Is the iPhone HIPAA compliant?

Discussion in 'iPhone' started by HollandX, Jul 10, 2009.

  1. macrumors newbie

    Joined:
    Aug 17, 2003
    #1
    I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

    Any ideas?

    Thank you!
     
  2. macrumors 6502a

    vinay427

    Joined:
    Sep 18, 2008
    #2
    I have no clue what HIPAA is but if the iPhone isn't then I recommend the BB Curve 8900 or the Bold if 3G is necessary. If you're on AT&T, that is.
     
  3. macrumors G5

    Joined:
    Jun 22, 2009
    #3
    I know what HIPAA compliance is and I think that's a question for Apple tech/corporate specifically.
     
  4. macrumors P6

    -aggie-

    Joined:
    Jun 19, 2009
    Location:
    Where bunnies are welcome.
    #4
    Should I google that for you? :)

    Anyway, I would think the iPhone would be HIPAA compliant, since they were demonstrating some medical apps at WWDC, but I'm not sure. I would just try googling iPhone and HIPAA and maybe you'll find something. You could also search the Apple site.
     
  5. macrumors 68000

    nikhsub1

    Joined:
    Jun 19, 2007
    Location:
    mmmm... jessica.'s beer...
    #5
    The iPhone has all the needed security to be HIPAA compliant. HIPAA compliance is more of a set of rules and procedures and not a hardware based issue.
     
  6. macrumors 65816

    Kadman

    Joined:
    Sep 22, 2007
    #6
    The biggest question would be around local device encryption, enforcement of passwords with auto-lock, and possibly (depending on the institution) ability to remotely destroy data. We work in a HIPAA/CFR Part 11 validated environment and we have our BES (Blackberry Enterprise Server) enforce local encryption, lock on holster or 10 minutes of inactivity, and destruction of data on the device after 10 consecutive incorrect passwords. This configuration has passed many external audits (including government medical audits) so I would assume they would be key elements to an iPhone passing such scrutiny. That said, I have no idea if the data at rest on the iPhone is encrypted or not. :confused:
     
  7. macrumors 68000

    Joined:
    Jun 13, 2007
    Location:
    Austin, Texas
    #7
    A quick google search showed me what look like HIPAA compliant apps available on the iPhone right now, so I'd guess the answer is yes.
     
  8. macrumors 601

    Joined:
    Jun 19, 2007
    Location:
    Plymouth, MN
    #8

    You might want to look at this page for some information on that kind of stuff. A lot of the rest of those items can be sent via the deployment agent.
     
  9. macrumors 68000

    vansouza

    Joined:
    Mar 28, 2006
    Location:
    West Plains, MO USA Earth
    #9
    With all the doctors using the iPhone to track patient vitals and using apps to diagnose and prescribe, of course it is HIPAA compliant... I think.
     
  10. macrumors G5

    Joined:
    Jun 22, 2009
    #10
    "of course it is HIPAA compliant... I think. "

    LOL.. funny
     
  11. macrumors 68000

    vansouza

    Joined:
    Mar 28, 2006
    Location:
    West Plains, MO USA Earth
    #11
    Thank you, I try.
     
  12. macrumors 6502

    Joined:
    Dec 2, 2008
    #12
    The iPhone was approved for me to use in my MD/PhD program and we had to list what phone we used in our ID card/badge/key paperwork. So I would assume it passed my HIPAA compliance.
     
  13. thread starter macrumors newbie

    Joined:
    Aug 17, 2003
    #13
    I know that you can make a specific iPhone App HIPAA compliant, but I don't know if the whole phone itself is.

    For HIPAA compliancy, I know that we can...
    - access our e-mail securely over Exchange
    - password protect the phone
    - enable remote wipe
    - use only HIPAA compliant Apps when using medical Apps

    Is there something else I'm missing that I don't know about, and is that stuff enough to deem the phone HIPAA compliant?

    Thank you everyone so far for your responses.
     
  14. macrumors 6502a

    vinay427

    Joined:
    Sep 18, 2008
    #14
    No, thanks but actually I'm one of the exclusive few who can go to www.google.com and type a search term. By the way, I just did. :cool:
     
  15. macrumors 65816

    Joined:
    Jan 30, 2008
    Location:
    Wisconsin
    #15
    If you also use the encrypted backup on iTunes, then yes, it is HIPAA compliant.

    EDIT: forgot to mention, data transmission on an unsecured wifi network is a violation
     
  16. macrumors 601

    Joined:
    Jul 7, 2006
    #16
    3G S has hardware encryption for the entire filesystem.
     
  17. macrumors 68040

    Joined:
    Dec 14, 2007
    #17
    What medical product is this? eClinicalWorks (the only one with an iPhone interface I am aware of)?

    This is about what gets left behind on the phone as much as it's about 2-factor authentication, encryption, policies and procedures.

    You must be 100 percent sure that no unauthorized person can pick up your phone and gain access to patient records. They should not be able to see the data either by looking over your shoulder. Further, you must be 100% sure that the application leaves no patient data of any kind on the phone unless that data is encrypted so that it can only be accessed by the doctor.

    If you can say yes & yes... you are HIPAA compliant.
     
  18. thread starter macrumors newbie

    Joined:
    Aug 17, 2003
    #18
    Hey ZipZap--

    It's not for a specific product, but a medical company in general.

    ie, We will have e-mails, files saved on the phone, etc.

    So I was wondering about the whole phone itself...

    Thanks
     
  19. macrumors 68000

    Joined:
    Jun 25, 2003
    #19
    Devices aren't HIPAA-compliant per se. However, covered entities (such as hospitals and health plans) must have policies and procedures in place that safeguard against unauthorized release of Protected Health Information. Many facilities require that PHI stored on portable devices be encrypted and that access to the data be password-protected, both of which can be done at the application level. A method to remotely erase the device is often required, as well. PHI must also be encrypted while in transit to or from the device. The iPhone is capable of satisfying all these requirements.
     
  20. macrumors member

    Joined:
    Apr 28, 2009
    #20
    +1 UCLA MS3 here using the iPhone everyday
     
  21. macrumors 68040

    The Californian

    Joined:
    Jan 17, 2009
    Location:
    Surfers Paradise
    #21
    Medical facilities and organizations are leaning towards communication devices that can be LOCKED into a "HIPAA SAFE" mode so as to prevent someone from accidentally engaging in a HIPAA violation. You can make any device HIPAA SAFE by monitoring your transmissions; it all depends on how much the company trusts its employees. I'm at Loma Linda University Medical Center and most of the physicians and clinicians use iPhones; we also have data-encrypted pagers to ensure highly sensitive information stays secure.

    Your company must not trust you guys that much, haha
     
  22. thread starter macrumors newbie

    Joined:
    Aug 17, 2003
    #22
    Hey everyone-- I've spent the last few days doing some intensive research on this subject. It was all new to me, so I'm glad I spent the time to learn about it. Your comments were all so very helpful. I just needed to verify some stuff on my own.

    Here is what I came up with.

    Devices themselves cannot be "HIPAA compliant." HIPAA compliancy is set by internal IT guidelines and procedures. Some are pre-defined in practice, some are pre-defined in theory, and some you can decide on your own. However, the device must allow you to implement these guidelines, or it will not allow you to reach HIPAA compliancy. This is all to prevent patient data from falling into the hands of unauthorized users.

    The iPhone can:
    - securely access e-mail
    - be protected by a password
    - be remotely wiped (even by the user from Outlook Web Access, or through Exchange server controls. In fact, the iPhone will instantly brick, unlike the Blackberry)
    - run HIPAA-compliant Apps
    - be backed up with encryption through iTunes

    AND the iPhone 3GS is the first iPhone that offers an encrypted backup of the whole hard drive.

    Thus, the iPhone 3GS offers everything to allow us to maintain HIPAA compliancy.

    I have convinced my CEO to allow the iPhone as our mobile device as long as we choose the iPhone 3GS (or any other later model in the future I presume).

    This is the document that was tremendous to me in my research and the most helpful thing I saw (other than your comments): http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf There is so much more information in it than what I posted. I highly recommend anyone interested in this topic read it.

    Thank you all again for your time and your postings. This was a wonderful learning experience for me. I hope this thread serves to benefit others as well.

    -Mark
     
  23. macrumors newbie

    Joined:
    Oct 28, 2010
    #23
    iPhone: Encryption Farce!

    I just came across this... I hope you don't believe the same as you did back in 2009.

    If you can recover raw data from a device in clear text, it should not be used in your environment.

    Case in point:
    http://www.youtube.com/watch?v=kHdNoKIZUCw

    Stephen.
     
  24. macrumors 65816

    nefan65

    Joined:
    Apr 15, 2009
    #24
    I was in IT Healthcare for over 12 years. Recently changed, had enough... lol. Anywho, anyone who states that a device is/is not HIPAA compliant is crazy. There's no such thing. It's all policy and processes. If you allow clinical staff to send/receive PI Information via email, and it's not encrypted at the server level, then that's an issue with policy allowing it. If you allow laptops to hold PI Information, and the drive isn't encrypted, then it's policy that needs to be addressed. I'd first check all IT policies to see what they state. That includes email, files, etc. All of our policies clearly stated that NO PI information could reside on any PC, laptop, or mobile device, including thumb drives, etc. ONLY the clinical system could be utilized for PI Information, such as notes, diagnosis, etc. Any remote access to those systems had to be done via a secure VPN connection, and nothing else.

    If you're accessing clinical applications via the phone, and the data does not reside on the phone, then you're fine. Also, if you use Exchange 2007 or newer, you have the ability to remote wipe if needed. However, if you're not storing PI Info on the device, you're fine.

    Someone in your org should be the HIPAA Guru. I'd find them, and sit and discuss this specifically with the guidelines, as well as your internal policies on data use/storage, etc...
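The three posts above that name concrete controls (the BES policy in #6: encryption at rest, lock after 10 minutes idle, wipe after 10 failed passcodes; the Exchange/OWA remote wipe in #22; the Exchange 2007 remote wipe in #24) map onto a single Exchange ActiveSync mailbox policy, which is what actually pushes those settings to an iPhone. The block below is an added example written for this page; it is not code from the thread, from Apple, or from Microsoft. It assumes the Exchange Management Shell on Exchange 2007 SP1 or 2010, where the cmdlets used exist under these names (later versions renamed them to the MobileDeviceMailboxPolicy family), and the policy name, mailbox alias, notification address and device selection are hypothetical placeholders.

```powershell
# Added example, not from the thread. Assumes the Exchange 2007 SP1 / 2010
# Management Shell. "PHI-Mobile", "jdoe" and secops@example.org are placeholders.

# 1. A policy mirroring the BES settings from post #6: passcode required,
#    no simple (1111-style) codes, lock after 10 minutes idle, wipe after
#    10 consecutive failures, and encryption of data at rest.
New-ActiveSyncMailboxPolicy -Name "PHI-Mobile" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:10:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Bind the policy to each mailbox that will sync to a phone carrying PHI.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "PHI-Mobile"

# 3. Audit what each partnered device reported back. DeviceModel/DeviceOS
#    tell you whether a 3GS (hardware encryption) or an older model checked in,
#    and Status shows whether a wipe is pending.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceID, Status, LastSuccessSync

# 4. Remote wipe of a lost phone, the server side of what post #22 describes
#    doing from Outlook Web Access. The wipe is queued and runs on the device's
#    next sync; the notification address receives the acknowledgement.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceModel -like "iPhone*" }   # hypothetical selection
Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses "secops@example.org"
```

Two points worth checking before relying on this. With AllowNonProvisionableDevices set to $false, a device that cannot apply every mandatory setting is refused sync rather than silently allowed through with a weaker configuration; at the time of the thread that is the line between the 3GS, which can satisfy RequireDeviceEncryption, and the earlier models, which cannot. And a wipe issued this way only takes effect when the device next reaches the server, so the 10-failed-passcodes local wipe in the policy is the control that actually protects a phone that has been taken offline.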
     
  25. macrumors member

    Joined:
    Dec 22, 2009
    Location:
    Cerritos, Ca
    #25
    We use it without any issue at our facility; it helps for on-the-fly searching, and if you just follow basic rules by putting pt initials rather than John Smith when transporting text messages I think it's okay. We haven't had any issues or complaints so far. I know a few Drs use the BB or a few Droids but that's probably preference vs anything else.
     