How to Prevent Healthcare Privacy Breaches?

December 13, 2019

 


 

The healthcare industry has always needed data to provide excellent care options. Data informs research, allows for more effective patient-practitioner interactions, and helps achieve better outcomes.

 

However, never before has health data been shared across such an array of highly connected devices and systems. The healthcare ecosystem, from the patient outwards, generates these data across health wearables, telemedicine, online support groups, and so on. Data generated from multiple sources are moved between multiple parties within a complex matrix of touchpoints. This has implications for security, but also for privacy.

 

Why Tackling Privacy Matters

 

In recent years, data has become synonymous with privacy violations which can - and do - lead to harm. One example, which has raised fears of insurance discrimination, is consumer DNA kits that test for genetic predisposition to certain diseases. Some worry that the results could be used to increase insurance policy costs.

 

Privacy can be a nuanced and complex area for a business to engage in, and it often gets mixed up with security. The fact is that the two are different, while being two sides of the same coin. Let's look at some legislation and best practices to achieve good privacy.

 

Healthcare Privacy Legislation

 

Due to the increasingly connected way we live our digital lives, privacy issues and violations have attracted a great deal of public attention. Legislators have responded to this. In healthcare, as in general, data privacy legislation has become more stringent in recent years.

 

Data privacy in terms of healthcare has to cover patient confidentiality, care of health data, and sharing of data across a wide ecosystem of stakeholders. Below, we take a brief look at the privacy provisions in some high-profile data protection regulations:

 

General Data Protection Regulation (GDPR)

 

The EU’s GDPR became enforceable on 25th May 2018. It applies to all EU member states. Companies outside of that jurisdiction that process the data of EU citizens may also be affected. The GDPR is a comprehensive regulation that not only sets out stringent protection rights for individuals but also applies heavy fines to companies that do not comply (see Google above).

 

In terms of health data, the GDPR places emphasis on several health-related areas, putting certain health data into the ‘special categories’ that receive more stringent protection. These areas cover data concerning health, genetic data, and biometric data.

 


 

However, Article 9 of the GDPR does offer derogations for health data if explicit consent is taken, or if the data is needed for preventive or occupational medicine, or is “necessary for reasons of public interest in the area of public health.”

 

Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health (HIPAA/HITECH)

 

Although HIPAA and HITECH are separate pieces of U.S. healthcare legislation, they work in unison to enforce and augment the privacy of patient data. The HITECH Omnibus rule strengthens HIPAA privacy (and security), focusing on areas including:

 

  • Extending HIPAA compliance to business associates across the health vendor ecosystem.

  • Establishing limits on the use of health data for marketing and similar purposes.

  • Provision for health data access by patients.

  • Preventing the use of genetic information in insurance underwriting.

  • Strengthening breach notification requirements.

 

There are some notable omissions in HIPAA: health data collected by mobile apps, for example, is currently not covered by the law.

 

Personal Information Protection and Electronic Documents Act (PIPEDA)

 

PIPEDA, Canada's federal privacy legislation, applies to all personal data, including health data such as DNA and medical records. It requires compliance across a number of areas that can impact the privacy of health data, including:

 

  • Consent

  • Accountability

  • Minimization of data collected

  • Transparency

 

Best Practices to Keep Health Data Privacy-Enhanced

 

Both legislation and customer expectations are driving a culture of privacy. But how does an organization handling health data make sure it meets these often nuanced and stringent privacy requirements? Here are the top tips for enhancing the privacy of health data:

 

1 - Know your data

 

Understanding the what, why, and where of health data is the starting point to ensure privacy measures are appropriate and effective (this ePHI Audit Guide could help). Information governance (IG) and management are key to establishing this know-how. Using IG gives you visibility into unstructured data in the complex data ecosystem of healthcare.

 

2 - Minimize

 

Data minimization, or in other words, “collect only the health data that is needed to operate a service”, is a central tenet across privacy legislation. It is also generally good practice, as it reduces the overhead of securing data and the impact of any potential data breach -- if you don’t have it, it can’t be exposed.

 

3 - Consent

 

This is a foundation stone of many regulations and advisories. In the UK, the Caldicott report weighed heavily on the subject of consent. GDPR, similarly, places emphasis on taking granular consent for data processing. Always make sure you get the OK to process health data. This helps to uphold patient confidentiality both digitally and in the real world.

 

4 - Transparency

 

Being transparent with patients about what you need health data for helps to create good relationships.

 

5 - Protect

 

This is where security can be used to augment and enforce data privacy. Strong encryption and least-privilege access policies for health data ensure that risks to that data are minimized.
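Tips 2, 3 and 5 (minimize, consent, protect) can be enforced in code rather than only in policy. The following is an added example, not code from the original article or any product it mentions: a small Python module in which every processing purpose is mapped to the fields it needs (minimization), every role is mapped to the purposes it may invoke (least privilege), special-category genetic data is released only for purposes the patient explicitly consented to, and research views receive a keyed pseudonym (HMAC-SHA256) instead of the raw patient identifier. The record, field sets, role names and key are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, FrozenSet, List, Set

# Constructed sample patient record (not real data).
SAMPLE_RECORD: Dict[str, str] = {
    "patient_id": "P-1001",
    "name": "Jane Example",
    "dob": "1980-02-14",
    "address": "1 Example Street",
    "diagnosis": "Type 2 diabetes",
    "billing_code": "E11.9",
    "genetic_marker": "constructed-marker-value",
}

# Data minimization: each processing purpose sees only the fields it needs.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "treatment": {"patient_id", "name", "dob", "diagnosis"},
    "billing": {"patient_id", "billing_code"},
    "research": {"dob", "diagnosis"},  # no direct identifiers
}

# Least privilege: each role may invoke only the purposes its job requires.
ROLE_PURPOSES: Dict[str, Set[str]] = {
    "clinician": {"treatment"},
    "billing_clerk": {"billing"},
    "researcher": {"research"},
}

# Special-category fields (genetic data) are released only with explicit
# patient consent for the specific purpose.
CONSENT_GATED: FrozenSet[str] = frozenset({"genetic_marker"})

# Key for keyed pseudonymization of identifiers in research views.
# Constructed demo key; a real system would fetch it from a KMS or HSM.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# In-memory audit trail of every access decision (allow or deny).
AUDIT_LOG: List[dict] = []


class AccessDenied(Exception):
    """Raised when a role requests a purpose it is not entitled to."""


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: stable for record linkage, but not
    reversible without the key (HMAC-SHA256 truncated to 16 hex chars)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def access_record(record: Dict[str, str], role: str, purpose: str,
                  consented_purposes: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Return the minimized view of `record` for `role` acting under `purpose`.

    `consented_purposes` lists the purposes for which the patient gave explicit
    consent to share special-category data."""
    # Least privilege: deny (and log) any purpose the role is not entitled to.
    if purpose not in ROLE_PURPOSES.get(role, set()):
        AUDIT_LOG.append({"decision": "deny", "role": role, "purpose": purpose})
        raise AccessDenied(f"role {role!r} may not access data for {purpose!r}")

    # Minimization: start from the purpose's field set, then add consent-gated
    # fields only if the patient consented for this exact purpose.
    allowed = set(PURPOSE_FIELDS[purpose])
    if purpose in consented_purposes:
        allowed |= CONSENT_GATED

    view = {k: v for k, v in record.items() if k in allowed}

    # Research never receives the raw identifier; it gets a keyed pseudonym
    # so records can still be linked across datasets.
    if purpose == "research":
        view["patient_ref"] = pseudonymize(record["patient_id"])

    AUDIT_LOG.append({"decision": "allow", "role": role, "purpose": purpose,
                      "fields": sorted(view)})
    return view


if __name__ == "__main__":
    print(access_record(SAMPLE_RECORD, "clinician", "treatment"))
    print(access_record(SAMPLE_RECORD, "researcher", "research"))
    try:
        access_record(SAMPLE_RECORD, "billing_clerk", "treatment")
    except AccessDenied as exc:
        print("denied:", exc)
    print(AUDIT_LOG)
```

The design point is that the allow list is keyed by purpose rather than by role: a role gains access to a field only through a purpose it is permitted to invoke, so adding a new role never silently widens what any field is exposed for. Every decision, including denials, is appended to the audit log, which is what a later breach risk assessment would need to reconstruct who saw what and why.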

 

6 - Check

 

Privacy extends to all data touchpoints. Check that all of your business associates have privacy policies in place that reflect legislation.

 

7 - Educate

 

A culture of privacy must be encouraged to ensure that all staff understand the importance of privacy.

 

Enhancing Privacy is Good for Business

 

Privacy can be a complex area to tackle. This is especially true when it comes to sensitive health data that is created, stored, and shared across a wide ecosystem. Although privacy is a legislative requirement across much of the world, it is also a good business practice.

 

Being respectful of an individual’s privacy makes for good relationships. By using information governance and understanding what your data is and why you hold it, you can create the kind of privacy-enhanced environment that people want to interact with.

 
