Shared Desktop, HIPAA and Medicine

If a physician stores patient documents on the Mac OS X "shared desktop," is it a violation of the Federal Health Insurance Portability and Accountability Act (HIPAA)?


Or, more specifically, has APPLE designed the "shared desktop" to comply with the Federal Health Insurance Portability and Accountability Act?

Posted on Oct 28, 2016 5:47 AM

15 replies

Oct 28, 2016 6:26 AM in response to KiltedTim

I believe your statement only deals with part of the HIPAA issue. Besides limiting access as to who shares the desktop, one needs to be concerned about security of the data which is stored remotely (does it meet HIPAA standards) as well as how the data is transported from my office to the remote data storage site.


I don't fully understand all the legal ramifications of HIPAA, but I think it would be appropriate for Apple Legal to weigh in on this issue.

Oct 28, 2016 6:33 AM in response to HZMD

How are you implementing this "shared desktop"? I'm not entirely clear on what you're referring to.

Where, exactly, is the data being "stored"?

For data stored in the cloud, you must have a signed BAA agreement with the vendor to prove HIPAA compliance. Apple will not do so, to the best of my knowledge.

This article is a few years old, but is still relevant: http://telehealth.org/blog/which-cloud-storage-services-are-hipaa-compliant/

Oct 28, 2016 6:44 AM in response to KiltedTim

Your point about the BAA is a good one. I think the medical community needs to have the lawyers weigh in on this as it may be a deal-breaker for physicians who are now using a Mac as their desktop computer.


Regarding the location of the "shared desktop," I assume that Apple is storing the data from the "shared desktop" in "the cloud" (at one of their data farms.)

Oct 28, 2016 6:48 AM in response to HZMD

I'm still not clear on what you're talking about when you say "shared desktop". What shared desktop? There is no "shared desktop" feature in macOS. Unless you're referring to the ability to share your desktop with someone else so they can see what you're doing and control your Mac, in which case nothing is being "stored" in the cloud.

Oct 28, 2016 6:59 AM in response to HZMD

That is not a "shared desktop". That's cloud storage for the desktop and documents folders.

No, it is not HIPAA compliant as Apple will not sign a BAA.

iCloud storage is, of course, encrypted, and it is highly unlikely that it would be vulnerable except in the case where the individual's iCloud account might be compromised, but lacking a BAA, it will not pass a HIPAA compliance audit. PHI should never be stored in iCloud.

Oct 28, 2016 7:08 AM in response to HZMD

I think you are conflating technology with process. There are process, technology and security industries developed since 1996 in response to HIPAA requirements. Just because a system is capable of storing data does not make it not compliant. It is the process, technology and environment used to store and manage the data that determines compliance.


So just because a computer can share data through the cloud does not make the computer non-compliant. There are technologies and processes that allow medical records to be stored in the cloud. These technologies and processes are subjects way more complex than what this community can solve.

Oct 28, 2016 7:23 AM in response to BobTheFisherman

Physicians need to know whether or not the "share desktop" meets the minimum technical/legal requirements of HIPAA. If the answer to this question is no, then physicians cannot legally use "share desktop" in their medical practice, which would be very unfortunate as it would make their lives much easier, especially when working from home.


I understand this issue is only part of the HIPAA compliance issue, and the physicians need to ensure their desktop computer is only accessible to appropriate people.

Oct 28, 2016 8:32 AM in response to BobTheFisherman

As a practicing physician, IT geek, developer of an EMR and blogger on health information technology (The Health Care Blog), you are totally wrong about this. Physicians need to control the IT, otherwise it does not work to improve healthcare.


Hayward Zwerling, M.D., FACP, FACE

President, ComChart Medical Software, www.ComChart.com (no longer for sale to the general public)
The Lowell Diabetes & Endocrine Center, www.DiabetesEndocrine.com
Massachusetts Medical Society, Vice Chair of the Committee on Information Technology (For information purposes only. My personal writings do not represent the official policy of the MMS.)


