Mobile health devices make it possible for clinicians to monitor patients’ health on a day-to-day basis, regardless of their physical location. These technologies can greatly improve care for patients who are not well-served by the traditional healthcare system. Canadian healthcare providers do, however, need to consider several important regulatory and privacy concerns as they adopt mobile health devices.
Mobile health devices are an exciting new development in global healthcare. In Rwanda, lab-on-a-chip technologies are being used to provide highly accurate HIV tests and automatically send results to patients’ electronic health records via cell phone networks. Closer to home, mobile phones and tablets are being adapted to monitor heart rate, blood glucose levels, and other health indicators and upload results to online portals accessible to patients’ healthcare providers. These technologies are particularly well suited to supporting patients who find it difficult to travel to a doctor, such as people in remote areas and housebound seniors. They are also extremely useful for monitoring complex and chronic health conditions. Mobile health devices have the potential greatly to improve care for patients who are not well-served by the traditional healthcare system. Canadian healthcare providers do, however, need to consider several important regulatory and privacy concerns as they adopt mobile health devices.
Healthcare providers that give patients mobile devices which use cell phone networks are considered by the Canadian Radio-Television Telecommunications Commission (CRTC) to be telecommunications resellers. While the CRTC does not directly regulate resellers, these are none the less obligated to meet certain compliance requirements:
- Any mobile devices that have voice communications capabilities have to have 911 service capabilities. If devices can be used for phone calls (even if this is not their intended purpose), the CRTC requires that providers test the devices to ensure that they can make 911 calls. If devices are not capable of voice calls, patients need to be explicitly informed of this, and the devices should not look like cell phones (i.e. have features such as keypads).
- Resellers must report user complaints about mobile devices within five days to the Commissioner for Complaints for Telecommunications Services. Ideally, users’ issues will already be resolved by the time complaints are reported.
- Devices must be adapted, as needed, for people with visual disabilities. This is both a CRTC requirement and a requirement of the Accessibility for Ontarians with Disabilities Act (2005).
- Resellers must follow CRTC guidelines of transparency, innovation, clarity and competitive neutrality. This means that they must clearly explain services to users and make information about their business practices available to the public. Competitive neutrality means that users must have the option to switch telecommunications service providers. This means that healthcare providers managing mobile health devices need to have agreements with all national telecommunications carriers. While most urban patients will not be concerned with which carrier serves them, remote areas may not be served by all carriers, and healthcare providers need to be able to switch patients to a carrier that serves their home.
It is also highly advisable for telecommunications resellers to monitor their compliance with CRTC requirements, follow CRTC rulings, and participate in relevant meetings and boards.
Mobile health devices take patients’ personal health information outside of secure healthcare settings into the community. This raises a couple of important privacy issues:
- Mobile service providers to health devices will have records of patients’ names, addresses, and type of device, and will know that they are participating in a mobile healthcare program. Any employee in the telecommunications company serving a mobile health program will potentially be able to access this information. The worst case scenario is that an employee could steal contact information for vulnerable patients, such as seniors, and sell it to fraud artists. Patients need to be told who will have access to their personal information and what risks this may pose.
- If a mobile health device is lost, this should be considered a privacy breach, as the SIM card in the device will contain personal information. The healthcare provider will need to be able to respond in 5 days, for example, by disabling the SIM card or tracking the device’s location. Patients need to know that there is personal information on the SIM card and that they should contact the healthcare provider if they lose the device.
Mobile health devices have a great potential for extending healthcare services beyond traditional settings, and in particular, helping patients with complex health needs better to manage their conditions. In adopting these devices, healthcare providers need to take into account the needs of patients with differing abilities in diverse geographical locations. They also need to ensure that patients are thoroughly informed of how their personal information will be managed and whom to contact for help with the device. By planning ahead to fulfill mobile device users’ rights, as set out by CRTC requirements and privacy laws, healthcare providers can offer sensitive and responsible support to patients in need of innovative healthcare approaches.
Canadian Radio-Television Telecommunications Commission. Telecom Resources.
Bill Malone (2013). The Rise of Mobile Health Devices. Clinical Laboratory News 39.5.
Privacy Impact Assessments
Making Privacy Agile: Privacy Impact Assessments for an Agile IT Environment
Risk-Based Privacy Maturity Model