Every country has regulations on how to protect and secure personal health information. In the US it’s HIPAA, the Health Insurance Portability and Accountability Act. In Canada it’s PIPEDA, the Personal Information Protection and Electronic Documents Act. In the UK it’s the Data Protection Act. Each act is designed to help citizens keep personal information private while accounting for the fact that information does need to be shared between individuals and organizations, and across organizations.
Technology vendors like Wellpepper need to ensure that they are following certain guidelines around data access and encryption to protect this information. The types of things we need to do include encrypting information when it’s in transit or stored, making sure each person has a secure login ID, and limiting who can see information. Basically, most of these regulations are just best practices for protecting any type of digital information, and we’d expect to see them in any well-designed software that needs to protect information.
Wellpepper does not store any information on the device. It is all stored securely on Amazon Web Services. Video, which includes patient identifiable information, is uploaded and encrypted when you record it. It’s transferred to our servers, and it’s streamed back to the client in an encrypted manner. (Also remember that the patient can do whatever they want with their health information. However, we still don’t store any of their information on their devices, and we send information encrypted to them.)
We can only fulfill part of the equation on protecting information. How you use Wellpepper and protect the hardware that it’s installed on is the other part. In fact, if you look at some of the top health-related data breaches in the US in 2012, you can see that a number of them were caused by human error. Examples include not cleaning the hard drive of a photocopier before selling it, having records stored on a laptop computer that was stolen from an employee’s car, and disabling a firewall that protected records. All of these situations were preventable with good data management practices.
We’ll take care of securing the information; you take care of the devices and your passwords. With that in mind, here are a few things to remember when using Wellpepper:
- If you are recording video in an open space, make sure you don’t accidentally have other patients in the background. Otherwise, you may inadvertently include recognizable information about one patient in another patient’s record.
- Put a password on the iPad. We know that you will want to stay logged into Wellpepper during clinic hours. Use the password protect feature on the device to lock it when it’s not immediately being used.
- Use remote management features. Apple provides the capability to wipe all devices if they are lost or stolen. Note that since we do not store information on the device, if it’s stolen you don’t need to worry unless you were logged into Wellpepper. In that case, you can use remote management features to delete Wellpepper so no one can log in.
- Secure the iPad when it’s not in use. Make sure you have a secure place for it, either in a locking docking station or a locked location, when it’s not in use or when the clinic is closed.
You do your part, and we’ll do ours to secure patient information.