For healthcare organizations, protecting sensitive patient data is critical for avoiding financial losses, operational disruptions, and regulatory fines—while also shielding patients from identity theft and fraud. But organizations must balance security and privacy with data access. Providers and payers must be able to access patient data without excessive difficulty so they deliver timely care, generate new insights, and provide efficient services. In addition, patients should be able to access their own information without excessive effort.
How can your organization sufficiently protect healthcare data and simultaneously enable authorized access? Following several established frameworks, regulations, and best practices can help you develop a robust data protection strategy—one that maintains data security and privacy while still allowing legitimate access.
There are several government regulations and frameworks that can serve as guides to developing a data protection strategy in healthcare. In the United States, HIPAA (the Health Insurance Portability and Accountability Act of 1996) sets standards for safeguarding protected health information (PHI). In Europe, the General Data Protection Regulation (GDPR) governs how organizations doing business within the EU must secure the personal data of EU residents.
The HIPAA Security Rule, created by the U.S. Department of Health and Human Services (HHS), sets standards for how organizations should protect patients’ PHI and electronic PHI (ePHI).
The rule mandates that organizations must:
The rule also provides some guidance on how organizations can adhere to those requirements through physical, technical, and administrative safeguards. For example, organizations must: ensure that physical facilities housing ePHI are fully secured; implement sufficient data access controls; and conduct risk assessments to identify vulnerabilities.
The Privacy Rule, also created by HHS, sets standards for protecting the privacy of patients’ medical records and other PHI. The rule restricts how and when PHI can be disclosed without an individual’s authorization and establishes an individual’s rights to PHI. This is the rule that highlights the need for balancing data protection with the flow of information. The goal is to permit some important information uses while also protecting patient privacy.
The GDPR applies to all industries, not just healthcare. It provides a framework for how organizations may collect, process, store, and transfer personal data. And like the HIPAA Privacy Rule, it establishes rights for individuals about their personal data.
Though the GDPR was enacted in the EU, it applies to organizations across the globe. Any organization that does business in the EU or processes data collected in the EU is subject to the GDPR.
In addition to HIPAA and the GDPR, there are a number of country- and region-specific regulations that might apply to healthcare organizations. For example, China, India, Brazil, Mexico, Canada, and South Africa all have bills and laws pertaining to information privacy. In fact, 78% of all countries across the globe have some privacy legislation in place.
Before your organization can develop a data protection strategy, you should understand what exactly you need to protect.
According to the HIPAA Privacy Rule, PHI is “individually identifiable health information” held or transmitted by a covered entity in any form—including electronic, paper, or oral form. It might include someone’s name, address, birthdate, social security number, as well as any information relating to their health status, healthcare treatment, and payment for healthcare. In other words, it applies to information that might enable an individual to be identified. A “covered entity” includes healthcare providers, health plans, clearinghouses, and any of their business associates.
Not all health information is PHI. “De-identified” health information does not identify an individual or enable someone else to determine an individual’s identity. De-identified information can be created by removing identifiers from protected data.
HIPAA rules do not have any restrictions on the use or disclosure of de-identified health information. Healthcare organizations can use this information for analytics, AI, or other applications without requiring consent from individuals.
While organizations can provide access to PHI for accepted applications, they must limit that access to the “minimum necessary” use and disclosure. That is, they can provide access to PHI to accomplish a specific intended purpose, but nothing more. So, for example, a payer should be able to access PHI to process claims, but the payer should not have access to full patient histories: A provider should deliver only records relevant to specific claims.
HIPAA, the GDPR, and other data privacy regulations establish individual rights regarding data privacy. These regulations ensure that individuals can access their own data and restrict access by other entities.
Patients have the right to review and obtain a copy of their PHI. A patient can request any records used for diagnostic or treatment decisions, as well as any billing records. Moreover, patients can require healthcare organizations to amend their PHI if information is inaccurate or incomplete. There are only a few exceptions to access: For example, patients may not have access to psychotherapy notes, information compiled for legal proceedings, and some lab results.
Individuals also have the right to request that healthcare organizations restrict use or disclosure of their PHI. For example, an individual might request that one provider not disclose certain information to another provider. Or a patient might request that results of a genetic test be withheld from providers or payers. However, providers or organizations receiving these requests do not have to agree.
A patient also has the right to refuse to have their PHI used to support a clinical trial. Of course, a provider could also condition treatment on participation in a clinical trial.
Individuals can request that their providers or insurance companies deliver PHI to them in a way that is different from what the organization typically employs. If a provider typically communicates through an online portal, for example, the individual can ask to receive communications by mail instead. Healthcare organizations are supposed to accommodate reasonable requests.
HIPAA specifies how healthcare organizations should maintain data protection and data privacy. These requirements are good guidelines for a data protection and data privacy strategy.
According to the Privacy Rule, organizations should develop and implement written privacy policies and procedures. They should implement administrative, technical, and physical safeguards in place to protect data. And they should train their workforce on privacy policies and procedures.
In the event your organization suffers a data breach that involves PHI, you must notify individuals affected, the Secretary of the Department of HHS, and—in some cases—the media. These notifications must follow particular timelines and include a range of information: For example, you need to notify individuals within 60 days of discovering a breach. You must tell those individuals what happened, what information was exposed, and what steps you are taking to investigate the breach and mitigate damage.
The media and the secretary must be notified if the breach affects more than 500 people. If it affects fewer people, you can report the breach to the secretary as part of an annual report after the end of the year.
A business associate agreement (BAA)—or business associate “contract”—records the commitment from third-party organizations to protect PHI. Required by HIPAA rules, a BAA sets responsibilities and establishes the ways both organizations must work together to maintain security and privacy. In essence, a BAA makes a business associate accountable for complying with HIPAA security and privacy rules relating to PHI.
Achieving and maintaining compliance should not just be a matter of checking boxes. Organizations should pursue compliance by applying best practices that can help better protect data and ensure privacy while also complying with specific rules and regulations.
“Privacy by design” is a principle for building and operating apps, services, and processes. The idea is to actively embed data privacy into workflows rather than leaving it as an afterthought. For example, app developers should design their software to help ensure that user data can remain private and to reduce the likelihood data can be compromised or inadvertently disclosed. Implementing privacy by design can ultimately help streamline your work in maintaining data privacy.
Employing role-based access controls can help you meet the “minimum necessary” standard for use and disclosure of PHI. With role-based access controls, you allow users to access sensitive data according to their role. They can access only what they need to do their job and nothing more. With these controls, you can limit insider threats and prevent attackers from having free rein within your network even if they steal an authorized user’s credentials.
Encrypting data at rest and in motion is critical for protecting PHI. With encryption, you can prevent attackers from using sensitive information even if they are able to access it. Without the de-encryption key, attackers will be unable to read the data. Data minimization tools, meanwhile, can de-identify PHI and redact unnecessary information, reducing potential damage in the event data is compromised.
Healthcare organizations should take ethical considerations into account as they work to protect data and ensure data privacy. For example, they should strive to bolster trust: Patients should be able to trust providers and payers to safeguard their personal information. Organizations should also respect patients’ rights to determine how and with whom their personal information is shared. Addressing those ethical considerations might require your organization to give patients greater visibility and control over their data.
Taking an ethical approach to data protection and privacy should include transparency about data practices. Patients should be able to learn how their data is accessed and shared. They should also have information about their rights to controlling and accessing their own information.
Healthcare organizations should respect individual preferences for accessing and sharing data. Though organizations are not compelled to do so, they should consider patient requests for restricting access in certain cases and communicating information in ways that are different from typical practices. Accommodating individual preferences can help strengthen trust in healthcare relationships.
Just as the move to electronic healthcare records (EHRs) changed the data protection and privacy landscape, new technologies are once again forcing healthcare organizations and regulators to redefine how data should be protected.
Artificial intelligence (AI) and machine learning (ML) could have a tremendous impact on the healthcare industry. But as more healthcare organizations implement these technologies for a variety of use cases, they must continue to protect data and maintain data privacy.
Data de-identification will be particularly important for organizations planning to use patient information with AI or ML. For example, by de-identifying medical images, organizations can train AI models designed for diagnostic support by using real patient images.
Federated learning is a form of ML that enables organizations to train models using numerous data sources (instead of one single repository) and without exchanging the data itself. With federated learning, data is used and processed at the source—for example, on an Internet-of-Things (IoT) device, an app on a smartphone, or a wearable medical device. Once model parameters are generated on those devices, they can be shared with the organization building the model, but the original data is not shared. As a result, organizations taking this approach can have the benefit of tapping into large amounts of data for training without jeopardizing data privacy.
Blockchain is another relatively new technology that can help preserve data privacy while also enabling authorized access to PHI. Blockchain is a distributed digital ledger technology that records transactions and tracks assets in a business network. By adopting blockchain for medical record access, patients could have a single means of identifying themselves to providers, simplifying the way they access their information across multiple providers. They could also control which providers and payers access their records.
As cyberattacks continue to rise, protecting data and ensuring data privacy must remain a high priority for providers, payers, and other healthcare organizations. At the same time, these organizations must find ways to balance protection and privacy with authorized access: Organizations and patients must be able to view and use data to improve outcomes, produce new insights, and streamline processes.
Following established regulations, such as HIPAA, can help your organization build a comprehensive strategy for data protection and privacy. And by working with outside experts, such as a healthcare-focused managed service provider (MSP), you can implement best practices for keeping data safe while refocusing more of your internal resources on innovation.
Ready to build or enhance your data protection strategy? Contact us to set up a free consultation.