Ridesharing in Healthcare: HIPAA Compliant?
A new player has entered the mobile health scene: the rideshare. Since early 2018, the two most popular ridesharing companies, Uber and Lyft, have been partnering with healthcare providers to transport patients to and from appointments. This makes sense: approximately 3.6 million Americans miss medical appointments every year because they lack reliable transportation, and missed appointments cost the healthcare industry roughly $150 billion per year.
These popular rideshare services are available as online dashboards, desktop and mobile applications or as an API that can be integrated into healthcare tools. In this model, providers cover the cost of the transportation—which is to their advantage. Head of partnerships at Uber Health, Jay Holley, noted that many hospitals find the cost of rides cheaper than the cost of missed appointments. A real plus is that patients do not need to have the ride share app or even a smartphone to benefit from these services—medical facilities can arrange the cars and details to reach the patients via text message. Uber is currently working to expand their service, Uber Health, so that people with landlines will be able to receive transportation details, as well. Lyft has also struck a deal with Allscripts that lets 180,000 doctors call rides for their patients.
This new offering could be a game changer in reducing missed appointments and improving Americans' health nationally, but it also raises questions about privacy and HIPAA compliance, especially in the context of ridesharing apps. Uber, for example, has a troubled privacy history: in November 2017 it disclosed that it had concealed a 2016 data breach rather than reporting it. It is important to consider, then, how these companies store the patient data shared with them and what steps they take to protect it. Where is the data stored, and for how long? Can a rideshare company build a profile of a patient from scheduled rides and destinations? Who is the data shared with? What do the drivers see?
Data breaches of health information are particularly damaging. Unlike leaked passwords or credit card numbers, which victims can change, health information cannot be reset once exposed. Fortunately, rideshare programs arranged by providers will be expected to be HIPAA compliant, because such programs cannot avoid handling Protected Health Information (PHI). The moment a provider books a ride that picks up a named patient and delivers them to a cancer treatment center or a kidney dialysis clinic, the rideshare company holds PHI on behalf of a covered entity and becomes a business associate under HIPAA, meaning it must sign a business associate agreement and comply with the HIPAA rules. (A patient who books their own ride to the same clinic does not create that obligation; it arises because the provider is sharing PHI with the company to perform a service on its behalf.) The rideshare programs are taking steps to meet these requirements. Uber, for example, has worked with Clearwater Compliance, a healthcare compliance and cyber risk management company, encrypts rider information both in transit and at rest, and confines data from its Uber Health initiative to a small team.
While rideshare programs will be required to comply with the HIPAA rules, the privacy questions these initiatives raise remain relevant as we become more and more reliant on applications to assist with health care. Providers must stay vigilant about who they share information with and how they communicate it. Ride details can be sent to patients via SMS and remain HIPAA compliant as long as the message contains nothing that identifies the patient or the nature of the visit. However, any information that could identify the patient or the type of appointment, such as the patient's name or a clinic name that reveals the treatment, should not be sent over SMS, which is unencrypted and retained by carriers, but through a secure messaging application such as Vaporstream. As healthcare providers incorporate prominent companies and apps into day-to-day procedures, they must not grow complacent about how information is shared.
Contributor: Kristi Perdue Hinkle