Uber Health HIPAA - CBS News misspells HIPAA

News abounds about Uber and other ride-sharing services taking people to their doctor appointments. They say they will be HIPAA compliant. Today we look at what they say that means as we discuss Uber Health HIPAA.


HIPAA For MSPs by J. David Sims: Uber Health HIPAA

I am really excited to hear that the ride-sharing services are jumping in to help solve some of the problems in medical transportation. I have family members who should use a service like this, even though they refuse to. My question, though, is how much do they really understand about what they should be doing under HIPAA? We see companies jump into health care all the time with an understanding of parts of HIPAA, but not all of it.

According to their website and official announcement:

Uber Health is a HIPAA compliant transportation platform for healthcare organizations. The web-based dashboard allows hospitals and other healthcare professionals to request, manage, and pay for rides for others, at scale.

HIPAA Compliance. To ensure Uber Health meets HIPAA standards, we have been working hard to develop, implement, and customize numerous safeguards. We also worked with Clearwater Compliance, a leading HIPAA compliance company, to conduct comprehensive risk and compliance assessments. We are thus pleased to sign Business Associate Agreements (BAAs) with our healthcare partners.

As with other things we have learned about, the scope is everything. Just how far into the process did they engage Clearwater to work with them? How much do they really understand about what they are getting themselves into here? I have had groups bring us in to review things and then tell me not to worry about anything except X. I know they need to worry about more, but there isn't much I can do about it. Clearly, based on some statements I have seen, they worried about the application platform more than anything else.

In one of the PDFs they distribute, there is a quote from Bob Chaput of Clearwater:

“In June 2017, we conducted a HIPAA Risk Analysis of the technical, physical and administrative controls related to Uber Health’s new dashboard and technology. Our team concluded that Uber Health has an unusually robust security environment involving numerous information security safeguards.”

I respect the words that are clearly stated here. “Related to Uber Health’s new dashboard and technology” is specifically worded. I would have done the same thing to make it clear that we were not involved with the whole thing, only with that part.

In an interview with The Verge, Chris Weber, general manager of Uber Health, is very sure they have it covered. Here is the quote from the article:

Uber Health is compliant with the US’s health care rules on data privacy, known as the Health Insurance Portability and Accountability Act, or HIPAA. “We built this service from the ground-up in a fully HIPAA-compliant technology stack,” Weber said. “It was architected from Day One. Everything we built from a technology perspective was built to fit within the constraints and best practices of HIPAA.”

Consider things like Business Associate Agreements with providers, which will require different terms than Uber expects. Will Uber say you must sign theirs, period? It isn't often that can be done with a big health system, even for a vendor like Uber.

Uber Health HIPAA compliance requirements are about more than just signing a BAA. How does that work when Uber has no employees? Will the drivers have to sign a BAA with Uber as subcontractors?

Another interesting point to consider is their track record. Uber had a cyber attack in 2016 that exposed 57 million driver and rider accounts. And don't forget that they paid people to COVER IT UP. Keep that in mind when you read the disclosure filing for the lobbyist they hired, which says:

… her lobbying work would focus on the Health Insurance Portability and Accountability Act and health care policy related to “transportation, ridesharing, and innovation.” The disclosure also notes Waldo will focus on compliance matters.

Here is my real issue with this service. I really don't worry so much about the technology behind it as I do about the people involved. We know it's often all about the people, people. How will the insider risk we all know exists be managed in the Uber Health HIPAA compliance program?

Here is how they describe the process:

  • A provider books the ride, either right now or for a future appointment, using the dashboard.
    • That works for me. Since providers want people to show up for their appointments, it makes sense for them to coordinate the process.
  • The “passenger” is contacted by text or phone call with the details when the ride is booked and again when the driver is on the way.
    • Ok, they have addressed the lack of smartphones or app skills among many of the patients, ummm passengers, that they will be picking up.
  • The driver picks them up and takes them to the provider's address.
    • The charges are handled by the provider.

A few areas of concern we should evaluate in the Uber Health HIPAA compliance program:

  1. Providers should do a risk analysis for the implementation.
    1. They mention all over the documentation that you can download a CSV with the details of the trips, including an Internal Memo Field for billing codes and patient IDs. Clearly, providers need to understand their risk in managing this information properly on their end.
    2. Yes, it is the provider's responsibility, but how many times does something like this get skipped? “No need to worry, it is all HIPAA compliant.”
    3. Please, providers, educate yourselves on what all of this requires from you.
  2. Given their history, what happens when they have a data breach?
    1. Have they learned their lesson, or will some provider be left in the wind after a data breach makes the news?
  3. Privacy is probably going to be an issue somewhere down the road; the only question is how big.
    1. Here is what concerns me about the whole service from a HIPAA perspective, no matter which company: the drivers. Here is how Uber says they have this handled:
      1. When a driver receives an Uber Health trip request, it is indistinguishable from any other type of Uber request to protect patient privacy.

If you have ever gotten in a taxi or used a rideshare, you know the drivers like to chat. (What else are they going to do?) I know that all it takes is one question to my mother and off she will go for the whole ride, telling the driver the details of her ailments. Yes, it is her choice to share all of that, but when it happens in a “HIPAA environment” the driver can't treat that information the same way they could if the patient had called the ride-sharing service themselves.

Also, even if the patient doesn't tell the driver anything, what happens when the same driver picks someone up two or three times to take them to chemo? There is no way the driver isn't aware of what is happening, even if the patient never says a word.

We just got a report from Verizon showing that insider issues and misuse are the biggest data breach problem in healthcare. Doesn't this fall right into that trap?

We certainly agree there is a need that these types of services can fill. However, it isn't something that can be implemented easily without thinking through a lot of scenarios that could easily happen. Stay on top of evaluating the possibilities as you consider implementing these and other new services.