Is the iPhone HIPAA compliant?

HollandX
Jul 10, 2009, 01:50 PM
I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

Any ideas?

Thank you!



vinay427
Jul 10, 2009, 02:28 PM
I have no clue what HIPAA is but if the iPhone isn't then I recommend the BB Curve 8900 or the Bold if 3G is necessary. If you're on AT&T, that is.

samcraig
Jul 10, 2009, 02:32 PM
I know what HIPAA compliance is and I think that's a question for Apple tech/corporate specifically.

-aggie-
Jul 10, 2009, 02:34 PM
I have no clue what HIPAA is but if the iPhone isn't then I recommend the BB Curve 8900 or the Bold if 3G is necessary. If you're on AT&T, that is.

Should I google that for you? :)

Anyway, I would think the iPhone would be HIPAA compliant, since they were demonstrating some medical apps at the WWDC, but I'm not sure. I would just try googling iPhone and HIPAA and maybe you'll find something. You could also search the Apple site.

nikhsub1
Jul 10, 2009, 02:40 PM
The iPhone has all the needed security to be HIPAA compliant. HIPAA compliance is more of a set of rules and procedures and not a hardware based issue.

Kadman
Jul 10, 2009, 02:43 PM
The biggest question would be around local device encryption, enforcement of passwords with auto-lock, and possibly (depending on the institution) ability to remotely destroy data. We work in a HIPAA/CFR Part 11 validated environment and we have our BES (Blackberry Enterprise Server) enforce local encryption, lock on holster or 10 minutes of inactivity, and destruction of data on the device after 10 consecutive incorrect passwords. This configuration has passed many external audits (including government medical audits) so I would assume they would be key elements to an iPhone passing such scrutiny. That said, I have no idea if the data at rest on the iPhone is encrypted or not. :confused:

diabolic
Jul 10, 2009, 02:48 PM
A quick google search showed me what look like HIPAA compliant apps available on the iPhone right now, so I'd guess the answer is yes.

pdjudd
Jul 10, 2009, 02:49 PM
That said, I have no idea if the data at rest on the iPhone is encrypted or not. :confused:


You might want to look at this (http://www.apple.com/iphone/iphone-3gs/more-features.html) page for some information on that kind of stuff. A lot of the rest of those items can be sent via the deployment agent.

vansouza
Jul 10, 2009, 03:10 PM
I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

Any ideas?

Thank you!

With all the doctors using the iPhone to track patient vitals and using apps to diagnose and prescribe, of course it is HIPAA compliant... I think.

samcraig
Jul 10, 2009, 03:18 PM
"of course it is HIPAA compliant... I think."

LOL.. funny

vansouza
Jul 10, 2009, 03:19 PM
"of course it is HIPAA compliant... I think."

LOL.. funny

Thank you, I try.

EatMyApple
Jul 10, 2009, 03:32 PM
The iPhone was approved for me to use in my MD/PhD program, and we had to list what phone we used in our ID card/badge/key paperwork. So I would assume it passed my HIPAA compliance.

HollandX
Jul 10, 2009, 03:45 PM
With all the doctors using the iPhone to track patient vitals and using apps to diagnose and prescribe, of course it is HIPAA compliant... I think.

I know that you can make a specific iPhone App HIPAA compliant, but I don't know if the whole phone itself is.

For HIPAA compliancy, I know that we can...
- access our e-mail securely over Exchange
- password protect the phone
- enable remote wipe
- use only HIPAA compliant apps when using medical apps

Is there anything else I'm missing that I don't know about, and is that stuff enough to deem the phone HIPAA compliant?

Thank you everyone so far for your responses.

vinay427
Jul 10, 2009, 03:53 PM
Should I google that for you? :)

Anyway, I would think the iPhone would be HIPAA compliant, since they were demonstrating some medical apps at the WWDC, but I'm not sure. I would just try googling iPhone and HIPAA and maybe you'll find something. You could also search the Apple site.

No, thanks but actually I'm one of the exclusive few who can go to www.google.com and type a search term. By the way, I just did. :cool:

emt1
Jul 10, 2009, 03:56 PM
I know that you can make a specific iPhone App HIPAA compliant, but I don't know if the whole phone itself is.

For HIPAA compliancy, I know that we can...
- access our e-mail securely over Exchange
- password protect the phone
- enable remote wipe
- use only HIPAA compliant apps when using medical apps

Is there anything else I'm missing that I don't know about, and is that stuff enough to deem the phone HIPAA compliant?

Thank you everyone so far for your responses.

If you also use the encrypted backup on iTunes, then yes, it is HIPAA compliant.

EDIT: forgot to mention, data transmission on an unsecured wifi network is a violation.

The General
Jul 10, 2009, 04:24 PM
3G S has hardware encryption for the entire filesystem.

ZipZap
Jul 12, 2009, 08:19 AM
What medical product is this? eClinicalWorks (the only one with an iPhone interface I am aware of)?

This is about what gets left behind on the phone as much as it's about two-factor authentication, encryption, policies and procedures.

You must be 100 percent sure that no unauthorized person can pick up your phone and gain access to patient records. They should not be able to see the data either by looking over your shoulder. Further, you must be 100% sure that the application leaves no patient data of any kind on the phone unless that data is encrypted so that it can only be accessed by the doctor.

If you can say yes & yes... you are HIPAA compliant.

HollandX
Jul 12, 2009, 11:48 AM
What medical product is this? eClinicalWorks (the only one with an iPhone interface I am aware of)?

This is about what gets left behind on the phone as much as it's about two-factor authentication, encryption, policies and procedures.

You must be 100 percent sure that no unauthorized person can pick up your phone and gain access to patient records. They should not be able to see the data either by looking over your shoulder. Further, you must be 100% sure that the application leaves no patient data of any kind on the phone unless that data is encrypted so that it can only be accessed by the doctor.

If you can say yes & yes... you are HIPAA compliant.

Hey ZipZap--

It's not for a specific product, but a medical company in general.

i.e., we will have e-mails, files saved on the phone, etc.

So I was wondering about the whole phone itself...

Thanks

Roller
Jul 12, 2009, 06:10 PM
I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

Any ideas?

Thank you!

Devices aren't HIPAA-compliant per se. However, covered entities (such as hospitals and health plans) must have policies and procedures in place that safeguard against unauthorized release of Protected Health Information. Many facilities require that PHI stored on portable devices be encrypted and that access to the data be password-protected, both of which can be done at the application level. A method to remotely erase the device is often required, as well. PHI must also be encrypted while in transit to or from the device. The iPhone is capable of satisfying all these requirements.

dseig001
Jul 12, 2009, 09:57 PM
Devices aren't HIPAA-compliant per se. However, covered entities (such as hospitals and health plans) must have policies and procedures in place that safeguard against unauthorized release of Protected Health Information. Many facilities require that PHI stored on portable devices be encrypted and that access to the data be password-protected, both of which can be done at the application level. A method to remotely erase the device is often required, as well. PHI must also be encrypted while in transit to or from the device. The iPhone is capable of satisfying all these requirements.

+1 UCLA MS3 here using the iPhone everyday

The Californian
Jul 12, 2009, 10:12 PM
Medical facilities and organizations are leaning towards communication devices that can be LOCKED into a "HIPAA SAFE" mode so as to prevent someone from accidentally engaging in a HIPAA violation. You can make any device HIPAA SAFE by monitoring your transmissions; it all depends on how much the company trusts its employees. I'm at Loma Linda University Medical Center and most of the physicians and clinicians use iPhones; we also have data-encrypted pagers to ensure highly sensitive information stays secure.

Your company must not trust you guys that much, haha.

HollandX
Jul 15, 2009, 02:28 PM
Hey everyone-- I've spent the last few days doing some intensive research on this subject. It was all new to me, so I'm glad I spent the time to learn about it. Your comments were all so very helpful. I just needed to verify some stuff on my own.

Here is what I came up with.

Devices themselves cannot be "HIPAA compliant." HIPAA compliancy is set by internal IT guidelines and procedures. Some are pre-defined in practice, some are pre-defined in theory, and some you can decide on your own. However, the device must allow you to implement these guidelines, or it will not allow you to reach HIPAA compliancy. This is all to prevent patient data from falling into the hands of unauthorized users.

The iPhone can:
- securely access e-mail
- be protected by a password
- be remotely wiped (even by the user from Outlook Web Access, or through Exchange server controls. In fact, the iPhone will instantly brick, unlike the Blackberry)
- run HIPAA-compliant apps
- be backed up with encryption through iTunes

AND the iPhone 3GS is the first iPhone that offers an encrypted backup of the whole hard drive.

Thus, the iPhone 3GS offers everything to allow us to maintain HIPAA compliancy.

I have convinced my CEO to allow the iPhone as our mobile device as long as we choose the iPhone 3GS (or any other later model in the future I presume).

This is the document that was tremendous to me in my research and the most helpful thing I saw (other than your comments): http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf There is so much more information in it than what I posted. I highly recommend anyone interested in this topic read it.

Thank you all again for your time and your postings. This was a wonderful learning experience for me. I hope this thread serves to benefit others as well.

-Mark

Saroku
Oct 28, 2010, 08:56 AM
I just came across this... I hope you don't believe the same as you did back in 2009.

If you can recover raw data from a device in clear text, it should not be used in your environment.

Case in point:
http://www.youtube.com/watch?v=kHdNoKIZUCw

Stephen.

nefan65
Oct 28, 2010, 09:13 AM
I was in IT healthcare for over 12 years. Recently changed, had enough... lol. Anywho, anyone who states that a device is/is not HIPAA compliant is crazy. There's no such thing. It's all policy and processes. If you allow clinical staff to send/receive PI information via email, and it's not encrypted at the server level, then that's an issue with policy allowing it. If you allow laptops to hold PI information, and the drive isn't encrypted, then it's policy that needs to be addressed. I'd first check all IT policies to see what they state. That includes email, files, etc. All of our policies clearly stated that NO PI information could reside on any PC, laptop, or mobile device, including thumb drives, etc. ONLY the clinical system could be utilized for PI information, such as notes, diagnosis, etc. Any remote access to those systems had to be done via a secure VPN connection, and nothing else.

If you're accessing clinical applications via the phone, and the data does not reside on the phone, then you're fine. Also, if you use Exchange 2007 or newer, you have the ability to remote wipe if needed. However, if you're not storing PI Info on the device, you're fine.

Someone in your org should be the HIPAA Guru. I'd find them, and sit and discuss this specifically with the guidelines, as well as your internal policies on data use/storage, etc...

THENIZZZEIL
Oct 28, 2010, 10:22 AM
We use it without any issue at our facility; it helps for on-the-fly searching, and if you just follow basic rules by putting patient initials rather than John Smith when transporting text messages, I think it's okay. We haven't had any issues or complaints so far. I know a few Drs use the BB or a few Droids, but that's probably preference vs anything else.

ItsJustafnPhone
Oct 28, 2010, 10:28 AM
The short answer is that it depends on the hospital/software you are using.

You will not find your answer here.

What works at a county hospital may not work at a VA hospital, etc.

GoCubsGo
Jul 6, 2012, 07:05 AM
The iPhone has all the needed security to be HIPAA compliant. HIPAA compliance is more of a set of rules and procedures and not a hardware based issue.

Exactly. I don't think it has to do with hardware so much as it has to do with software.

And nikhsub1, I dig your location. :D My beer is indeed yummy!

iceterminal
Jul 6, 2012, 08:25 AM
The iPhone can be set up to be HIPAA compliant according to its standards and requirements.
A few small settings to do so:
- Have the passcode enabled.
- Set security to wipe the phone after 10 incorrect attempts.
- Find My iPhone enabled.
- Email account passwords not saved automatically.

These are generic for the phone itself. If you use apps, and they pass data, it has to be secured in some fashion such as only on an internal network, etc.

We have iPhone usage in many many hospitals and VA centers (gov't)

ReallyBigFeet
Jul 6, 2012, 09:12 AM
Using just the stock iOS apps, it's not HIPAA compliant. But there are many enterprise apps that make the entire iPhone compliant. Unfortunately, they all pretty much turn your iPhone into a less-functional Blackberry: lock them down, disable iTunes syncing, disable the App Store, etc.

But specific apps can be designed to enforce HIPAA compliance, leaving everything else alone outside that application's secure sandbox. Most of these just enforce that all data storage be done on remote servers that can be locked down.