulent.  How are reviews validated?

I strongly believe the fix to healthcare has to come from the consumer side.  Right now there are too many obstacles in place to let this happen naturally.  Regulations, use of old technology, and lack of a business model are just some of the roadblocks.


June 24, 2014 at 11:47 pm

HIPAA and The Cloud from a Startup’s Perspective

As someone who wants to build a great healthcare app I am dumbfounded by the effect of HIPAA.  Of course this app will be built on the latest and greatest technology, such as “The Cloud” and mobile.  But as I navigate the waters of the implications of HIPAA I question if targeting healthcare is really worth it.

Over the years we have seen startups create great apps in a variety of categories from social media to games to navigation.  Much of this was possible due to low startup costs.  Cloud services allowed these innovative companies to buy what they need at very reasonable costs.  The days of paying ten thousand dollars for a couple of servers were gone.  A server could be had for $25/mo.

Recent changes in the HIPAA law become a real challenge to the startup.  Whereas the prior law was somewhat vague as to whether a cloud provider needed to be involved as a business associate (one held responsible for privacy of data), the new law strongly implies that cloud providers are business associates.  So, if a startup wants to build a healthcare app on Amazon Web Services, the startup must have Amazon sign a business associate agreement (BAA).

That’s all well and good, but I see inconsistencies.  The HIPAA laws are complicated (and I don’t pretend to understand them).  I’m not sure if the cloud providers do either.  As I explored some providers I found a wide range of inconsistencies.  For example, consider encryption of protected health information (PHI) as stored in a database.  Some providers require it and some don’t.
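One way to sidestep that inconsistency, shown here as an added example that is not from this post or from any provider’s documentation: encrypt each PHI field inside the application before it is written, so the provider’s database only ever holds ciphertext whatever its own policy on encryption at rest, and record every decryption, which also covers the “who has access” logging that the FDA/HIPAA post above lists.  PHI encrypted this way is not “unsecured PHI” under the breach notification rule, so a lost backup is not by itself a reportable breach.  The patient record, the field values, the actor names and the authorization rule are constructed for the example, and the key is derived from a passphrase only so that it runs stand-alone; a real deployment would fetch the key from a KMS or secrets manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one line of the access log. Every call to Open produces one,
// successful or not, so "who read which PHI field, and when" is answerable later.
type AuditEntry struct {
	When    time.Time
	Actor   string // user or service that asked for the plaintext
	Record  string // patient record the field belongs to
	Field   string
	Outcome string // "ok", "denied", "malformed" or "tamper"
}

// PHIVault encrypts individual PHI fields with AES-256-GCM before they reach
// the database; the database only ever sees ciphertext.
type PHIVault struct {
	aead  cipher.AEAD
	Audit []AuditEntry // in memory here; in production, a separate append-only store
}

// DemoKey derives a key from a constructed passphrase so the example runs
// stand-alone. A real key comes from a KMS (assumption), never from source code.
func DemoKey() [32]byte {
	return sha256.Sum256([]byte("constructed demo passphrase, not a real key"))
}

func NewPHIVault(key [32]byte) (*PHIVault, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PHIVault{aead: aead}, nil
}

// Seal encrypts one field value. Record ID and field name are bound as
// additional authenticated data, so a ciphertext copied from one patient's
// row into another's (or into another column) fails to decrypt.
func (v *PHIVault) Seal(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	aad := []byte(recordID + "/" + field)
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), aad) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts one field for actor if authorize allows it, and always
// appends an audit entry describing the outcome.
func (v *PHIVault) Open(actor, recordID, field, stored string,
	authorize func(actor, recordID string) bool) (string, error) {
	entry := AuditEntry{When: time.Now().UTC(), Actor: actor, Record: recordID, Field: field}
	defer func() { v.Audit = append(v.Audit, entry) }()

	if !authorize(actor, recordID) {
		entry.Outcome = "denied"
		return "", errors.New("access denied")
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	ns := v.aead.NonceSize()
	if err != nil || len(raw) < ns+v.aead.Overhead() {
		entry.Outcome = "malformed"
		return "", errors.New("malformed ciphertext")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID+"/"+field))
	if err != nil {
		entry.Outcome = "tamper" // wrong key, wrong record/field, or modified bytes
		return "", errors.New("ciphertext failed authentication")
	}
	entry.Outcome = "ok"
	return string(pt), nil
}

func main() {
	v, err := NewPHIVault(DemoKey())
	if err != nil {
		panic(err)
	}
	// Hypothetical authorization rule: only the treating clinician may read.
	authorize := func(actor, recordID string) bool { return actor == "dr.smith" }

	stored, _ := v.Seal("patient-42", "diagnosis", "Type 2 diabetes") // constructed sample PHI
	fmt.Println("stored in DB:", stored)
	pt, _ := v.Open("dr.smith", "patient-42", "diagnosis", stored, authorize)
	fmt.Println("clinician reads:", pt)
	_, err = v.Open("intern", "patient-42", "diagnosis", stored, authorize)
	fmt.Println("intern:", err)
	_, err = v.Open("dr.smith", "patient-43", "diagnosis", stored, authorize) // ciphertext moved to another row
	fmt.Println("moved row:", err)
	for _, e := range v.Audit {
		fmt.Printf("%s actor=%s record=%s field=%s outcome=%s\n",
			e.When.Format(time.RFC3339), e.Actor, e.Record, e.Field, e.Outcome)
	}
}
```

The audit entry is written by a deferred append so that a denied, malformed or tampered request is logged exactly like a successful one; an access log that only records successes is the kind of gap a HIPAA audit will ask about.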

So far I have looked into three cloud providers and here are the difficulties of each from a startup’s perspective:

Amazon Web Services (AWS) – Amazon will only sign a BAA if dedicated instances are used.  A dedicated instance is roughly 30 times more expensive than a non-dedicated instance.  This will, by itself, eliminate AWS from consideration by startups as a $50/month server becomes $1500/month.

Our Prior ISP (Navisite) – Navisite was very reliable for us over the years as we used them for managed services.  However, to build a HIPAA compliant system would minimally add thousands of dollars a month in costs.

Google Cloud – Earlier this month (Feb 2014) Google announced a willingness to sign BAAs.  According to a Google rep, Google Compute Engine and Google storage are HIPAA compliant.  However, what I find strange is the process one must go through to have a BAA signed.  The app must first be installed in the Google Cloud and then Google evaluates the app.  This seems a little backwards to me.  Before an app is architected, Google should be able to determine if it meets its requirements.  And since Google has a history of changing its mind (in terms of apps its supports), I would be hesitant to build anything on Google technology without an understanding in advance.

Microsoft Azure  – I still have to check on Azure.  I will update this post when I learn more.

The good news is that we are early in the process and can take the new HIPAA laws into account.  I can see how retrofitting an older application could be very difficult.

We will also have to divert some of our crucial capital to lawyers and consultants to help us navigate the waters of HIPAA.

For those startups that are seeking HIPAA compliance on a cloud platform I have one piece of advice.  Speak to the provider in advance and determine their specific requirements for signing a BAA.  Then you can make the correct decision as to how to proceed.

February 28, 2014 at 2:36 pm

How to get a new iPhone every year

I don’t understand why there is so much confusion in terms of phones and subsidies.  Basic math reveals how to get a new iPhone every year for minimal cost and without being locked into a contract.

The key is to buy the iPhone and not rely on a subsidy.  Let’s take a look at the cost comparison.

First there is the cost of the phone.  Let’s use the iPhone 5S (16GB) as an example.

  • iPhone 5S from Apple: $650
  • Subsidized iPhone from AT&T: $200

Second, there is the cost of service.  For purposes of comparison, let’s select common features: unlimited talk, unlimited text, and 2.0 to 2.5GB of data per month.

  • No-contract plan (T-Mobile with 2.5GB data): $60/mo or $720/yr or $1440/2yrs
  • 2 year contract (AT&T mobile/share plan with 2.0 GB data): $95/mo or $1140/yr or $2280/2yrs

Let’s examine the total costs over one year with each option:

  • No contract plan: $650 (phone) + $720 (service) = $1370
  • 2 year contract: $200 (phone) + $1140 (service) = $1340

And the total costs over 2 years are:

  • No contract plan: $650 (phone) + $1440 (service) = $2090
  • 2 year contract: $200 (phone) + $2280 (service) = $2480

These numbers reveal that the break-even point for buying a phone is roughly a year: the contract is $30 cheaper after the first year and $390 more expensive after the second.  During the second year one pays the phone company about $390, or roughly $33/mo, for the convenience of subsidizing the phone.

There are numerous non-financial advantages with purchasing the phone and going no-contract.

  • One can switch carriers on a whim.  If service is poor in your area you can easily switch.
  • If you leave the country for a while, you can terminate service while you are gone.
  • One can upgrade their phone every year. If you are a gadget hound, you may find this appealing.
  • Some smartphones retain value. This can be a significant financial advantage when selling your old phone.  You can apply your proceeds from your old phone to a new phone.

Note that there are other factors to consider.  Some of the data sharing plans can offer pricing advantages if you have multiple devices.  Shop around to compare these plans.  Also, the numbers will differ based on the number of phones and plans one purchases, with family plans, for example.

The T-Mobile plans typically include tethering, which is a nice feature.  If tethering is important to you then take that into account when comparing plans.

I recently switched from AT&T to T-Mobile after purchasing an iPhone.  I found the process of not having to read over a lengthy contract to be refreshing.


UPDATE: 

Here are the current (12/11/2013) rates for AT&T prepaid plans.

[image: attplans]


Here are the current (12/11/2013) rates for Verizon prepaid plans.

[image: verizonplans]

Here are the current (12/11/2013) rates for Sprint prepaid plans.

[image: sprintplans]

December 11, 2013 at 2:21 pm
