Humetrix

Using the iBlueButton® Professional iPad App in Compliance with HIPAA

Last revised February 7, 2013

About iBlueButton Professional
The iBlueButton Professional iPad App (the "App") allows physicians to directly and securely receive from their patients Blue Button and other health records by a secure proximity "Push" initiated by the patient using their iBlueButton or iBlueButton Veterans phone Apps. The App also allows the physician to “Push” back to their patients records either created within the App or imported from other iPad apps, and from iOS enabled EMR systems. Available to the healthcare provider wherever the patient receives care, the App allows physicians to securely receive from their patients medical information from other providers, payors and HIE systems. Using the iBlueButton phone Apps, your patients will be able to share with you their Blue Button records from the following portals: My HealtheVet, TRICARE online, MyMedicare.gov, Aetna, RelayHealth and new Blue Button enabled portals as they become available.

iBlueButton Professional and HIPAA
Most health care providers are "covered entities" subject to the Health Insurance Portability and Accountability Act and its privacy, security, and breach notification regulations (collectively "HIPAA") with respect to certain of their patient’s individually identifiable health information, known as "protected health information" or "PHI." The App allows health care providers to create and receive PHI, so we recommend that health care providers take steps to ensure that they are complying with HIPAA. The App includes a number of security features, but appropriate use of these security features to comply with HIPAA falls to the physician (the "User").

The following is intended to assist the User with complying with HIPAA. It is not intended as, nor should it be viewed as, legal advice nor a guarantee of compliance with HIPAA or any other law.

iBlueButton and the Privacy Rule

Access and Amendment
HIPAA’s Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) provides patients with a right to access and amend certain PHI that is maintained in a “designated record set,” which includes medical records, billing records, and other information that is used, in whole or in part, to make decisions about the individual. The Privacy Rule requires that a covered entity document its designated record set. Accordingly, if the User is using PHI stored in the App to make treatment or other decisions about the patient, then we recommend that the User document that the App’s PHI is part of the designated record set. Additionally, if a patient requests to access all information in their designated record set, the User may wish to provide a copy of any PHI stored in the App. If a patient requests to amend this information, the App allows the User to do so.

Accounting of Disclosures
The Privacy Rule also requires a covered entity to account for certain disclosures of PHI, but provides exceptions for disclosure to the individual who is the subject of the PHI and disclosures for treatment purposes. While the App allows the User to securely “Push” PHI to a patient, such a disclosure of PHI is not subject to HIPAA’s accounting of disclosures requirements. The App also provides the ability to send the patient’s Blue Button information through the device’s e-mail function. If the User e-mails a patient’s PHI for treatment purposes, this disclosure also would not be subject to HIPAA’s accounting of disclosures requirements. If a User e-mails a patient’s PHI for other reasons, however, we recommend that the User document the disclosure if such documentation is necessary to comply with HIPAA’s accounting of disclosures requirements.

Patient Communication Preferences
The Privacy Rule requires a covered health care provider to accommodate reasonable patient requests to receive PHI by alternative means or at alternative locations. For some patients, the use of the App and their own iBlueButton phone Apps provide a great means of receiving their PHI. Other patients may prefer alternative means of receiving PHI. We recommend that the User accommodate the patient’s preferences regarding how they would like to receive their PHI, including any Blue Button information.

Limits on Use and Disclosure
The Privacy Rule limits the use and disclosure of PHI. Additionally, many state laws limit the disclosure of medical information without a patient’s authorization. To the extent that the User e-mails or otherwise uses and discloses Blue Button information from the App, we recommend that all such uses and disclosures comply with HIPAA and other applicable laws.

iBlueButton and the Security Rule

HIPAA’s Standards for Security of Electronic Protected Health Information (the "Security Rule") requires certain administrative, physical, and technical safeguards with respect to electronic PHI ("ePHI") to reasonably ensure the confidentiality, integrity, and availability of such information. Because the App creates, receives, maintains, and transmits ePHI on the User’s mobile device, the User should take steps to comply with the Security Rule.

Risk Analysis and Management
The Security Rule requires a covered entity to conduct an accurate and thorough analysis of the risks to the confidentiality, integrity, and availability of ePHI and to implement measures to reduce risks to a reasonable and appropriate level. We recommend that the User include the App’s Blue Button data in any such risk analysis and use the App’s security features to reduce security risks to a reasonable and appropriate level. One risk to consider is the potential for the User’s mobile device to be lost or stolen, and the potential for an unauthorized person to try to access the App and its data. Another risk to consider is the potential lack of availability of a patient’s Blue Button data if the mobile device is lost, stolen, or damaged.

Audit Controls and System Activity Review
The Security Rule requires audit controls to record system activity and procedures to regularly review such records. The App provides the User the ability to access an exchange log to review a record of the names of all files transferred, to whom they were transferred and the date/time of the transfer. This log can be sorted by date/time or patient name. The log is not collected by Humetrix. We recommend that the User consider whether to regularly review this log and to document the decision made.

Security Official and Training
The Security Rule requires each covered entity to have a security official. If the User does not serve this role, then we recommend that the User inform his or her security official of the use of the App. The security official may wish to consider whether to require training on the appropriate use of the App (e.g., to ensure that the User is taking advantage of available security features and is not using the App in a manner that could violate the Security Rule).

Malware Protection
The Security Rule requires covered entities to address protection from malicious software. Accordingly, we recommend that the User maintain appropriate antivirus or other malware software on the mobile device to help protect the App’s ePHI.

Safeguarding Passwords
The Security Rule requires each covered entity to address procedures for creating, changing, and safeguarding passwords. The App includes password protection, and we suggest that the User create a reasonably strong password and avoids using words that may be easily guessed. If the User must write down the password, we recommend that the password is not stored alongside the mobile device. We also recommend that the User consider whether the mobile device itself also should be password protected (to add an additional layer of security and to safeguard any ePHI that the User transfers outside of the App). Backup, Recovery, Emergency Operations, and Criticality The Security Rule requires data backup and recovery plans, emergency mode operation plans, and that covered entities consider assessing the criticality of its applications and data. Accordingly, we recommend that the User consider whether the App and its data will be critical in an emergency, whether it should be routinely backed up and, if so, how it will be recovered.

Physical Security
The Security Rule requires physical safeguards for workstations that access ePHI. Users should be sensitive to the physical security of their mobile device, and should be cautious about where and when the device is left unattended.

Disposal, Reuse, and Inventory of Device
The Security Rule requires each covered entity to maintain device and media controls, implement procedures for disposal and reuse of electronic media, and consider maintaining records of movement of hardware and media containing ePHI. Before disposing of or giving away the mobile device, the User should consider taking steps to ensure that the App’s ePHI is adequately erased. Additionally, the User or security official should consider whether the mobile device, because it contains ePHI, needs to be included in any inventory of hardware.

Automatic Time-Out
The Security Rule requires a covered entity to consider implementing procedures for terminating electronic sessions after a predetermined time of activity. The App includes a time-out function after five minutes of inactivity, after which password entry is required.

Encryption of Stored and Transmitted Data
The Security Rule requires a covered entity to consider whether it is reasonable to encrypt stored ePHI. The App encrypts stored data using the AES algorithm and a 256-bit key that is randomly generated by the password. Additionally, when the App is used to take pictures using the mobile device’s camera, the pictures are stored by the App and are similarly encrypted. Users should be cautious when using the App to transfer ePHI to other software programs on the mobile device (such as an e-mail program), after which the ePHI will no longer be encrypted by the App.

The Security Rule also requires a covered entity to consider whether it is reasonable to encrypt transmitted ePHI. When the App "Pushes" ePHI to another mobile device that has the iBlueButton phone Apps, the two devices create a shared 256-bit key that is unique to the transfer and the ePHI is encrypted using the AES algorithm during transfer. The first device encrypts the ePHI, transmits the encrypted ePHI to a cloud server, generates a key, and generates a QR code on its screen. The receiving device scans the QR code through its camera, which provides the location of the data and the key. The receiving device then downloads the encrypted ePHI from the cloud server and decrypts it. The information encrypton ePHI on the cloud server is deleted immediately after the transfer or after a short period of time (if no transfer occurs), and the key is communicated between the devices using the optical recognition of the QR code but does not travel over the Internet. If the User chooses to transfer ePHI to the mobile devices e-mail program, the App will not encrypt the e-mail. The User may wish to use an e-mail program that offers encryption.

Integrity Control
The Security Rule requires a covered entity to consider mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner during storage or transmission. A patient may use the iBlueButton phone Apps to receive Blue Button information from one physician and to push the information to another physician. The App will display a green checkmark icon indicating if the ePHI from the other physician is unaltered by the patient during this transfer. Additionally, when data is transferred between the App and another device running the iBlueButton phone Apps, the applications use a hash to validate that no data loss or alteration occurred during the transfer.

Humetrix Is Not a Business Associate Under HIPAA
Both the Privacy and Security Rules require covered entities to have agreements with entities that use or disclose PHI on the covered entity’s behalf. These entities are called “business associates” of the covered entity. Humetrix does not have access to, or otherwise use or disclose, any of the PHI that is created, received, maintained, or transmitted on the App. Accordingly, Humetrix is not a business associate of the User and a business associate agreement with Humetrix is not required. Humetrix maintains the cloud server through which encrypted ePHI is temporarily stored when it is pushed from one device to another. However, Humetrix qualifies as a conduit, rather than a business associate, as it only provides a transmission service involving “temporary storage of transmitted data incident to such transmission.” 78 Fed. Reg. 5572 (Jan. 25, 2013). The encrypted ePHI is deleted immediately after download by the recipient device or within a few minutes if no download occurs. Additionally, Humetrix does not have access to the encryption key.

The App sends certain data about usage of the App to Flurry, Inc (www.flurry.com). This information does not identify the User, device, or the patient. Flurry, Inc. does not receive or have access to PHI. Accordingly, Flurry, Inc. is not a business associate of the User.

The App permits the User to backup data using iCloud. The use of iCloud to back up the App’s data will cause encrypted ePHI to be maintained on iCloud servers, allowing recovery of the ePHI should the device become lost, stolen, or damaged. Because the App only stores encrypted ePHI on iCloud and the encryption key remains solely with the User, no third party will have access to the unencrypted information. HIPAA is unclear as to whether the storage of encrypted PHI with a third party requires a business associate agreement with the third party when the third party does not have access to the encryption key. If the User does not wish to back up encrypted ePHI on iCloud, this feature can be disabled in the iCloud Settings of the iPad (Settings > iCloud > Storage & Backup > Manage Storage).

iBlueButton and the Breach Notification Rule
The Breach Notification for Unsecured Protected Health Information Interim Final Rule (the “Breach Notification Rule”) requires a covered entity to notify individuals if their unsecured PHI has been improperly used or disclosed. ePHI at rest is secured if it is encrypted in accordance with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices and the decryption key has not been breached. The App’s ePHI is encrypted in accordance with this guidance. ePHI that is transmitted is secured if it is encrypted in accordance with NIST Special Publications 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, 800–77, Guide to IPsec VPNs; or 800–113, Guide to SSL VPNs, or another FIPS 140-2 validated process and the decryption key has not been breached. When the App is used to "Push" ePHI to another mobile device running iBlueButton phone App, then the ePHI is encrypted in accordance with this guidance during transmission. Accordingly, if the mobile device is lost or stolen or the ePHI that is pushed to the iBlueButton phone Apps is intercepted, then the Breach Notification Rule will not require the User to make breach notifications, so long as the User’s password has not been breached. We recommend that the User also consider state law and ensure that such law does not require breach notification.

If the App is used to transfer ePHI outside of the App, such as to another program on the mobile device, then the information will no longer be encrypted by the App.
In such a case, the loss or theft of the device or the interception of ePHI transmitted by another application may constitute a breach for which breach notification is required. We recommend that the User activate the “Find My iPad” feature on the iPad’s "Location Services", which will allow the User to remotely lock the mobile device or erase all data stored on the device if it is lost or stolen.