Applying Mobile Technologies to Medical Health Information of Schools by nabiljutawan


More Info
									Literature Review

The Applications of Industrial and Domestic Scanning Devices

A growing problem with the confidentiality of electronic medical records
(EMRs) has led to renewed interest in studies of secure communication and
storage. One area of improvement is in the security procedures taken to
ensure the invulnerability of electronically scanned personal health

For instance, modern industrial devices have obtained the ability to
scan, print, copy, email, and fax information. Those intended for
commercial use usually require a hard drive to help it process
information at a faster rate. In contrast, those devices of more domestic
origins do not require this extra feature because they are not designed
to accommodate such a large amount of data.

However, machines that contain hard drives are capable of storing distant
traces of the information that is transferred through it. For this
reason, it is a liability issue for companies that handle secure
information, especially if an outside party were to examine the device.
In addition, the process to access the confidential information may not
require intense labor because it can be retrieved wirelessly or by direct

In consideration of the sensitive data storage, devices that include a
hard drive often come with a security plan that may consist of two
functions: encryption and overwriting. The former is a specified code
that acts as the only key to the information whereas the latter alters
the bit composition of the file by using symbols to obscure the device
memory of its whereabouts. Machines will generally allow the user to set
the number and regularity of the overwriting process. Incidentally, the
issue is complex because some devices can store information directly on
the hard drive. This poses a problem because the data is not secured by
either protection method.

Another security method for such a device is the ability to define a
passcode for the hard drive so that if it is removed, the information
cannot be accessed without the specified solution. Further, if a device
is leased, then it is important to insure that the hard drive will remain
permanently with the leaser at the end of the agreed settlement. In the
event of a terminated contract, it is also critical to have an
information technology (IT) professional remove the hard drive(s) because
unseen obstacles may be present inhibiting disposal such as specific
firmware that with the elimination of its memory can render the machine
useless (Federal Trading Commission, 2010).

Policies and Regulations of HIPAA and FERPA

Recently, patients have expressed an interest in the security and
confidentiality of their personal health information (PHI). However,
healthcare professionals are often uncertain about how to properly apply
privacy policies such as HIPAA (Health Insurance Portability and
Accountability Act of 1996) and FERPA (Family Education Rights and
Privacy Act). The following attempts to correct ambiguity surrounding
both FERPA and HIPAA policies to aid professionals in correctly
implementing them. Yet there are still ongoing discussions addressing the
overlap of these two laws, and therefore, new protocols resulting from
these conversations must be anticipated.

A government-issued law, the Family Education Rights and Privacy Act,
addresses the majority of public education institutions and both public
and exclusive postsecondary establishments. The law insures the
protection of each student's education records. This policy differs from
the Health Insurance Portability and Accountability Act of 1996 because
it categorizes medical information as a student education record rather
than a separate entity.FERPA applies to those institutions that receive
funding from the U.S. Department of Education. This law applies to an
institution collectively meaning that each separate branch is also
affected by the policies of FERPA.

In contrast, parochial and independent schools normally do not receive
federal funding due to their private nature; this circumstance allows
them to be unaffected by FERPA. However, this is changed if, for example,
a student with a learning disability is placed in a private institution
to better meet his or her needs. If the student is sponsored by his or
her school district, then the school is still given the responsibility of
insuring that the student's education records are kept in compliance to
FERPA. It is significant that FERPA only affects the records of that
particular student, not the entire student body as a whole.

In addition, establishments that are affected by FERPA normally will not
allow communication of a student's records unless there is a parent
signature consenting release or permission from an eligible student. The
latter is defined to be someone of at least eighteen years of age or a
student enrolled in a postsecondary establishment regardless of age. Both
the student and his or her parents can examine the records and request to
have errors corrected if necessary.

Under FERPA, the definition of education record is narrowed to two main
specifications: the forms must be in direct correlation to the specific
student, and an established academic company must maintain them.
Immunization records as well as general health information kept by the
nurse of the educational establishment are subject to FERPA policies.
This also includes, in the case of students with different education
needs, any documents recording assistance given by the IDEA (Individuals
with Disabilities Education Act).

In regards to postsecondary education establishments, records referred to
as treatment records are not subject to the policies of FERPA. These
records include information concerning medical and cognitive treatment.
However, these records must only be used by professions providing
treatment and kept with the student for informational purposes. If
permission is granted from an eligible student and this information is
disclosed for a reason other than medical care, then the records are
affected by all FERPA regulations.
Similarly, the Health Insurance Portability and Accountability Act of
1996 came about in order to protect the privacy of individual personal
health information. In the past few decades, the AIDS epidemic became a
point of discrimination among hiring prospective job applicants. The
government recognized this injustice by establishing a national set of
security standards protecting each individual's records.

HIPAA serves to protect the confidential information of patients as well
as to refine the healthcare network by establishing national regulations
and standards for electronic healthcare procedures. The law affects
covered entities, which includes all institutions associated with a
health care provider. These are companies that supply medical services
(hospitals) as well as other informal providers such as dentists,
specialized practitioners, and physicians (United States Department of
Health and Human Services, 2008).

Also, federal services established the HIPAA Privacy Rule to securely
protect the personal information of patients in addition allow medical
practitioners to provide excellent care. The Privacy Law applies to
health service plans (except a company consisting of 50 or less
participants who receive care coverage directly from their employer and
government organizations with a main goal of providing something other
than just healthcare funds), healthcare providers, and data
clearinghouses. The Privacy Law protects PHI (personal health
information), which is defined as individually identifiable health
information. However, the Privacy Law does not affect de-identified
information because of its anonymity (United States Department of Health
and Human Services, 2003). Covered entities must protect the confidential
data by complying with a certain standard of secure protection and must
set limitations on the transferal of health records without written
patient consent. This regulation encourages the rights of patients
because it grants them the ability to view files, to maintain a copy of
files, and to correct files if necessary (United States Department of
Health and Human Services, 2008).

Despite their differences, the two policies must merge on certain
occasions. For example, if a school provides medical treatment through a
clinic, the institution is considered a medical provider and must abide
by the HIPAA Administrative Simplification Rules for Transactions and
Code Sets and Identifiers, especially if it electronically communicates
information to the health care company. However, the records of the
students are not kept under the HIPAA Privacy Law standards because by
definition, they are education records and are maintained by the school.
This renders them exempt from the HIPAA regulations.

The HIPAA Privacy Law normally does not affect elementary and secondary
schools because they are not defined as covered entities or the schools
are defined as covered entities but do not maintain confidential medical
information. Although the school may employ medical practitioners, the
staff usually does not become involved in covered transactions, and this
allows the school to remain a non-covered entity. If a school were
involved in billing a health care company, then it would have to follow
the HIPAA Administrative Simplification Rules for Transactions and Code
Sets and Identifiers. Because the records maintained at the school are
categorized as education records, they are not kept under the HIPAA
Privacy Law by FERPA regulations.

Also, schools are not allowed to share the confidential information in
the education records without written permission; however, there are two
exceptions to this rule: if school administration has a legitimate reason
for the disclosure of the information for educational purposes only, then
written consent is not mandatory, and in the event of an emergency,
information can be given to medical officials to ensure the student's

Regarding postsecondary establishments, FERPA and HIPAA are both
applicable, albeit under different circumstances. Most schools maintain
education records and treatment records and thus are subject to FERPA
policies. If a school shares treatment records for a reason other than
communicating with the primary care provider, then the information
becomes part of the education records, and written consent must be
provided before it can be shared. In addition, if a postsecondary
establishment provides medical care to individuals that are not enrolled
as students, such as faculty and the public, these records must comply
with HIPAA regulations including the Privacy Law, but the records of the
enrolled students are considered education or treatment records so they
are, by definition, FERPA records.

Additionally, a student's health records may be disclosed to a primary
care physician directly involved in treatment of the patient under FERPA.
If a student wishes to have another medical professional review his or
her records and the professional is considered a covered entity, then the
records may be subject to the HIPAA Privacy Law. If a student's
confidential information must be disclosed for a reason other than
treatment, then it must be disclosed as an education record meaning that
written consent is mandatory.

In contrast, under the HIPAA Privacy Rule, a patient's information may be
disclosed only if the information is reasonably thought to prevent
serious injury to the patient or others or if the information is sent to
a person that can lessen the potential threat.

In a similar manner, the FERPA policies allow a patient's information to
be disclosed without consent under its exceptions policy. This means that
with reasonable cause, a patient's information may be given to
authorities, parents, and other professionals if there is serious cause
to believe that the patient is a threat to his or herself or others
(United States Department of Health and Human Services, 2008).

Security of Electronically Stored Medical Records

EMRs are forms that follow the patients' activities and interactions with
healthcare providers. Unlike an EHR (electronic health record), the
provider rather than the patient owns the EMR, and it is used by the
healthcare providers to record, observe, and analyze medical treatment.
Sensitive information such as lab results, treatment plans,
prescriptions, and specialized jargon notes pertaining to the patient's
specific condition can be found in the EMR. On the other hand, solely the
patient owns the EHR. He or she is able to insert personal recordings
into this record, and more than one healthcare provider can access the
documents for reference.

The methods to store medical records comprise paper-based records,
electronic records, and a combination of the two. There are four reasons
that former president George Bush supported the conversion to electronic
medical records (EMRs): it is cost-effective, it is mandated by law, it
allows offices to remain technologically advanced, and it provides
influence over the opinions of prospective patients. It is 17-24% of
mobile physicians who have already converted to EMRs; however, it is
probable that most professionals' reservations stem from the need to
upkeep a secure encryption on the confidential data.

Also, a significant component of comprehending proper security of medical
records comes with a clear understanding of the HIPAA policies. These
policies limit the accessibility of patients' medical information and
place businesses that handle sensitive data under rigid constraints. For
example, one policy mandates that the business adhere to all privacy
standards. This was enforced by the publication from Centers for Medicare
and Medicaid Services to the Office of E-Health Standards and the U.S.
Department of Justice in February of 2003.

Although EMR-based offices face multiple problems: efficiency tends to
decrease, software expenses increase, and chances of breeching HIPAA laws
increases; however, these problems are countered by tax reductions and
easily obtained loans. In addition, software geared toward securing EMRs
is not highly regarded because of its high cost, and this makes
converting to electronic storage a near impossibility for small

Yet, offices that have converted completely to electronic health medical
records are still required to complete paper-based forms on occasion.
Software utilized by electronic offices range from sound files, voice-
recognizing products, information taken from other electronic devices
such as electrocardiogram monitors and individually inputted text
information. These different input sources provide a higher analysis of
data but are unable to perform the archaic task of painstakingly
completing paper documents.

Nevertheless, there are also documents that have been specifically
created to allow transfer between healthcare providers: the CCR
(continuity of care record) and the CCD (continuity of care document).
The former was created by the ASTM (American Society for Testing) in June
of 2005 and was developed from a generic form that all physicians
complete before dismissing a patient to the care of a long-term care
provider. Also, the altered form can pass between different healthcare
suppliers and distributes information such as address, medical
background, and current treatments. In addition, the Health Level 7 (HL7)
and the ASTM produced the latter form so that it was compatible with the
CDA (clinical document architecture). The CDA (2010) enables health
institutions to transport more than one form of medical information.
Thus, the CCD was created as a hybrid between the two medical formats and
allows offices that had already adapted CDA to communicate the CCD
through HL7 communication software.

It is the software PDF Healthcare that is significant in the recent
development of useful applications. This technology allows doctors to
attach images and documents to CCRs and CCDs, and it grants patients the
ability to manually decide what information they want to share or keep

Electronic offices have two security requirements to fulfill. The first
is communication security, which is the promise of the healthcare
provider to have a secure connection link between any parties that EMRs
may be transported to for review. The second is accessibility security,
which is the provider's affirmation that medical information is shared
with only those who are legally allowed to view it. In regards to
efficient security, it is advised that companies use a more advanced
method of safeguarding their patients' files than just a WEP (Wired
Equivalent Policy) password, which protects the wireless Internet
connection from unwanted users.

Moreover, any electronic medical record storing system should have
functions that allow a designated person to add users as well as
deactivate terminated accounts. The institutional employees should be
given just enough access to the medical information to perform their
daily duties and no more. This process will insure a secure system (Kahn
& Sheshadri, 2008).

Paper medical records can be viewed by anyone, and security breeches may
not be detectable because there is no way to monitor those who have
viewed them; however, while EMRs provide greater protection because there
are more advanced security systems available, the records store such
sensitive data that it is absolutely essential that the information is
well secured to protect the integrity of the patient. Because personal
health information (PHI) includes particulars such as social security
number, credit cards, location, phone numbers, primary care physicians,
etc., it is said to contain the most sensitive, identifiable data of a
patient and therefore must not be disclosed to third parties without
written consent.

While modern industries have greatly benefitted from IS (information
systems) and IT (information technologies), which allow them to excel as
a competitor in the economy, precautions must still be implemented. Many
companies also utilize healthcare information systems (HCIS), which
improve the medical treatment in the facility as well as lowering
substantial costs. However, the switch to electronic health records
(EMRs) causes great concern to patients because it is easier for
confidential information to be accessed; thus, total security must be

It is important that medical companies establish a privacy system that is
heavily enforced so that security breeches do not occur. A clear, well-
explained system that is practiced daily allows employees to become
familiar with the privacy policy and prevents accidental violations of
HIPAA. Two areas that must be secure are the accessibility of medical
files and the accessibility of information recorded by audit logs.

Currently, two widespread methods of access control include certified
information retrieval and authentication. The former allows access to
medical information by absolute necessity. The data is categorized into
sections of who may view that particular set of data, and those who are
able to view the information may so in order to carry out the primary
occupational functions. The latter requires information to gain access to
the confidential data such as a username and password, fingerprint scans,
an identification card, etc. The problem with using a password or an
identification card is that the items may be left in the open and
inevitably stolen. Passwords can become so difficult to remember because
of their requirements that they may be written elsewhere for others to
see. Moreover, biometric identification, such as a retina scan (M.
Buttkus, personal communication, December 18, 2011), is more secure
because it is unique to that particular individual and is more difficult
to imitate (Li & Shaw, 2008).

Audit logs, an additional form of security, grant the user the ability to
monitor all sources that have access to personal medical information. The
program records the times users access information and what functions
they perform on it. Also, this record of access allows industries to
provide the security that HIPAA demands. The technology also allows
unauthorized breeches of information to be tracked and identified (Li &
Shaw, 2008). However, this system is effective only in the post-breach
phase; it does not secure the data in any way. It truly serves to monitor
the activities on a server so that in the event of a confidentiality
infraction, the person(s) responsible can be located (M. Buttkus,
personal communication, December 18, 2011).Audit logs are complex and
secure in monitoring private information; they serve to ease patients
because they assist in protecting confidential information at the highest

Paper medical records can be viewed by anyone, and security breeches may
not be detectable because there is no way to monitor those who have
viewed them; however, EMRs provide greater protection because there are
systems that help secure the sensitive information.

While switching to EMRs provides doctors with easy access to a patient's
complete medical history rather than fragmented information, improper
attention to secure methods can result in tragedy for the patient. There
are advantages to running an office on EMRs. For example, HCIS can supply
doctors with the most up-to-date research in a particular field so
doctors can take this information into account before they determine a
diagnosis. In addition, healthcare professionals have agreed that a
switch to electronically kept medical records as well as electronically
prescribed medicine will reduce the risks of misunderstandings and
improve the safety of patients.

It is significant to account for the variety of people who may come into
contact with personal medical information: physicians, nurses,
receptionists, lab technicians, clerks, and healthcare providers. In
order for the switch the EMRs to be successful, patients must be
confident that their information is kept secure, and without this trust,
the new system will never take hold.

Some identified weaknesses of companies that do not comply with HIPAA are
a) there are not strong enough rules on record accessibility, b)
organization systems have not been audited or observed closely, and c)
there is an absence of an emergency access plan in case of an accidental
information leak.

In a specific case study, Dr. M. D. Anderson's approach to managing
confidential health records in accordance to HIPAA is examined. The
medical center uses unique software that allows patient data to be
incorporated into recent medical studies. It is said that a great benefit
to having electronic medical records is that information is easily
accessed in addition to the data being current and well recorded for
billing rights.

However, Dr. Anderson's faculty have realized that because the office has
such a large quantity of information on hand, securely protecting the
information is a much greater task. Because of this, standards for
required auditing have been defined as follows: (1) the date of access
must be recorded; (2) the location of the facility or person that
received the information must be recorded; (3) a concise summary of the
information disclosed must be recorded; and (4) a short explanation
written by the discloser about the purpose of communication must be
recorded (Li & Shaw, 2008).

PHRs (personal health records) provide an easy method for individuals to
store and access their own medical information. Because it is a common
occurrence for individuals to possess their own PHRs, USB-based storage
appliances are being created to allow for direct access. This article
touches on two main devices and examines the successes of the products.
Both of these devices used Microsoft Access as their database of choice.
The analysis showed that there was a key factor missing in the encryption
of the programs. The distributor stored the user-specific password as a
line of code inside the database rather than having the users create
their own password. The database was then encoded with a passcode, which
allowed the distributors to access the information. This generated a
problem as the users' passwords could be recovered without much energy.

Personal health records can be accessed in a variety of ways; these
include but are not limited to Internet webpages and mobile universal
serial bus (USB) devices.

The first device the article discusses is the Personal HealthKey, which
is manufactured by CapMed in Newtown, Pennsylvania. The manufacturers
claim that the information stored on the device cannot be obtained
without the patient's request. The second device is called E-Health-KEY,
which is produced by MedicAlert located in Turlock, California. The
manufacturers' statement about the functionality of the product claims
that the stored information can be shared at the user's discretion. Both
devices share similarities in that their main function is to store PHRs
and other medical information. They are designed for a keychain, and
manufacturers claim that the devices are securely protected with
appropriate encryption.

The two devices were received in either sample form or were simply
purchased from the manufacturers. Because both devices offered encryption
options, the settings were activated, and tests were conducted to inspect
storage methods and the database systems. Following analysis, both
devices were found to have a password security system where the
distributor administered the password. Also, in the event of an
emergency, a certain amount of information could be accessed without a
passcode. Each device secured its files using the Microsoft Access
database, but accessing the records was not an arduous task. Thus
information was easily recovered. Both device administrators chose to
protect the users' confidential information by placing the patients'
chosen password under a common encryption, which was scrambled into the
code of the file. The unscrambling of the code was relatively simple, and
thus, the devices were not secure. This encryption strategy posed a
problem as the protection was not what was advertised, and it also meant
that the manufacturers could access the users' information, which may not
be to the liking of the patients.

There were three inadequate spots in the devices where the encryption
plan did not meet the required standards of protection. These were a) the
manufacturers chose to master encrypt all of the users' information with
a password of their own, b) the common encryption allows the manufacturer
access to the users' confidential files, and c) the manufacturers utilize
the security systems already put in place by another system, namely the
Microsoft Access database.

There are four suggestions on how to maximize the security of such a
device: confidential data should always be protected by the password
chosen by the user, encrypted material should not be accessible by the
manufacturer unless written permission is granted with the purchase of
each device by the user, manufacturers should not depend on the security
systems of other companies, and the input from an encryption professional
is preferable as he or she tends to have a much clearer understanding of
security than the average programmer (Wright & Sittig, 2007).

Another software, PCASSO (patient-centered access to secure systems
online), works to utilize the versatility of both the Internet and its
technologies to raise the quality of health care. The program allows
administrators to control the information accessibility of other users
and has a strong security program containing multi-level protection and
audit recording. PCASSO works to use high security protection to ensure
the constant confidentiality of patients' health information. In
addition, the application strives to grant patients the ability to be
more involved with maintaining and accessing their personal records
(Baker & Masys, 1998).

However, the Internet is teeming with risks: the level of security is
breeched because of the hackers that currently exist, IP (Internet
protocol) addresses can easily be fabricated, and they also cannot be
connected specifically to a computer, passwords can easily be obtained,
and the security of any information released on the Internet is at stake
because of the phenomena known as Trojaned programs. These systems are
programmed to function as any other application but inconspicuously
collect data from the users without their knowledge or consent.

Another advantageous aspect of the program is that users do not have to
purchase addition software to utilize its functions. This allows
prospective users to see the planning that went into the programing of
the application. The program encourages use by providing a simple, easy-
to-use interface.

Program security includes five levels of protection: low (de-identified
information), normal (regular health information), deniable (confidential
information such as HIV/AIDS), minor-guardian-deniable (confidential
information of a minor that must be authorized for release by an adult
over 18), and primary-deniable (information that a primary caregiver sees
as potentially damaging if it were to be released). Another special
feature is that first responders can access emergency information of a
patient for up to 72 hours.

Although the system is outdated in the sense that floppy disks are
utilized, the model is a great example for current day programs (Baker &
Masys, 1998).

Record Scope and Design (Medical Record Contents)

Health information is defined as any material, be it written or oral,
that is produced and maintained by primary health care providers, health
insurance carriers, public wellness officials, medical record
clearinghouses, places of work, or places of learning. Health information
deals with any form of mental or physical form and the fees that may have
accompanied any treatment. Individually identifiable health information
(one in the same as protected health information) specifically singles
out an individual as being the owner of that data. This includes but is
not limited to demographic information.

However, individual records can go through a process known as
deidentification that allows the information to pass under the many
federal privacy laws. The concept allows companies to release information
for further analysis without being under the laws of HIPAA. If a company
removes all trace of identification from a document so that no individual
persons can be identified from the information provided, then the
information is referred to as deidentified. Information that must be
deidentified comprises all demographic information, dated information,
personal telephone and fax information, electronic mailing information,
social security information, medical record number information, personal
banking account information, license information, IP and URL information,
biometric information, photograph information, and personal information
such as names must be removed in order to comply with code (Jones, 2009).

 Previous Studies and Designs
Progress in the areas of electronic mobile applications has created a
surge of studies in new, useful innovations designed to aid professionals
in their occupational demands. For example, certain programs were
designed for use over the Internet. Specifically, the Integrated System
for Generation and Retention of Medical Records (U.S. Patent No. 969,
221) is an innovation that stores patient medical files and allows
physicians to compare their notes to current, up-to-date research in that
particular medical field. The program also provides an easy method to
track patients' medical bills. In compliance with privacy laws, the
database continuously stores all confidential patient medical information
in a secure environment (Miglietta & Ripperger, 2008). Similarly, Method
and System for Providing Current Industry Specific Data to Physicians
(U.S. Patent No. 7, 509, 263) allows physicians the ability to view
current medical data as well as their own patients' information on a
mobile device. The confidential information can be shared securely with
covered entities. The program also instructs the computer on how to
communicate information between different sources so that the data and
the mobile device form a health information dispensation protocol
(Fiedotin, Tangney, & Lee, 2009).

Other applications focus mainly on compiling all past medical information
into one location in order to grant easier access to medical history so
that physicians can better understand the patient's condition. For
instance, Patient Directed System and Method for Managing Medical
Information (U.S. Patent No. 628, 876) provides a database that stores
all past and current information on patients. The program incorporates
files from previous healthcare providers and primary physicians and
categorizes and stores them for easy retrieval (Mok, Jopling, and Mattox,
2009).Records Access and Management (U.S. Patent Application Publication
#US 167,746) relies on an electronic device that compiles EMRs from
various sources into one location. The medical record inventory is stored
in various ways to allow outsider access to information without releasing
the identity of the patient. The device can be associated with other
validated devices and facilitates emergency access to the information
following the verification of the authentic identification as a medical
care provider (Raduchel, 2008). Personal Medical Data Device and
Certified Methods (U.S. Patent No. 770,123) also provides a refined
system to store personal medical information on a handheld device. The
user interface is simple and clean, which makes navigating through the
program an easy task as opposed to more complex menus (Abbo, 2010).

Having a less specific function, systems have been patented with a
function to securely transfer documents of any nature securely over a
specified server. System and Method of Permissive Data Flow and
Application Transfer (U.S. Patent Application Publication #US 0174010)
works to improve the interface connection between a remote device and a
confined device. The main function is to allow secure communication of
documents and records between two or more parties; in addition, the
program allows the sender or the administrator to control the access and
privileges of the recipient. This means that the sender can set how many
times the recipient can view the document, if he or she can edit the
document, and if he or she can print the document. The program is
equipped with a thin-client system to help adjust to the specific
environment (Rice, 2001).
Similarly, Secure Flash Media for Medical Records (U.S. Patent
Application Publication #US 494, 694) securely protects sensitive data by
utilizing a mobile mechanism. The device contains a -microarchitecture
connected via an interface to a flash memory on the device.- The internal
microarchitecture permits users to view the secure contents when a
password is entered into the program. The primary owner of the
information is then capable of sharing his or her personal information
with other trusted entities. The program distributes this confidential
information by using a public key. The invention permits users to share
sensitive information in a secure environment over multiple networks and
locations (Tafoya, Baca, Trodden, & Ferguson, 2006).

Also, System and Method for Usage of Personal Medical Records in Mobile
Devices (U.S. Patent Application Publication #186, 011) utilizes the
ability of mobile devices to store documents. The documents (XML form)
created contain sensitive medical information. They can be transferred
from the mobile device directly to a PSAP (public safety access point) in
the event of an emergency, and they can also be communicated to a NFC
reader/receiver (near field communication) that allows individuals to
transfer personal information directly to a form. What is more, the
application allows these XML documents to be transferred via HTTP
(hypertext transfer protocol) to online questionnaires, which enables
patients to easily purchase medication via Internet (Bajko & Kiss, 2008).

For practitioners who do not wish to purchase a separate mobile device to
access medical files, there are multiple systems already existing that
can store and obtain electronic medical information. Such software
includes HanDBase and Patient Tracker; however, a problem arises with the
former when the primary physician must share information with more than
five other individuals. This requires a central computer to which all the
information is synced and a team of professionals to establish the
wireless connection. The latter allows physicians to electronically
preserve patients' data. The program is compatible with both handheld
devices such as a tablet. In addition, the computer-based program allows
data to be accessed through a main device and off-site handheld devices,
which provides many outlets of secure accessibility for users (Paton &
Al-Ubaydil, 2006).

Literature Cited

Abbo, F. E. (2010). U.S. Patent No. 770,123. Washington, DC: U.S. Patent

Trademark Office.

Bajko, G. and Kiss, K. (2008). U.S. Patent No. 186,011. Washington, DC:
U.S. Patent

and Trademark Office.
Baker, D. and Masys, D. (1998). PCASSO: a design for secure

communication of personal health information via the internet.
International Journal of Medical Informatics, 54 (1999), 97-104.

Federal trading commission. (2010). Copier data security: a guide for

businesses. In Bureau of consumer protection business center. Retrieved

Fiedotin, A., Tangney, J., and Lee, T. (2009). U.S. Patent No. 7,509,263.

Washington D.C.: U.S. Patent and Trademark Office.

Jones, E. (2009, September). HIPAA -protected health information':

what does PHI include?. Retrieved from

Kahn, S. and Sheshadri, V. (2008) Medical record privacy and security in

digital environment. Healthcare It, 1(2), 46-52.

Li, J. and Shaw, M. (2008). Electronic medical records, HIPAA, and

patient privacy. International Journal of Information Security and
Privacy, 2 (3), 45-54.

Miglietta, J. H. and Ripperger, J. B. (2008). U.S. Patent No. 969,221.
Washington, DC:

U.S. Patent and Trademark Office.

Mok, M. W. H., Jopling, A. D., Holvery, R. D., and Mattox, J D. (2009).
U.S. Patent No.

628,876. Washington, DC: U.S. Patent and Trademark Office.

Paton, C. and Al-Ubaydil, M. (2006). The doctor's PDA and smartphone

handbook: medical records. Journal of the Royal Society of Medicine, 99,

Raduchel, W. J. (2008) U.S. Patent No. 167,746. Washington, DC: U.S.
Patent and

Trademark Office.

Rice III, J. (2001). U.S. Patent No. 0174010. Washington D.C.: U.S.
Patent and Trademark

 Tafoya, R., Baca, J. S., Trodden, T., and Ferguson, E. I. (2006). U.S.
Patent No. 494,694.

Washington, DC: U.S. Patent and Trademark Office.

United States Department of Health and Human Services. (2003).

Summary of the HIPAA privacy rule. Washington, DC: Office for Civil

United States Department of Health and Human Services. (2008). Joint
guidance on the

application of the Family Educational Rights and Privacy Act (FERPA) and
the Heath Insurance Portability and Accountability Act of 1996 (HIPAA) to
student health records. Washington, DC: Office for Civil Rights.

Wolfram Alpha. (2011). How many students in the US. Retrieved October 30,
2011, from

Wright, A. and Sittig, D. (2007). Encryption characteristics of two USB-

personal health record devices. Journal of the American Medical
Informatics Association, 14, 397-399.

To top