Body Area Network Wireless Medical Device Operators Must Comply With the HIPAA Privacy and Security Rules
By Catherine Barrett, MITRE Corporation, McLean, VA1
What are Body Area Network Devices?
Technology companies are creating devices and providing data analytic services that promise to lower healthcare costs and improve the quality of care for patients. One such technology is the Body Area Network (“BAN”), a “low-powered wideband network consisting of multiple body-worn sensors” that wirelessly transmit data to a wearable device.2 For example, a cardiac BAN device can be worn much like a Band-Aid and provides real-time data about cardiac activity to the patient’s doctor. BAN devices are increasingly being developed and deployed to “monitor a patient’s health, including blood glucose and pressure monitoring” among other functions.3 BANs are popular because they offer a “cost effective way to monitor every patient in a healthcare institution, so clinicians can provide real-time and accurate data, allowing them to intervene and save lives.”4 BANs are projected to be widely adopted into the mainstream over the next 15 years.5
How Do BAN Devices Operate?
Typically, a BAN device operator contracts with a healthcare provider, such as a hospital or physician practice, to provide monitoring and analytic services to patients that are prescribed the BAN device. This contract between the provider and the BAN device operator allows physicians to prescribe the BAN device to patients seen at the healthcare facility, whether a hospital, clinic or doctor’s office. The BAN device is designed to monitor, collect and wirelessly transmit the patient’s protected health information (“PHI”) to the BAN operator for data analysis.6 Once the BAN operator collects and analyzes the patient’s PHI, a report is sent to the physician outlining the significance of the data collected. For example, a BAN device operator will collect cardiac data on a patient over a 30-day period of time, download and analyze that data from the BAN device and send the results to the patient’s cardiologist per the doctor’s instructions.
BAN Devices and HIPAA
Although BAN device operators may not realize it, they are considered business associates (“BAs”) under the Health Insurance Portability and Accountability Act (“HIPAA”) since they provide “services to a covered entity through which [PHI] is disclosed, such as legal, accounting, consulting, management, administration, accreditation, or financial services.”7
The HIPAA Privacy Rule requires a covered entity (“CE”) to enter into a written agreement with the BA to perform certain services, such as data analysis, which uses or discloses PHI. Passage of the HITECH Act in 2009 amended HIPAA such that BAs must now comply directly with some provisions of the HIPAA privacy rule as well as the HIPAA Security Rule “which requires implementation of administrative, physical and technical safeguards for electronic protected health information (“e-PHI”)” and requires BAs to develop and enforce policies and procedures to protect e-PHI.8 (42 U.S.C. 17931(a); 45 C.F.R. 164.308-312 and 164.316.)
CEs must ensure that the BA agreement includes safeguards regarding the use or disclosure of PHI to the BA such as: (1) a description as to how the BA is permitted to use the PHI; (2) prohibiting the BA from use or further disclosure of the PHI other than as permitted or required by the contract or by law; and (3) requiring the BA to use appropriate safeguards to prevent use or disclosure of the PHI beyond the scope of the contract.9 In turn, BAs agree, in part, to:
- Not use or disclose PHI other than as permitted by the CE;
- Use appropriate safeguards to prevent use or disclosure of PHI;
- Mitigate harmful effects of use or disclosure of PHI;
- Report to CEs use or disclosure of PHI not provided for by the BA-CE agreement;
- Make internal practices, books and records related to the use and disclosure of PHI available to the Secretary of HHS upon request; and
- Document disclosure of PHI.
BAN devices are disruptive, innovative technologies that promise to change the healthcare landscape. But, with new technology comes new challenges. The use and disclosure of e-PHI between BAN device operators and CEs trigger HIPAA compliance issues. BAN operators need to be aware that the regulatory environment is changing rapidly and the HIPAA regulatory framework that BAN device operators must adhere to is likely to significantly change in 2013.
The Department of Health and Human Services was expected to release the HIPAA Omnibus Final Rule (herein after “final rule”) in June of 2012, but the release date was extended, and is likely to be published sometime in 2013. The final rule is expected to significantly impact the HIPAA landscape and include new rules regarding “business associate liability; limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.”10 BAN wireless device operators will be impacted by this final rule. However, until that rule is published it is unknown how the landscape will change and affect this new technology.
Catherine Barrett is a lead healthcare consultant with the MITRE Corporation, a not-for-profit organization. She received her JD and MBA from American University Washington College of Law and Kogod School of Business, respectively. In August 2012 she earned a graduate certificate in health information privacy and security from the George Washington University School of Medicine, Public Health and Health Services. She may be reached at: firstname.lastname@example.org.
|2 ||Lucas Mearian, Body Area Networks Should Free Hospital Bandwidth, Untether Patients, Computerworld, June 4, 2012 at this link.|
Edwards, Brian, “Wireless Body Area Networks: Driving mHealth by Delivering Value to Patients, Providers and Payers”, iMedicalApps.com, August 4, 2011 at http://www.imedicalapps.com/2011/08/wireless-body-area-networks-wbans-driving-mhealth-opportunity-delivering-tangible-patients-providers-payers/.
PHI includes common identifiers such as a person’s name, address, birth date and Social Security Number as well as information that relates to an individual’s past, present or future physical or mental health or condition and/or the provision of healthcare services. Department of Health and Human Services, National Institutes of Health, “To Whom Does the Privacy Rule Apply and Whom Will It Affect?”, at http://privacyruleandresearch.nih.gov/pr_06.asp.
Harry Nelson, “Congratulations, you're a business associate?! The New Obligations and Newest Category of HIPAA Business Associates”, Fenton/Nelson LLC, August 25, 2010 at http://www.fentonnelson.com/news/industry-insights/hipaa-business-associates.htm.
See 45 CFR 164.504(e).
Department of Health and Human Services, Office of Civil Rights, “Health Information Privacy: Business Associate Contracts”, August 14, 2002 at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.