HollandX

macrumors newbie
Original poster
Aug 17, 2003
10
0
I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

Any ideas?

Thank you!
 

vinay427

macrumors 6502a
Sep 18, 2008
701
0
I have no clue what HIPAA is, but if the iPhone isn't, then I recommend the BB Curve 8900 or the Bold if 3G is necessary. If you're on AT&T, that is.

samcraig

macrumors P6
Jun 22, 2009
16,637
41,619
USA
I know what HIPAA compliance is and I think that's a question for Apple tech/corporate specifically.

-aggie-

macrumors P6
Jun 19, 2009
16,795
51
Where bunnies are welcome.
I have no clue what HIPAA is, but if the iPhone isn't, then I recommend the BB Curve 8900 or the Bold if 3G is necessary. If you're on AT&T, that is.

Should I google that for you? :)

Anyway, I would think the iPhone would be HIPAA compliant, since they were demonstrating some medical apps at the WWDC, but I'm not sure. I would just try googling iPhone and HIPAA and maybe you'll find something. You could also search the Apple site.

Kadman

macrumors 65816
Sep 22, 2007
1,216
0
The biggest question would be around local device encryption, enforcement of passwords with auto-lock, and possibly (depending on the institution) ability to remotely destroy data. We work in a HIPAA/CFR Part 11 validated environment and we have our BES (Blackberry Enterprise Server) enforce local encryption, lock on holster or 10 minutes of inactivity, and destruction of data on the device after 10 consecutive incorrect passwords. This configuration has passed many external audits (including government medical audits) so I would assume they would be key elements to an iPhone passing such scrutiny. That said, I have no idea if the data at rest on the iPhone is encrypted or not. :confused:

diabolic

macrumors 68000
Jun 13, 2007
1,572
1
Austin, Texas
A quick Google search showed me what look like HIPAA compliant apps available on the iPhone right now, so I'd guess the answer is yes.

vansouza

macrumors 68000
Mar 28, 2006
1,735
3
West Plains, MO USA Earth
I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

Any ideas?

Thank you!

With all the doctors using the iPhone to track patient vitals and using apps to diagnose and prescribe, of course it is HIPAA compliant... I think.

EatMyApple

macrumors 6502
Dec 2, 2008
380
1
The iPhone was approved for me to use in my MD/PhD program, and we had to list what phone we used in our ID card/badge/key paperwork. So I would assume it passed my HIPAA compliance.

HollandX

macrumors newbie
Original poster
Aug 17, 2003
10
0
With all the doctors using the iPhone to track patient vitals and using apps to diagnose and prescribe, of course it is HIPAA compliant... I think.

I know that you can make a specific iPhone App HIPAA compliant, but I don't know if the whole phone itself is.

For HIPAA compliancy, I know that we can...
- access our e-mail securely over Exchange
- password protect the phone
- enable remote wipe
- use only HIPAA compliant apps when using medical apps

Is there a "what else am I missing" that I don't know about, and is that stuff enough to deem the phone HIPAA compliant?

Thank you everyone so far for your responses.

vinay427

macrumors 6502a
Sep 18, 2008
701
0
Should I google that for you? :)

Anyway, I would think the iPhone would be HIPAA compliant, since they were demonstrating some medical apps at the WWDC, but I'm not sure. I would just try googling iPhone and HIPAA and maybe you'll find something. You could also search the Apple site.

No, thanks, but actually I'm one of the exclusive few who can go to http://www.google.com and type a search term. By the way, I just did. :cool:

emt1

macrumors 65816
Jan 30, 2008
1,385
20
Wisconsin
I know that you can make a specific iPhone App HIPAA compliant, but I don't know if the whole phone itself is.

For HIPAA compliancy, I know that we can...
- access our e-mail securely over Exchange
- password protect the phone
- enable remote wipe
- use only HIPAA compliant apps when using medical apps

Is there a "what else am I missing" that I don't know about, and is that stuff enough to deem the phone HIPAA compliant?

Thank you everyone so far for your responses.

If you also use the encrypted backup on iTunes, then yes, it is HIPAA compliant.

EDIT: forgot to mention, data transmission on an unsecured Wi-Fi network is a violation.

ZipZap

macrumors 603
Dec 14, 2007
5,796
1,099
What medical product is this? eClinicalWorks (the only one with an iPhone interface I am aware of)?

This is about what gets left behind on the phone as much as it's about 2-factor authentication, encryption, policies and procedures.

You must be 100 percent sure that no unauthorized person can pick up your phone and gain access to patient records. They should not be able to see the data either by looking over your shoulder. Further, you must be 100% sure that the application leaves no patient data of any kind on the phone unless that data is encrypted so that it can only be accessed by the doctor.

If you can say yes & yes... you are HIPAA compliant.

HollandX

macrumors newbie
Original poster
Aug 17, 2003
10
0
What medical product is this? eClinicalWorks (the only one with an iPhone interface I am aware of)?

This is about what gets left behind on the phone as much as it's about 2-factor authentication, encryption, policies and procedures.

You must be 100 percent sure that no unauthorized person can pick up your phone and gain access to patient records. They should not be able to see the data either by looking over your shoulder. Further, you must be 100% sure that the application leaves no patient data of any kind on the phone unless that data is encrypted so that it can only be accessed by the doctor.

If you can say yes & yes... you are HIPAA compliant.

Hey ZipZap--

It's not for a specific product, but a medical company in general.

i.e., we will have e-mails, files saved on the phone, etc.

So I was wondering about the whole phone itself...

Thanks

Roller

macrumors 68030
Jun 25, 2003
2,655
1,637
I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

Any ideas?

Thank you!

Devices aren't HIPAA-compliant per se. However, covered entities (such as hospitals and health plans) must have policies and procedures in place that safeguard against unauthorized release of Protected Health Information. Many facilities require that PHI stored on portable devices be encrypted and that access to the data be password-protected, both of which can be done at the application level. A method to remotely erase the device is often required, as well. PHI must also be encrypted while in transit to or from the device. The iPhone is capable of satisfying all these requirements.

dseig001

macrumors member
Apr 28, 2009
76
1
Devices aren't HIPAA-compliant per se. However, covered entities (such as hospitals and health plans) must have policies and procedures in place that safeguard against unauthorized release of Protected Health Information. Many facilities require that PHI stored on portable devices be encrypted and that access to the data be password-protected, both of which can be done at the application level. A method to remotely erase the device is often required, as well. PHI must also be encrypted while in transit to or from the device. The iPhone is capable of satisfying all these requirements.

+1. UCLA MS3 here, using the iPhone every day.

The Californian

macrumors 68040
Jan 17, 2009
3,161
11
Surfers Paradise
Medical facilities and organizations are leaning towards communication devices that can be LOCKED into a "HIPAA SAFE" mode so as to prevent someone from accidentally engaging in a HIPAA violation. You can make any device HIPAA SAFE by monitoring your transmissions; it all depends on how much the company trusts its employees. I'm at Loma Linda University Medical Center and most of the physicians and clinicians use iPhones; we also have data-encrypted pagers to ensure highly sensitive information stays secure.

Your company must not trust you guys that much, haha.

HollandX

macrumors newbie
Original poster
Aug 17, 2003
10
0
Hey everyone-- I've spent the last few days doing some intensive research on this subject. It was all new to me, so I'm glad I spent the time to learn about it. Your comments were all so very helpful. I just needed to verify some stuff on my own.

Here is what I came up with.

Devices themselves cannot be "HIPAA compliant." HIPAA compliancy is set by internal IT guidelines and procedures. Some are pre-defined in practice, some are pre-defined in theory, and some you can decide on your own. However, the device must allow you to implement these guidelines, or it will not allow you to reach HIPAA compliancy. This is all to prevent patient data from falling into the hands of unauthorized users.

The iPhone can:
- securely access e-mail
- be protected by a password
- be remotely wiped (even by the user from Outlook Web Access, or through Exchange server controls. In fact, the iPhone will instantly brick, unlike the Blackberry)
- run HIPAA-compliant apps
- be backed up with encryption through iTunes

AND the iPhone 3GS is the first iPhone that offers an encrypted backup of the whole hard drive.

Thus, the iPhone 3GS offers everything to allow us to maintain HIPAA compliancy.

I have convinced my CEO to allow the iPhone as our mobile device as long as we choose the iPhone 3GS (or any other later model in the future I presume).

This is the document that was tremendous to me in my research and the most helpful thing I saw (other than your comments): http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf There is so much more information in it than what I posted. I highly recommend anyone interested in this topic read it.

Thank you all again for your time and your postings. This was a wonderful learning experience for me. I hope this thread serves to benefit others as well.

-Mark

nefan65

macrumors 65816
Apr 15, 2009
1,354
14
I was in IT healthcare for over 12 years. Recently changed, had enough... lol. Anywho, anyone who states that a device is/is not HIPAA compliant is crazy. There's no such thing. It's all policy and processes. If you allow clinical staff to send/receive PI Information via email, and it's not encrypted at the server level, then that's an issue with policy allowing it. If you allow laptops to hold PI Information, and the drive isn't encrypted, then it's policy that needs to be addressed. I'd first check all IT policies to see what they state. That includes email, files, etc. All of our policies clearly stated that NO PI Information could reside on any PC, laptop, or mobile device, including thumb drives, etc. ONLY the clinical system could be utilized for PI Information, such as notes, diagnosis, etc. Any remote access to those systems had to be done via a secure VPN connection, and nothing else.

If you're accessing clinical applications via the phone, and the data does not reside on the phone, then you're fine. Also, if you use Exchange 2007 or newer, you have the ability to remote wipe if needed. However, if you're not storing PI Info on the device, you're fine.

Someone in your org should be the HIPAA Guru. I'd find them, and sit and discuss this specifically with the guidelines, as well as your internal policies on data use/storage, etc...

THENIZZZEIL

macrumors member
Dec 22, 2009
37
0
Cerritos, Ca
We use it without any issue at our facility; it helps for on-the-fly searching, and if you just follow basic rules by putting pt initials rather than John Smith when transporting text messages, I think it's okay. We haven't had any issues or complaints so far. I know a few Drs use the BB or a few Droids, but that's probably preference vs anything else.