Digital health technology is becoming a critical part of healthcare. As a set of tools used directly and indirectly in care, it has implications for risk management. These are discussed from both liability and mitigation perspectives.
Implications for risk management of digital health technologies
1. Mobile Health Technologies:
Implications for Risk Management
David Lee Scher, MD, FACC, FHRS
Director, DLS Healthcare Consulting, LLC
Clinical Associate Prof of Medicine
Pennsylvania State College of Medicine
3. Digital Health Technologies
• Wireless sensors
• Genomics
• Information systems
• Mobile connectivity
• Internet/social networking
• Computing power + data universe
Topol, E. The Creative Destruction of Medicine, 2012
4. Risk Management Issues in Select
Digital Health Technologies
• Electronic health records
• Mobile medical apps/sensors
• Social media
5. Patient Safety Issues and EHRs
• Pennsylvania Patient Safety Authority Report,
2004-2011:
– 3,099 ‘incidents’ (555 in 2010, 1142 in 2011):
• 324 related to wrong drug order default values
• 16 resulted in some patient harm
• Only 1 severe harm
• 47% related to wrong data input
• 18% Failure to update data found elsewhere
6. Patient Portals
• Required in only 5% of Medicare patients in
Stage 2 MU
• Third party portals w/greater capabilities
– Patient can view documents from multiple EHRs
– Messaging w/providers
– Patient education content
– Portal to hospital or practice Intranet via login
7. Patient Portals
• Can decrease risk by improving provider-patient
communications
• Can decrease risk by providing greater
multimedia-driven content/educational
materials
• Can increase risk with inappropriate
comments, mistakes
12. Facts About Health Apps*
• 97,000 mHealth applications are listed on 62
full catalog app stores.
• 15% are designed for healthcare professionals
(CME, RPM, healthcare mgt).
• 42% of apps: Paid business model.
• Top 10 mHealth apps generate 4 million free
and 300,000 paid downloads per day.
*Research2guidance, 3/13
13. Uses of Mobile Technologies by Clinicians*
• View patient information 69.41%
• Look up non-PHI health information 64.71%
• Use for education/training purposes 48.82%
• Clinical notifications 41.76%
• Secure communications regarding patients 39.41%
• Tracking worklists 38.82%
• Collect data at the bedside 36.47%
• E-prescribing 32.94%
• Use bar code reader on mobile device 28.24%
• Monitor data from medical devices 25.88%
• Capture visual representation of pt data 25.29%
• Telehealth 24.71%
* 3rd Annual HIMSS Analytics Mobile Tech Survey
14. Apps in the Healthcare Enterprise*
• 75% say clinicians use apps
– 77% of apps developed by third parties
– 52% use apps from hospital IT vendor
– 32% use apps developed internally
• >50% will update or develop new apps this
year
* 3rd Annual HIMSS Analytics Mobile Tech Survey
15. Types of Apps Made Available to
Patients/Consumers
• Monitor Chronic Conditions 52.54%
• Monitor Physical Activity 38.98%
• Monitor Nutrition Intake 35.59%
• Portal/Organization EHR 18.64%
* 3rd Annual HIMSS Analytics Mobile Tech Survey
16. Problems With mHealth’s Clinical Evidence
• Not readily available—some in peer-reviewed
literature, but much in blogs, presentations, and
other sources.
• Poor acceptance by journals: confusion about
whether mHealth is a “health” or “IT” intervention.
• Usually small studies, observational
• The evidence base is growing rapidly and it is difficult
for individuals to keep up-to-date
17. Mobile Medical Apps: Risk
Management Considerations
• Privacy and Security
• Accuracy
• Reliability
19. PRIVACY
An individual’s right to control how information
related to them is collected, used and disclosed
(‘Informational self-determination’)
20. CONFIDENTIALITY
• The obligation of an individual to keep
information that was provided in confidence
• May be set out in law or in an agreement
when the information was provided
• Applies to both personal demographic/contact
and personal health information
21. SECURITY
• Measures taken to safeguard information
against loss, unauthorized disclosure,
modification, destruction & protect the
confidentiality, integrity and availability of
information
• Measures may be physical, technical or
administrative
• YOU CAN HAVE SECURITY WITHOUT PRIVACY, BUT
YOU CAN’T HAVE PRIVACY WITHOUT SECURITY!
22. Levels of Security
• At the app development level
• At the mobile device level
• At the enterprise level
23. BYOD Facts*
• 89% of healthcare BYODers work from their
smartphone
• 40% of them don’t have phones protected
with a password
• 53% access unsecured wireless networks
*Cisco Survey, 2013
24. Measures Used to Secure Mobile Devices*
• Password protected 93.79%
• Data encryption 70.81%
• Remote wipe capability 68.94%
• Automated data disintegration 15.53%
• Biometric authentication 8.70%
• 29% of respondents: mobile devices retain PHI
*3rd Annual HIMSS Analytics Mobile Tech Survey
25. MMAs: Technology Considerations
• Encrypted PHI
• Secure wireless networks
• Co-mingling of hospital data (patient PHI) and
personal data
• Support/enforcement of minimum password
requirements
• Blocking of untested and unapproved apps
• Remote wipe and/or delete/lock down
26. MMAs: Policy/Procedure Risks
• No “acceptable use” policy
• No minimum password requirements
or requirements for change frequency
• Lack of privacy breach protocol
• Failure to deliver “sticky” privacy
training
27. Mobile Medical Apps: Regulatory
Issues
• FDA Guidance Sept 2013
– Emphasizes criteria for oversight is degree of
patient safety
– Only medical devices or products which transform
a device to a medical device will be regulated
– Labeling to be big part in whether or not a
product is intended as a medical device
– Gives excellent examples and anecdotes
– Most apps will NOT be regulated
– Left open: Clinical decision support tools
28. Mobile Medical Apps Guidance:
Takeaways
• FDA guidance leaves review of reliability and
indications to the healthcare
enterprise/provider
• Consider mobile device management
intermediary
• CMIO or physician leader should oversee
mobile strategy in addition to CIO
29. Need for Certification Standards
• Certification of quality, reliability (do they do
what they say they do?)
• Will need to come from third party enterprises
• Reasons for certification:
– Providers, payers, and patients expect and demand
safety, efficacy, reliability and privacy
– App stores will request or showcase certified apps
– Certification standards will serve as guide for
developers
– Competitive advantage in the marketplace
– ? Standard for reimbursement/formulary placement
30. MMAs: Other Opportunities for Risk
• Lack of interoperability with EHR
• Lack of conformity to current medical practice
guidelines
• Changes in the app platform re: privacy,
security, design. API vs non-API apps
31. Five Pitfalls of Designing a Medical App
• The motivation for the app development is
misguided
• Lack of clinician involvement
• Poor attention to usability
• Not knowing the healthcare landscape
• Not building to regulatory specifications
http://davidleescher.com/2013/01/31/five-pitfalls-of-designing-a-medical-app/
32. MMAs: Opportunities to Mitigate Risk
• Informed consent designed educational
content apps. Ex. Emmi Solutions
• Secure messaging apps
• Submission to third party testers (ICSA Labs)
• In-house development
• Clinician involvement in development
37. The Future of Medical Apps
• Further regulatory Guidance
• More apps developed by professional medical
societies
• App formularies for hospitals and payers
• Prescribing of apps by providers
• Integration of apps into patient portals and EHRs
• App development by Pharma/Med Dev
companies for disease management
• Telehealth consultation and remote patient
monitoring
39. Remote Patient Monitoring
• Provides continuous monitoring: acting on
trends, not just ‘snapshots’
• Setting: Inpatient, outpatient
• Tied to clinical decision support analytics, EHR
• Mobile to providers, patients, caregivers
41. RPM: Risk Management Issues
• Positive:
– Can identify clinical problems before becoming
crises (infections, heart failure, diabetes)
– Mobile tech
– Keeps caregiver in loop
• Negative:
– Quality control
– Alert management processes
42. Uses of Data from Remote Monitoring
• Post-market surveillance of leads and devices
– Early detection of trends towards failure or
technical problem
– Utilization of types of devices and leads
• Clinical management
– Device therapy
– Pharmacologic therapy
– Epidemiologic data for population health
management
46. Healthcare SoMe: Risk Management
Issues
• HIPAA: Patient descriptions, photos, events
depicted or narrated
• Medical practice issues
• Privacy/ownership issues re: sale of data from
online patient communities
• Pharma and Med Device company regulatory
issues
• Need for enterprise SoMe guidelines and
policies
47. SoMe and Healthcare: Mitigation
Opportunities
• Online patient support groups
• Patient education
• Marketing tool: Patient satisfaction
53. Other Digital Risk Mitigation Technologies
• Real-time HCAHPS Survey tools
• OR video/audio tool for multi-room
management by anesthesiologist
• Your Nurse is On: automated RN scheduling
tool
• Patient Safe Solutions: Point of care digital
nursing tool
54. SUMMARY
• Security and privacy involve human and
technical issues
• EHR training critical step in liability mitigation
• Most mobile medical apps without clear QA
measures
• Have clear BYOD policies/procedures
• Consider mobile device management
outsourcing
55. SUMMARY
• Use of digital technologies can mitigate risk
– Timely communication (tests, messages)
– Patient education (informed consent issues)
– Patient engagement -> adherence
– Patient satisfaction
56. SUMMARY
• Risk management must have digital
technologies high on radar, before or at time
of adoption.
• Involve clinicians as well as IT
• Look at what others are doing
• Use available resources (HIMSS)
• Turn liabilities into assets
57. “If you ask me a question I don’t know, I’m
not going to answer”
- Yogi Berra
Editor's Notes
Before we unpack Dr. Ross’ story, I want to take a moment to review 3 terms that I find often get confused in the discussion of privacy and security