The Role of Smartphones in Medicine: Dial M for Murky

Mount Sinai’s VitalHub app on Apple’s iPhone
What patient data are you allowed to access on your smartphone, and where? Please hold while a phalanx of federal agencies hammers out an answer.

Eighty-one percent of clinicians will have a smartphone by the year 2012, according to recent research from the Manhattan Group, and about half of these clinicians will use their devices for patient care, among other things. As regulations around data transmission evolve and medical apps on smartphones continue to grow exponentially, it remains to be seen what aspects of care physicians will be able to do legally with their smartphones in the future.

One thing is certain: Smartphones have already changed the way clinicians access information, says Barry P. Chaiken, MD, MPH, CMO for healthcare consulting firm DocsNetwork in Boston. “The patient isn’t coming into the office; the physician’s office is [becoming] a mobile office, so devices that allow them to bring their office around as they move will be the devices that will be useful,” he says.

Devices such as the Apple iPhone, Motorola’s Droid and RIM Blackberry have consumer roots, but the potential for medical applications—both data and images—is huge. At the 2009 Radiological Society of North America meeting, Asim Choudhri, MD, neuroradiology fellow at Johns Hopkins University in Baltimore, presented findings on a retrospective study in which five senior radiology residents reviewed 25 abdomen CT studies on an iPhone to test the feasibility and diagnostic accuracy of detecting acute appendicitis.

“In the last decade, medical imaging has become critical to a number of diagnoses, including emergency diagnoses,” says Choudhri. “We thought it would be worthwhile to study if these handheld devices could be used for accurate diagnoses.”

To test iPhones’ diagnostic capabilities, residents viewed raw DICOM data on iPhones equipped with OsiriX image viewing software. They reviewed 15 cases of acute appendicitis five times, and correctly identified the condition on 74 of 75 interpretations—with one false negative. That level of accuracy is similar to the level found with more traditional viewing technology, Choudhri says. “This is at least a worthwhile proof of concept that needs to be further evaluated.”

Pushing data

Mount Sinai Hospital in Toronto is already harnessing smartphones to streamline point-of-care decision-making. Physicians and nurses at the 470-bed research and teaching facility use VitalHub, an internally built application, to combine and push out patient health information from the EMR to clinicians’ iPhones in real time.

“We have 66 clinical applications being used at Mount Sinai and technology was making communication harder,” says Prateek Dwivedi, CIO at Mount Sinai. VitalHub integrates patients’ EMR information with the hospital’s communication system, including messaging, orders, results and medications.

“Clinicians are accessing patients’ information more quickly and easily now. We believe that 80 percent of physicians’ information needs [for] a patient can be demonstrated on a mobile device, and VitalHub affirms this,” says Dwivedi.

Mount Sinai’s medical devices—including iPhones—are regulated by Health Canada, Dwivedi says. The second generation of VitalHub, which is currently in development, will use software development methodology that conforms to the standards of Health Canada and the U.S. Food and Drug Administration (FDA), he says.

Who's In Charge?
Health IT-related smartphone regulation is an inter-agency miasma of acronyms. Here is a sample of which agency regulates what.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) regulates the transmission of information and the use of patients’ clinical information through the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.

HIPAA defines protected health information (PHI) as a subset of individually identifiable health information:
  • That is maintained or transmitted in any form;  
  • That is created or received by a healthcare provider;
  • That relates to the past, present or future physical or mental condition of an individual, provision of healthcare to an individual or payment for that healthcare; and  
  • That identifies or could be used to identify the individual.

The HITECH Act authorizes state attorneys general to enforce HIPAA privacy and security rules.

The Food and Drug Administration (FDA) defines a medical device as one that:
  • Diagnoses, cures, lessens, treats or prevents disease;
  • Affects the function or structure of the body; and
  • Does not achieve primary intended purposes through chemical action.

The FDA’s Center for Devices and Radiological Health (CDRH) regulates companies that design, manufacture, repackage, re-label and/or import medical devices into the U.S., but doesn’t regulate how physicians use those devices.

In addition, the Drug Enforcement Agency (DEA) is reviewing electronic prescription guidelines, including remote transmission of prescriptions for controlled substances.   

The regulatory call

While iPhone apps are no doubt appealing to docs, what patient data are smartphone-legal in the U.S.? This is where the vision gets fuzzy. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) regulates the transmission and use of patients’ clinical information through Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, says Sue McAndrew, deputy director for health information privacy at OCR.

“The privacy rule sets the limits on who can access and use this information and to whom they can disclose it,” she explains. “When this information is in an electronic form, the HIPAA security rule governs what needs to be done to the information to ensure privacy protections, prevent impermissible disclosures of this information and make sure that the information is accessible to those who need it and have permission to use it.”

To determine what patient information clinicians should or should not access on their smartphones, McAndrew recommends evaluating what the risks are to the data, whether at rest or transmitted. “The entity should [determine] the safeguards needed to address the risks identified in using these devices so the information remains secure,” she says. Because protected health information (PHI) is delivered to a smartphone bidirectionally, security issues arise if the phone is lost or stolen, or if a clinician views medical data in a nonmedical setting.

VitalHub, for example, is an encrypted access portal, so PHI isn’t stored on the smartphone’s hard drive, says Dwivedi. VitalHub requires two-factor authentication including a password and VPN certification, which makes the device HIPAA-compliant, he says.

The future looks… uncertain

HIPAA rules aren’t the only ones to worry about. The FDA recently outlined its regulatory stance for medical devices, including smartphones (see sidebar). The agency is “reviewing the use of applications on mobile technologies for the screening, diagnosis, prevention and treatment of diseases and injuries,” says Jeffrey E. Shuren, MD, JD, director of the FDA’s Center for Devices and Radiological Health (CDRH).

Recently, the FDA ruled that MimVista’s Mobile MIM app “has [an] indication for displaying medical images for diagnostic use on a mobile/portable device,” and ordered the company to remove its app from the iTunes App Store.

The software Choudhri used for his study is not FDA-approved for making diagnoses, “which means … the company cannot market it to clinicians to be used in a diagnostic capacity,” he says.

Chaiken argues for caution—or at least prudence—when it comes to regulation. “Let’s understand that what is decided today in 2010 needs to be changed over time so let’s not make any regulations [that are so] onerous [that they] destroy the marketplace, but let’s not ignore the issue,” he says. “We can’t get ahead of the technologies, workflows, the processes and our capabilities to manage health IT.”  

Make no mistake, the laws governing smartphones and PHI are in flux, and CMIOs need to pay attention. In April, HHS posted a regulatory agenda item in the Federal Register stating that the Office of the Secretary would issue a notice of proposed rulemaking to modify HIPAA privacy and security rules as necessary to enforce provisions of the HITECH Act. Stay tuned.
