The mobile technology era can be traced back to the early 1990s. In a combined effort from IBM (Armonk, N.Y.) and Bell South (Atlanta, Ga.), the IBM Simon Personal Communicator was released to the public in 1993. This was the world's first smartphone, and it combined features of a mobile phone, a pager, a personal digital assistant device, and a fax machine.1 Nowadays, besides digital voice calling, our cell phones have the capabilities of a portable media center, Internet browsing, text messaging, high-end photography and video camera, video-calling, calendar, and global positioning system, among other things. The impact of these devices in our lives is such that a group of gadget gurus from around the world have named smartphones “the #1 gadget that has changed the world,” surpassing television and radio.2 Smartphones and other mobile devices are having a vast impact not only in our personal lives but also in other areas, including the health care industry.
Plastic surgeons today are incorporating the use of smartphones and other mobile devices into their practices. More recently, there has been an increased interest in our literature to evaluate the effect on patient care and outcomes when we integrate these new gadgets into our daily work. In 2011, Engel et al. reported that remote smartphone photography assessment has a comparable accuracy rate and shorter response time compared with in-person examination for free flap monitoring.3 Academic institutions around the world have been incorporating the use of smartphone photography into their daily activities (e.g., morning rounds, consultations, intraoperative evaluations) with a significant impact on improving communication between residents and attending physicians. Having the ability to share pictures (by means of text or e-mail) of postoperative patients, open wounds, and/or any other new patient or problem (e.g., impending flap failure, wound dehiscence, skin lacerations) will enrich the discussion of a case. In this manner, smartphones can be an essential tool in designing a plan of care, with a direct impact not only on patient care but also on resident education.
Mobile devices may also have the potential to increase revenues in an academic institution. As we all know, an attending physician must be present during the critical parts of a procedure to be able to bill for it. There is significant loss of potential revenue every time residents perform procedures without direct supervision (e.g., laceration repairs, bedside débridement) while on call or on the surgical floors. With the innovations of mobile technology, an attending physician might be able to guide a resident by means of video-calling through a secure network (e.g., FaceTime), which could potentially be considered appropriate for the level of complexity by health insurance companies, allowing us to bill for these procedures.
Although the arrival of smartphones and other mobile devices has definitely eased our lives and in certain circumstances improved work flow, we are concerned that if their use is not carefully regulated, they will pose a threat to patient privacy and protected health information. The inadequate storage (e.g., no password protection) of confidential patient information (e.g., photographs, contact information), and its electronic transmission to other colleagues and/or to cloud-type Web-based storage (e.g., iCloud), entail a threat to the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996.4 In contrast, the potential benefits of mobile technology with regard to resident education, patient care, and even hospital and physician reimbursement are promising. Therefore, we should look for ways to incorporate their use into our practices following the standards and regulations exemplified in the Health Insurance Portability and Accountability Act of 1996. Let us review the origins of these regulations and what they entail.
In 1996, the U.S. Congress recognized the importance of protecting the privacy of health information, given the rapid evolution of health information systems, technology, and communications. With this in mind, the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191) was enacted in 1995 by the U.S. Congress and signed by President Bill Clinton on August 21, 1996.5,6
The Health Insurance Portability and Accountability Act of 1996 consists of two Titles. Title I protects health insurance coverage for workers and their families when they change or lose their jobs. Title II gives the U.S. Department of Health and Human Services the authority to draft regulations aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.6,7 These standards are collectively known as the Administrative Simplification provisions or “Rules.” The Department of Health and Human Services has promulgated five Rules: the Privacy Rule, the Security Rule, the Transactions and Code Sets Rule, the Unique Identifiers Rule, and the Enforcement Rule. The Privacy and Security Rules are at risk with the liberal use of smartphones and other mobile devices; therefore, every practicing physician should have an understanding of what they entail.
After multiple modifications, the Privacy Rule was finalized on August 14, 2002.5 The goal was to establish national standards to protect all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information protected health information. Individually identifiable health information is information, including demographic data, that relates to the individual's past, present, or future physical or mental health or condition; the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. It includes many common identifiers, such as name, address, birth date, and social security number. The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act.7 These standards apply to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the rights to examine and obtain a copy of their health records, and to request corrections.8
The confidentiality of health information is threatened not only by the risk of improper access, but also by the risk of interception during electronic transmission. With the purpose of adopting safeguards to protect the confidentiality, integrity, and availability of electronic protected health information, the Security Rule of the Administrative Simplification provisions was made effective on April 21, 2003. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. The Security Rule does not apply to protected health information transmitted orally or in writing. When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider its size, complexity, and capabilities; its technical, hardware, and software infrastructure; the costs of security measures; and the likelihood and possible impact of potential risks to electronic protected health information. Covered entities must review and modify their security measures to continue protecting electronic protected health information in a changing environment.9
As our technical capabilities to exchange health information expand, it becomes more challenging to balance the privacy and security policies that protect this information. It is in the best interest of health care providers, federal agencies, state Medicaid agencies, private health plans, and health care clearinghouses to assure their customers (e.g., patients, insured individuals, providers, health plans) that the integrity, confidentiality, and availability of electronic protected health information that they collect, use, maintain, or transmit are protected.
We encourage plastic surgeons to familiarize themselves with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996, and to understand the potential threat to patient privacy and confidentiality with the unregulated use of mobile devices. We must work as a team with health care information technology specialists to design and implement standard regulations to allow the incorporation of new mobile technology into our practices with the hope of improving patient care and outcomes and even increasing revenues.
Jose R. Rodriguez-Feliz, M.D.
50 New Scotland Avenue
MC-190, First Floor
Albany, N.Y. 12208
The authors thank Gregg Revak, Director of Information Technology at the American Society of Plastic Surgeons, for research regarding video calling (e.g., FaceTime) and cloud-type Web-based storage (e.g., iCloud) and how they may entail a risk to patient privacy and the security of protected health information.