BYTEGRIDR. Compliant Health Apps in the Cloud. ByteGrid.com. Rebecca Santorios Associate Director of Compliance

Transcription

1 BYTEGID Compliant Health Apps in the Cloud ebecca Santorios Associate Director of Compliance ByteGrid.com

2 BYTEGID Introduction New mobile health applications are being developed every day, and with each new idea comes questions about how that app will be regulated and how it will protect patient information. What technical controls do you need? Does HIPAA apply? Is it FDA-regulated? If HIPAA doesn t apply, are there other privacy laws that come into play? Who is legally responsible for the app? egulatory agencies are striving to address these rapidly developing technologies, developers are struggling to understand what they need to do in order make their apps compliant, while end users are wondering which apps they can trust. In this paper, we ll discuss the regulatory considerations for health applications, but if you want to skip to the point: Accredited, fully compliant cloud hosting protects you and your customers no matter the scope of your regulatory burden. Even if you re not subject to HIPAA or FDA regulations, your customers will want top-notch privacy and security, and the rigor that comes with compliant hosting is a selling point. An EHNAC accredited hosting environment is solid proof that your app is deployed in a way satisfies these stringent security and privacy controls. As the app s use evolves, you ll be ahead of the game, having stepped into compliance with accredited cloud hosting. How is My App egulated? egulatory requirements for health apps are determined based on the application s use, and this also determines who s responsible for ensuring compliance. Covered entities, like healthcare providers, are responsible for HIPAA compliance for the applications that they use, while the application manufacturer is responsible for complying with FDA regulations, if the app is a medical device. As you go through the next sections, you ll see what questions to ask to determine where your application falls. Keep in mind that it s possible for your app to be within the purview of more than one agency, in which case you ll need to make sure that your hosting provider supports compliance with all of the applicable regulations. DEVICE SECUITY

3 BYTEGID Is it a Medical Device? If you re creating a health app that can be considered a medical device, then you, as the manufacturer, are responsible for complying with FDA regulations when designing, developing, testing and marketing the app. The FDA issued the Guidance for Mobile Medical Applications in February 2015, to clarify the subset of mobile apps to which the FDA intends to apply its authority. [9] This guidance is intended to help companies understand what the FDA expects for mobile apps, and what manufacturers need to do in order to legally market their applications. The determination of whether the medical device regulations apply to a particular mobile health application can be broken down into two yes/no questions, though answering them may require some thought: Is the app intended to help diagnose a disease or other conditions, or to cure, mitigate, treat, or prevent disease, or is it intended to affect the structure or any function of the human body? Does the app s functionality pose a risk to a patient s safety if it does not function as intended? If the answer to these questions is yes, then the application will fall under the FDA s oversight. Don t be too quick to answer these questions, though. There are nuances that can make this challenging, which is why the agency developed the guidance. Let s try to provide some clarification. Intended use is defined by labeling claims, advertising materials, or oral or written statements by manufacturers. Don t take this lightly. If you re promoting your application to help diagnose or treat a disease, no matter the format of those claims, then you re potentially making a statement of intended use that will impact the legal status of your app. The intended use is the determining factor in whether or not an application is considered a medical device. The guidance provides an LED as an example: an app that operates an LED isn t automatically a medical device, but if it s promoted as a light source for doctors to examine patients, it becomes one. Patient risk is the other determining factor in whether an app must be regulated. Application developers will need to consider this carefully in order to determine whether a regulatory submission is necessary before they can market their app. The guidance provides several examples. An application that provides patient monitoring or that controls drug delivery are high risk devices that are definitely regulated, while applications that help patients log their activities, like eating and exercise, are low risk. Manufacturers can compare their application s function to the examples in the guidance to help figure out where they may lie. High- or medium- risk applications will certainly require a regulatory acceptance in order to be sold legally. Compliant cloud hosting helps smooth the submission process by with documented controls that the agency requires. Cybersecurity, in particular, is easier to address if the app is deployed through a validated, tightly controlled datacenter. The guidance states that cloud hosting service providers are not considered device manufacturers. However, a creator of a software system that provides users access to the medical device through such a service (e.g. SaaS), is. Medical device manufacturers will need to evaluate their cloud hosting provider s services in accordance with the FDA s Quality System egulation, and document that assessment following an appropriate supplier quality program. A cloud hosting company that was designed specifically for GxP compliance can quickly provide documented evidence that that they ll consistently satisfy a medical device manufacturer s requirements. They ll always be audit-

4 BYTEGID ready, and can help you achieve that readiness, too, should the FDA come to call. As stated in the guidance, the FDA intends to apply oversight authority only to those mobile apps that are medical devices and whose functionality could pose a risk to a patient s safety if the mobile app were to not function as intended. Even if the app is a medical device, if it is low-risk FDA will exercise enforcement discretion. However, the guidance recommends that all manufacturers of mobile medical apps that may be devices adhere to the Quality System egulation (QS), even if they are low-risk. That s why compliant cloud hosting makes sense for applications that handle health information, even if they do not fall squarely within the FDA s purview. emember that a mobile medical app can be subject to HIPAA regulations, too, if it transmits or stores protected health information. In that case, the covered entity (or business associate) using the application will need to make sure that the app is deployed and used in adherence to HIPAA requirements. Does HIPAA Apply? In essence, there are two questions to consider here, too: Does the application store individually identifiable health information? Does it supply information to a covered entity or an entity s business associate? If the answers to these questions are yes, then the application is subject to HIPAA regulations. Let s look at the definitions to help clarify the scope here. Individually Identifiable Health Information is health information, including demographic information, that relates to an individual s physical or mental health or the provision of or payment for health care, and that identifies the individual [6]. Covered Entities are health care providers, health plans, and health clearinghouses. To further clarify [7]: Health care providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies - but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard

5 BYTEGID Health plans include health insurance companies, HMOs, company health plans, and government programs that pay for health care, like Medicare, Medicaid, and veterans health care programs Health clearinghouses includes entities that process nonstandard health information they receive from another entity into a standard, or vice versa. Business associates [8] are those who perform services for, or on behalf of, a covered entity. This includes those who create, receive, maintain, or transmit protected health information, including claims processing or administration, data analysis, quality assurance, billing, benefit management, practice management, and repricing; or those who provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services for a covered entity or another business associate. HIPAA compliance is the responsibility of covered entities and their business associates. For example, a doctor s office that uses a health application is responsible for ensuring that the health information stored or transmitted by the application is protected. If you re a covered entity or business associate, then you ll need to take a close look at any health application that stores or transmits PHI before you consider putting it into use. The penalties for a breach are stiff, so you won t want to take chances with an application that wasn t designed with security in mind. Find out how the application s design ensures data privacy and security. This isn t just a thought exercise if you use this application you ll need to include it in your HIPAA-required documented risk assessment. One question you ll need to answer is where the data is stored. Is it stored locally on the device that s running the app, or is it cloud-based, with patient data stored in a datacenter and made available over the internet? Cloud deployment has some security advantages over local storage, as long as the app is running in a secure, compliant datacenter. HIPAA compliant hosting requires deliberate activities throughout the system, and companies must be careful when selecting a hosting provider for the health applications they use. It helps to look for an EHNAC accreditation. EHNAC exhaustively evaluates candidates before supplying accreditation, and requires successful periodic evaluations to maintain it. HIPAA compliant hosting helps you avoid data breaches, and also protects you from further damages in the event that you do suffer a breach. With audit-ready, fully compliant cloud hosting, you re demonstrating a consistent, thoughtful approach to privacy and security that will show the HHS, and your customers, that you re taking the right

6 BYTEGID steps to prevent these occurrences. Your hosting provider can help you to respond quickly and appropriately to a breach, and that will limit its scope. Corrective action costs will be minimized, too, since your foundation is already solidly compliant. Other Considerations Privacy and security regulations can impact organizations that aren t subject to HIPAA. The FTC is responsible for protected consumers health data when it s outside the HIPAA silo. They enforce breach notification rules that are similar to HIPAA s and have taken enforcement actions against companies that exposed consumers health data, for example one that outsourced services to a third party without adequately checking to make sure it could implement reasonable security measures [10], and a settlement involving a company that made consumer records available over a peer-to-peer file sharing network [11]. The FTC has published some best practices for health app developers on their website. Not surprisingly, many of these best practices are exactly the things that EHNAC confirms when assessing a cloud hosting provider for HIPAA compliance [12]: Conduct a privacy/security risk assessment Limit your use and storage of health data only to what s necessary Identify management responsibility for ensuring privacy and security Train all employees to ensure privacy and security procedures are followed Implement access controls to restrict unauthorized access to data and to the network Patch known vulnerabilities Compliant cloud hosting has mature, documented processes for following these best practices, and much more, to ensure that health data stays secure. Keep in mind, too, that many states have their own privacy laws in addition to HIPAA, and may levy fines in addition to HHS penalties in the event of a breach. Developers and end users should consider how and where their applications will be deployed to make sure that they re adherent to the applicable regulations. Again, accredited, compliant hosting ensures that the app is running in a secure data center backed by mature, well-developed and thoroughly documented procedures, making compliance with privacy and security regulations that much easier. BYTEGID

7 BYTEGID Custom Demand for Privacy and Security egardless of regulatory requirements, would your customers tolerate weaknesses in privacy and security? While a few consumers may be willing to sacrifice privacy for convenience to some extent, it s also likely that they ll be willing to pay more for apps that are known to be safe and secure. If you re able to back your app with strong privacy and security claims, then even conservative consumers can subscribe without fearing that their fundamental rights are being violated. Accredited HIPAA compliant hosting lets users know quality, privacy and security come first. EHNAC Accreditation We ve mentioned EHNAC accreditation throughout this paper because it s a rigorous, measurable way to establish that a cloud hosting provider is truly HIPAA compliant. At ByteGrid, we re proud to have been the first EHNAC accredited datacenter, and we work hard to be the leader in compliant cloud hosting. EHNAC s accreditation process involves many phases and criteria, but we can list a few of the requirements here: A clear diagram showing PHI storage locations Documented privacy policies Documented procedures to protect transmitted data Policies and procedures for data security Documented procedures to limit access to PHI Documented measures to detect malicious software Identify individuals with access to PHI Breach notification plan isk assessment Documented training program Emergency response policy Security and breach notification procedures Termination procedures for workforce members Documented procedures to limit physical access Documented procedures for backups before moving any equipment Disaster recovery plan Documented procedures to secure facility Tightly controlled access for visitors Documented measures for network security Documented analysis of and evidence of compliance with other applicable federal and state laws Outage notification procedures

8 BYTEGID Documented analysis of breach scenarios This list is just a sample, but you can clearly see that compliance doesn t happen by accident, nor can it be achieved just through data encryption. It requires a thoughtful, system level approach. At ByteGrid, we ve shown exactly how this should be done. Conclusion HIPAA and GxP compliant cloud hosting is the safest way to deploy your health application. Consider your application s intended use, determine your regulatory responsibility and see how quickly you can meet it when you partner with an accredited, validated datacenter. ByteGrid makes it easy to achieve HIPAA compliance and satisfy FDA regulations. Your app can run safely in the cloud, while we guard your data and your reputation. With compliant hosting, you re getting the full suite of systems that truly support privacy and security at every level. eferences [1] [2] [3] [4] [5] health_data_after_plenary_annex_en.pdf [6] [7] [8] TML#se _1101 [9] [10] [11] [12]

9 BYTEGID QUESTIONS??? Contact Lisa Ackerson, Vice President of Marketing Phone: ByteGrid.com