Toggle sidebar Toggle sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Is the iPhone HIPAA compliant?

H

HollandX

macrumors newbie
Original poster
I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

Any ideas?

Thank you!
 
Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16)

I have no clue what HIPAA is but if the iPhone isn't then I recommend the BB Curve 8900 or the Bold if 3G is necessary. If you're on AT&T, that is.
 
vinay427 said:
Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16)

I have no clue what HIPAA is but if the iPhone isn't then I recommend the BB Curve 8900 or the Bold if 3G is necessary. If you're on AT&T, that is.
Click to expand...

Should I google that for you? 🙂

Anyway, I would think the iPhone would be HIPAA compliant, since they were demonstrating some Medical apps at the WWDC, but I'm not sure. I would just try googling iPhone and HiPAA and maybe you'll find something. You could also search the Apple site.
 
The iPhone has all the needed security to be HIPAA compliant. HIPAA compliance is more of a set of rules and procedures and not a hardware based issue.
 
The biggest question would be around local device encryption, enforcement of passwords with auto-lock, and possibly (depending on the institution) ability to remotely destroy data. We work in a HIPAA/CFR Part 11 validated environment and we have our BES (Blackberry Enterprise Server) enforce local encryption, lock on holster or 10 minutes of inactivity, and destruction of data on the device after 10 consecutive incorrect passwords. This configuration has passed many external audits (including government medical audits) so I would assume they would be key elements to an iPhone passing such scrutiny. That said, I have no idea if the data at rest on the iPhone is encrypted or not. 😕
 
A quick google search showed me what look like HIPAA compliant apps available on the iPhone right now, so I'd guess the answer is yes.
 
HollandX said:
I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

Any ideas?

Thank you!
Click to expand...

With all the Doctors using the iPhone to track patient vitals and using apps to diagnose and prescribe, of course it is HIPPA compliant... I think.
 
The iPhone was approved for me to use in my MD/PhD program and we had to list what phone we used in our ID card/badge/key paperwork. So I would assume it passed my HIPPA compliance.
 
vansouza said:
With all the Doctors using the iPhone to track patient vitals and using apps to diagnose and prescribe, of course it is HIPPA compliant... I think.
Click to expand...

I know that you can make a specific iPhone App HIPAA compliant, but I don't know if the whole phone itself is.

For HIPAA compliancy, I know that we can...
-access our e-mail securely over Exchange
-password protect the phone
-enable remote wipe
-use only HIPAA compliant Apps when using medical Apps​

Is that "what else am I missing" that I don't know, and if that stuff is enough to deem the phone HIPPA compliant.

Thank you everyone so far for your responses.
 
iphone.aggie said:
Should I google that for you? 🙂

Anyway, I would think the iPhone would be HIPAA compliant, since they were demonstrating some Medical apps at the WWDC, but I'm not sure. I would just try googling iPhone and HiPAA and maybe you'll find something. You could also search the Apple site.
Click to expand...

No, thanks but actually I'm one of the exclusive few who can go to www.google.com and type a search term. By the way, I just did. 😎
 
HollandX said:
I know that you can make a specific iPhone App HIPAA compliant, but I don't know if the whole phone itself is.

For HIPAA compliancy, I know that we can...
-access our e-mail securely over Exchange
-password protect the phone
-enable remote wipe
-use only HIPAA compliant Apps when using medical Apps​

Is that "what else am I missing" that I don't know, and if that stuff is enough to deem the phone HIPPA compliant.

Thank you everyone so far for your responses.
Click to expand...

If you also use the encrypted backup on iTunes, then yes, it is HIPAA compliant.

EDIT: forgot to mention, data transmission on an unsecured wifi network is a violation
 
What medical product is this....eClinicalWorks (only one with an iphone interface I am aware of).

This is about what gets left behind on the phone as much as its about 2 factor authentication, encryption, policies and procedures.

You must be 100 percent sure that no unauthorized person can pick up your phone and gain access to patient records. They should not be able to see the data either by looking over your shoulder. Further, you must be 100% sure that the application leaves no patient data or any kind on the phone unless that data is encrypted so that it can only be access by the doctor.

If you can say yes & yes...you are hippa compliant.
 
ZipZap said:
What medical product is this....eClinicalWorks (only one with an iphone interface I am aware of).

This is about what gets left behind on the phone as much as its about 2 factor authentication, encryption, policies and procedures.

You must be 100 percent sure that no unauthorized person can pick up your phone and gain access to patient records. They should not be able to see the data either by looking over your shoulder. Further, you must be 100% sure that the application leaves no patient data or any kind on the phone unless that data is encrypted so that it can only be access by the doctor.

If you can say yes & yes...you are hippa compliant.
Click to expand...

Hey ZipZap--

It's not for a specific product, but a medical company in general.

ie, We will have e-mails, files saved on the phone, etc.

So I was wondering about the whole phone itself...

Thanks
 
HollandX said:
I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

Any ideas?

Thank you!
Click to expand...

Devices aren't HIPAA-compliant per se. However, covered entities (such as hospitals and health plans) must have policies and procedures in place that safeguard against unauthorized release of Protected Health Information. Many facilities require that PHI stored on portable devices be encrypted and that access to the data be password-protected, both of which can be done at the application level. A method to remotely erase the device is often required, as well. PHI must also be encrypted while in transit to or from the device. The iPhone is capable of satisfying all these requirements.
 
Roller said:
Devices aren't HIPAA-compliant per se. However, covered entities (such as hospitals and health plans) must have policies and procedures in place that safeguard against unauthorized release of Protected Health Information. Many facilities require that PHI stored on portable devices be encrypted and that access to the data be password-protected, both of which can be done at the application level. A method to remotely erase the device is often required, as well. PHI must also be encrypted while in transit to or from the device. The iPhone is capable of satisfying all these requirements.
Click to expand...

+1 UCLA MS3 here using the iPhone everyday
 
Medical facilities and orginizations are leaning towards communication devices that can be LOCKED into a "HIPPA SAFE" mode as to prevent someone from accidently engaging in a HIPPA violation. You can make any device HIPPA SAFE by monitoring your transmissions, it all depends on how much the company trusts it's employees. I'm at Loma Linda University Medical Center and most of the physicians and clinicians use iPhones, we also have data encrypted pagers to ensure highly sensitive information stays secure.

Your company must no trust you guys that much, haha
 
Hey everyone-- I've spent the last few days doing some intensive research on this subject. It was all new to me, so I'm glad I spent the time to learn about it. Your comments were all so very helpful. I just needed to verify some stuff on my own.

Here is what I came up with.

Devices themselves cannot be "HIPAA compliant." HIPAA compliancy is set by internal IT guidelines and procedures. Some are pre-defined in practice, some are pre-defined in theory, and some you can decide on your own. However, the device must allow for you to implement these guidelines, or it will not work allow you to reach HIPAA compliancy. This is all to prevent patient data from falling into the hands of unauthorized users.

The iPhone can:
- securely access e-mail
-be protected by a password
- be remotely wiped (even by the user from Outlook Web Access, or through Exchange server controls. In fact, the iPhone will instantly brick unlike the Blackberry)
- run HIPPA-compliant Apps
- be backed up with encryption through iTunes

AND the iPhone 3GS is the first iPhone that offers an encrypted backup of the whole hard drive.

Thus, the iPhone 3GS offers everything to allow us to maintain HIPAA compliancy.

I have convinced my CEO to allow the iPhone as our mobile device as long as we choose the iPhone 3GS (or any other later model in the future I presume).

This is the document that was tremendous to me in my research and the most helpful thing I saw (other than your comments): http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf There is so much more information in it than what I posted. I highly recommend anyone interested in this topic read it.

Thank you all again for your time and your postings. This was a wonderful learning experience for me. I hope this thread serves to benefit others as well.

-Mark
 
I've was in IT Healthcare for over 12 years. Recently changed, had enough...lol. Anywho, anyone who states that a device is/is not HIPAA compliant is crazy. There's no such thing. It's all policy, and processes. If you allow clinical staff to send/receive PI Information via email, and it's not encrypted at the server level, then that's an issue with policy allowing it. If you allow laptops to hold PI Information, and the drive isn't encrypted, then it's policy that needs to be addressed. I'd first check all IT policies to see what they state. That includes email, files, etc. All of our policies clearly stated that NO PI information could reside on any PC, Laptop, or mobile device, including thumb drives, etc. ONLY the clinical system could be utilized for PI Information, such as notes, diagnosis, etc. Any remote access to those systems had to be done via a secure VPN connection, and nothing else.

If you're accessing clinical applications via the phone, and the data does not reside on the phone, then you're fine. Also, if you use Exchange 2007 or newer, you have the ability to remote wipe if needed. However, if you're not storing PI Info on the device, you're fine.

Someone in your org should be the HIPAA Guru. I'd find them, and sit and discuss this specifically with the guidelines, as well as your internal policies on data use/storage, etc...
 
We use it without any issue at our facility, it helps for on the fly searching and if you just follow basic rules by putting pt initials rather than John Smith when transporting text messages I think its okay. We havent had any issues or complaints so far, i know a few Dr's use the BB or a few droids but thats probably preference vs anything else.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back