With the enactment of HIPAA (the Health Insurance Portability and Accountability Act of 1996) and the subsequent publication of its Security Rule and Privacy Rule, the United States set important standards for protecting patient data and maintaining privacy. These standards help ensure that only authorized individuals can access and disclose patient data—and they can do so only under certain conditions.
Maintaining data privacy is particularly important in this digital era. Cyber criminals are eager to tap into personal data to steal patient identities and commit fraud. And with the continuous adoption of new digital technologies by healthcare organizations, cyber criminals have more and more opportunities for unauthorized access and theft.
How can your organization better protect data and maintain privacy—while still supporting legitimate access, sharing, and use of patient data? A better understanding of government regulations, emerging threats, and data privacy best practices can help you strengthen your patient data privacy strategy.
The Recent History of Patient Data Privacy
The goals of maintaining the confidentiality of healthcare information and protecting the privacy of patients have been well established in the United States for many decades. But it wasn’t until the 1990s that the government moved forward with creating a single, comprehensive federal law.
Before HIPAA
Prior to the introduction of HIPAA in 1996, there was no single federal law in the United States governing the privacy and security of patient information. Though multiple states had laws about preserving the confidentiality of medical records and requiring patient consent before sharing information, these laws lacked consistency across the country.
Without strict, consistent regulatory controls for patient information, patients did not always know how their information would be used or shared. Moreover, they were not always able to easily access it themselves. Meanwhile, third parties, such as employers and insurance companies, could sometimes access sensitive information about individuals. And that information could affect decisions for hiring and insurance coverage.
Enactment of HIPAA and its key provisions
HIPAA was enacted to address multiple goals:
- Insurance portability: The law was meant to help preserve healthcare coverage for individuals who might lose or change their job.
- Administrative simplification: HIPAA was designed to spur the healthcare industry to enhance efficiency by using electronic health records (EHRs).
- Data privacy: The Secretary of the U.S. Department of Health and Human Services (HHS) was tasked with recommending standards for protecting the privacy of health information, or specifically electronic health information. The result was the Privacy Rule.
- Data security: The law similarly required the secretary to set standards for maintaining the security of electronic health information. This requirement led to the Security Rule.
Evolution of health privacy laws
Since HIPAA was enacted, the healthcare industry and government entities have continued to consider new rules and regulations that could protect data privacy as new technologies and threats emerge. For example, growing interest in artificial intelligence (AI) for healthcare has led government agencies and industry organizations to develop frameworks and guidelines on how to use AI without jeopardizing patient privacy. Similarly, the increasing use of Internet-of-Things (IoT) devices, mobile healthcare apps, and wearables could drive fine-tuning of privacy regulations.
Protecting Patient Identifiers
To protect patient privacy, healthcare organizations must understand the full range of elements contained in healthcare information that could put that privacy at risk.
18 elements considered PHI under HIPAA
According to the HIPAA Privacy Rule, PHI is “individually identifiable health information” held or transmitted by a covered entity in any form—including electronic, paper, or oral form. There are 18 elements that constitute individually identifiable health information:
- Name
- Address
- Any date related to an individual (such as a birthdate, admission date, discharge date)
- Telephone number
- Fax number
- Email address
- Social security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifier, such as a license plate number
- Device identifier
- Digital identifier, such as a website URL
- Internet Protocol (IP) address
- Fingerprint or voice print
- Photographic image (not limited to the face)
- Any other attribute that could uniquely identify the individual
Methods for de-identifying patient data
Organizations can “de-identify” patient data to avoid violating privacy regulations when using that data. HIPAA rules do not have restrictions on the use or disclosure of de-identified health data.
There are two methods for de-identifying data:
- Expert determination: A healthcare organization can engage with an expert who might determine that the risk is small for certain information being used. The expert would then document the methods and results of the analysis.
- Safe harbor: A healthcare organization can remove the 18 elements that identify individuals.
Challenges in protecting patient identifiers
Protecting the identifying elements in PHI can be very difficult, especially given the broad range of these identifiers. In addition, data that does not directly identify a patient can sometimes be combined with other information to reveal a patient’s identity. For example, knowing the zip code, age, and occupation of an individual could be combined with other information available on the internet to identify that person.
HIPAA Security Rule
The HIPAA Security Rule sets standards for how organizations should protect patients’ PHI and electronic PHI (ePHI).
The rule mandates that organizations must:
- Ensure the confidentiality, integrity, and availability of ePHI
- Identify and protect against threats to the security or integrity of information
- Protect against impermissible uses or disclosures of information
- Ensure workforce compliance
Security safeguards required by healthcare entities
The rule also provides some guidance on how organizations can adhere to those requirements through physical, technical, and administrative safeguards. For example, organizations must: ensure that physical facilities housing ePHI are fully secured; implement sufficient data access controls; and conduct risk assessments to identify vulnerabilities.
Limitations and gaps in the HIPAA Security Rule
Though the Security Rule clearly establishes some standards for protecting healthcare information, there are some important limitations and gaps. For example, the rule does not apply to researchers who might use PHI. In addition, the focus of the rule is electronic medical records, not paper records, so paper-based records and forms might not be adequately protected by the rule.
Not everyone follows the Security Rule as fully as they should. If an organization fails to protect even a few identifiers in PHI, for example, and that PHI is exposed through a breach, attackers can ultimately access all the information they need to steal identities and commit fraud.
HIPAA Privacy Rule
The Privacy Rule sets standards for protecting the privacy of patients’ medical records and other PHI. The rule restricts how and when PHI can be disclosed without an individual’s authorization and establishes an individual’s rights to PHI.
The rule highlights the need for balancing data protection with the flow of information. The goal is to permit some important information uses while also protecting patient privacy.
Limitations and gaps in the Privacy Rule
Like the Security Rule, the Privacy Rule does have some limitations and gaps. For example, patients have very little recourse if a provider violates their privacy. They can lodge a complaint with the Office for Civil Rights (OCR), but it can be difficult to sue a provider for a data privacy violation.
The rule also limits patient control over data. The Privacy Rule provides several situations in which organizations can disclose information without patient consent. For example, organizations can disclose patient information to the patients themselves, use patient information for treatment, disclose data to meet public health requirements, and even use a limited data set for research.
Emerging Privacy Threats
Efforts to protect the privacy of health information must evolve along with the emergence of new technologies and new threats.
Digital health technologies
The growth of digital health technologies over several decades has been instrumental in enabling healthcare organizations to improve the quality and efficiency of care. But it has also produced new threats to data privacy. As organizations collect, store, and share more patient data, they are creating new opportunities for cyberattacks and accidental exposure of data. There’s no going back, but all healthcare organizations must understand that the continued adoption of new digital processes and applications will require corresponding efforts for maintaining data protection and data privacy.
New risks from apps, wearables, and telehealth
In recent years, data privacy risks have risen with the increasing use of healthcare apps, wearables, and telehealth visits. Healthcare apps—such as patient portals and pill trackers—transmit and store highly personal information about users. Wearable devices—from glucose monitors to fitness-tracking smart watches—continuously collect similarly sensitive information. All of this information spends some time beyond the secure confines of data centers and cloud environments, making it vulnerable to exposure and misuse.
Meanwhile, the expansion of telehealth has increased the risks to data privacy—and the concerns of patients. Patients share responsibility for keeping telehealth communications private: For example, when attending telehealth visits, they must ensure that they are in a location where they cannot be overheard. And they should avoid public WiFi, which might not be secure.
Patient concerns over data sharing and tracking
Not surprisingly, many patients are concerned about their health data being collected and shared without their knowledge or consent. They are already keenly aware of how online platforms and digital assistants collect personal data and track behaviors. Healthcare organizations will need to confirm their compliance with strict data privacy standards to reassure patients and maintain their trust.
Strengthening Data Security
Healthcare organizations must continuously work to strengthen security in light of emerging threats to privacy. There are several areas where your organization should focus your efforts.
Upgrading systems to prevent breaches
Continuing to use legacy systems and outdated software can leave you exposed to attacks. Cyber criminals are constantly looking for vulnerabilities that they can exploit to gain access to or control over systems. You should ensure systems are patched and updated, completely and promptly. And you might consider updating legacy systems or migrating to cloud environments to reduce vulnerabilities.
Employee training on handling PHI
Not all exposure of PHI is the result of a malicious attack. Employees might jeopardize privacy, for example, by accidentally disclosing PHI. Sending a bill to the wrong patient or sharing medical records of the wrong patient with another provider constitute accidental disclosures.
Training is essential for preventing these and similar types of errors. As the Privacy Rule specifies, organizations should train all members of the workforce on privacy policies and procedures for handling PHI. And the organizations should apply sanctions against workers when they violate those policies and procedures.
New technologies like blockchain for security
New technologies hold the promise of assisting organizations in protecting sensitive information. For example, blockchain technology could help preserve data privacy while also enabling authorized access to PHI. Blockchain is a distributed digital ledger technology that records transactions and tracks assets in a business network. By adopting blockchain for medical record access, patients could have a single means of identifying themselves to providers, simplifying the way they access their information across multiple providers. They could also control which providers and payers access their records.
Data Privacy vs. Data Sharing
For healthcare organizations, maintaining the privacy of patient data is paramount. The challenge is to protect that data from unauthorized access while also maximizing the benefits of sharing data among authorized entities.
Benefits and risks of sharing health data
Sharing patient data is essential for providing timely, high-quality care. Doctors often need to share healthcare records, images, test results, and other information across multiple providers to effectively collaborate on patient care. Data sharing is also important for conducting research, analyzing trends, keeping patients engaged with their own healthcare, and creating AI models that can ultimately improve the efficiency and quality of care.
But of course, sharing data creates risks. As more people and systems have access to data, the potential for accidental disclosure, purposeful theft, and other types of misuse grows. Healthcare organizations must make sure that authorized users have access to the information they need, when they need it, while minimizing the possibility that data will fall into the wrong hands.
Global Perspective
Across the globe, numerous countries and regions have recognized the critical importance of protecting data and preserving privacy. In fact, 78% of all countries across the globe have some privacy legislation in place. Still, not all laws are the same.
Comparison of US laws with Europe, Asia, and elsewhere
While HIPAA regulates healthcare information in the United States, the General Data Protection Regulation (GDPR) is the primary data security and privacy law in the European Union. One key difference is that HIPAA is more narrowly focused on PHI while the GDPR covers all personally identifiable information (PII).
There are, however, a number of similarities between HIPAA and the GDPR. For example, both laws:
- Intend to limit access to sensitive data and require organizations to keep personal information private
- Can apply to organizations beyond the borders of where the law was enacted
- Give individuals certain rights to control their data
- Require consent from individuals before using, disclosing, or processing data
- Mandate that organizations report breaches, though the reporting criteria are different for each
- Establish potential fines for organizations that fail to comply or have compliance violations
In addition to HIPAA and the GDPR, there are a number of country- and even state-specific regulations that might apply to healthcare organizations. Many of them were inspired by or based on the GDPR. For example, Brazil’s General Data Protection Law (LGPD), passed in 2018, defines personal data and grants individual rights in similar ways to the GDPR. China’s Personal Information Protection Law (PIPL), passed in 2021, shares many of the same concepts as the GDPR though it defines sensitive information slightly differently and has tougher penalties for violations.
Issues around cross-border data flows
Many data privacy laws anticipate the potential legal issues with sharing personal data, including health data, across borders. The GDPR requires EU organizations to continue adhering to its provisions even if organizations transfer data among countries. For example, organizations must: obtain consent to process health data, secure the transmission of data, and transfer data only to countries that can guarantee sufficient security.
Similarly, with HIPAA, healthcare organizations must continue to comply with privacy rules even if they transfer data beyond the United States—for example to store data in a cloud environment elsewhere. Organizations covered by HIPAA must ensure that any international partner organizations continue to sufficiently protect patient data. Those partners must also enter into a business associate agreement (BAA), which records their commitment to protect PHI. In addition, healthcare organizations must implement any technical safeguards necessary to address potential threats facing data transferred to other countries.
Calls for international privacy standards
Because the GDPR has provided a foundation for many country-specific data privacy laws, it may be the closest to providing an international standard for data privacy. Prospects are dim for enacting a single global data privacy law or implementing universal data privacy standards. Disagreements about individual rights among nations and challenges with international enforcement, for example, are likely to prevent any progress toward a single framework anytime soon.
The Future of Health Privacy
The data privacy landscape will continue to shift quickly. Healthcare organizations will need to continuously adjust data privacy strategies to address the use of new technologies, enactment of new regulations, and emergence of new threats. Patient demands for greater control of personal information will keep pressure on organizations to make changes rapidly and transparently. Meanwhile, organizations will need to find ways to meet ethical and legal obligations for privacy while also using data as fuel for innovation.
Engaging a Partner to Strengthen Your Data Privacy Strategy
Maintaining data privacy must be a top priority for providers, health plans, and other healthcare organizations. But navigating all the rules and requirements for data privacy is not easy.
For many organizations, working with outside consultants or a managed service provider (MSP) is the most efficient way to develop and implement a robust data privacy policy. Through collaboration with third parties, healthcare organizations can apply best practices and comply with regulations while reserving internal resources for more strategic projects.
Ready to strengthen your patient data privacy strategy? Cloudticity can help. Contact us to set up a free consultation.