rss
J Am Med Inform Assoc 2003;10:611-612 doi:10.1197/jamia.M1388
  • Editorial Comment
  • Editorial Comments

Physician PDA Use and the HIPAA Privacy Rule

  1. Paul E Pancoast, MD, MBA,
  2. Timothy B Patrick, PhD,
  3. Joyce A Mitchell, PhD
  1. Affiliation of the authors: Department of Health Management and Informatics, School of Medicine, University of Missouri, Columbia, Missouri
  1. Correspondence and reprints: Paul E. Pancoast, MD, MBA, 324 Clark Hall, Department of Health Management and Informatics, School of Medicine, University of Missouri, Columbia, MO 65211; e-mail: <pancoastp{at}health.missouri.edu>.
  • Received 28 April 2003
  • Accepted 30 June 2003

Optimal health care delivery requires that providers have access to current clinical information.1 In the last 25 years, hospitals have dramatically improved diagnostic capabilities for both inpatients and outpatients, but providers often do not have access to the results.2 These disruptions in information availability lead to clinical errors and can cause patient injury or death. Many physicians use individual lists with names, hospital identifiers, room numbers, and pertinent clinical information when a decision needs to be made and the patient's record is not at hand. With the ready availability of personal digital assistants (PDAs), many clinicians now keep these patient lists in electronic format.3 4 5 6 Physicians can improve their access to information by downloading patient data into personal handheld computers that are available wherever decisions need to be made. Hospital administrators may be reluctant to allow such information transfers because of concerns about confidentiality and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. However, careful definition of the HIPAA Designated Record Set can eliminate the need to track the use of information stored in provider PDAs.

All physicians, whether employed by a covered entity or covered entities in their own right, have legal and ethical obligations to protect the confidentiality of patient information.7 Medical students and resident physicians are members of the hospital workforce. They have varying levels of autonomy in medical decision making, but the hospital administration regulates their activities in the hospital setting; they are required to follow the privacy regulations of the hospital that employs them. Other physicians are employed by hospitals and health plans that contract their services. These physicians also are under the jurisdiction of the administrative policies of their employers. Physicians who treat patients in multiple locations may be part of multiple workforces and may encounter different policies in each location. They are ultimately bound by the policies of their primary covered entity (employer) but should follow the policies of each facility when working in that setting. Privacy regulations are set by the privacy officer, a person designated to design the policies and procedures to ensure compliance with HIPAA regulations. Even a solo practitioner must designate a privacy officer for their practice. Physicians generally are aware of their duty to protect confidential information in their care, but they may not be aware of the technical means to protect the information on their PDA.8 We recommend several simple precautions that should be taken by every health care provider who stores patient information on a PDA:

  • Keep careful physical control of the device at all times.

  • Use data encryption technology to protect the information.

  • Use a password when turning on the PDA and a time-out to reactivate the password.

  • Disable the infrared ports except during use.

  • Do not send infrared transmissions in public locations.6 9 10

These recommendations should be followed as a matter of standard practice. The adoption of new technologies has great potential to improve patient outcomes and reduce potential injury but also imposes a burden of precautions in the face of increased risks.11 The use of PDA-based patient lists is no exception. If physicians download patient information into their PDAs, over which they alone have control, they must assume the responsibility for safeguarding the confidentiality of that information.

 
Next Section

Footnotes

  • This research was supported in part by National Library of Medicine Biomedical and Health Informatics Research Training Grant 2-T15-LM07089-11. Similar material appeared in a poster presentation at the AMIA Fall Symposium 2003.

Previous Section
 

References

  1. Institute of Medicine. Crossing The Quality Chasm: A New Health System for the 21st Century. Washington, DC: National Academy Press, 2001.
    1. McKnight L,
    2. Stetson PD,
    3. Bakken S,
    4. Curran C,
    5. Cimino JJ
    . Perceived information needs and communication difficulties of inpatient physicians and nurses. Proc AMIA Symp 2001:4537.
    1. Bauer JC
    . Rural America and the digital transformation of health care. New perspectives on the future. J Leg Med 2002;23(1):7383.
    [Medline][Web of Science]
    1. Sokol AJ
    . The changing standard of care in medicine: e-health, medical errors, and technology add new obstacles. J Leg Med 2002;23(4):44990.
    [Medline][Web of Science]
    1. Duncan RG,
    2. Shabot MM
    . Secure remote access to a clinical data repository using a wireless personal digital assistant (PDA). Proc AMIA Symp 2000:2104.
    1. Fischer S,
    2. Stewart TE,
    3. Mehta S,
    4. Wax R,
    5. Lapinsky SE
    . Handheld computing in medicine. J Am Med Inform Assoc 2003;10:13949.
    1. Wynia MK,
    2. Coughlin SS,
    3. Alpert S,
    4. Cummins DS,
    5. Emanuel LL
    . Shared expectations for protection of identifiable health care information: report of a national consensus process [comment]. J Gen Intern Med 2001;16:10011.
    [CrossRef][Medline][Web of Science]
    1. De Ville KA
    . The ethical and legal implications of handheld medical computers. J Leg Med 2001;22:44766.
    [Medline][Web of Science]
    1. Chilton L,
    2. Berger JE,
    3. Melinkovich P,
    4. et al
    . American Academy of Pediatrics. Pediatric Practice Action Group and Task Force on Medical Informatics. Privacy protection and health information: patient rights and pediatrician responsibilities [comment]. Pediatrics 1999;104(4 pt 1):9737.
    [Abstract/FREE Full text]
    1. Blanton SH
    . Securing PDAs in the health care environment. SANS Info Sec Reading Room. 09/06/2001. <http://www.sans.org/rr/pdas/health_care.php>. Accessed February 16, 2003.
    1. Terry NP
    . Cyber-malpractice: legal exposure for cybermedicine. Am J Law Med 1999;25:32766.
    [Medline][Web of Science]

This Article

  1. Extract
  2. Full text
  3. PDF

Responses

  1. Submit a response
  2. No responses published

Social bookmarking

Access policy for JAMIA

All content published in JAMIA is deposited with PubMed Central by the publisher with a 12 month embargo. Authors/funders may pay an Unlocked fee of $2,000 to make the article free on the JAMIA website and PMC immediately on publication.

All content older than 12 months is freely available on this website.

AMIA members can log in with their JAMIA user name (email address) and password or via the AMIA website.