The world of data safety and patient privacy in healthcare is a complicated one, and the industry is slowly coming to terms with how to handle technology in an increasingly complex world. For some, figuring out what to do from an operational perspective can be daunting, and a number of challenges remain, from handling de-identified patient data to the tangled laws that are currently on the books.
What's covered by HIPAA? How does the industry stay one step ahead of malicious actors? How does one come to grips with the sometimes contradictory laws that are in place on a state and federal level? These are some of the questions payers and providers are asking themselves, and often they're short on answers.
Let's start with de-identified patient data.
Elizabeth Litten, HIPAA privacy and security officer at Fox Rothschild, said the need to de-identify data has become a concern in healthcare. Litten, who serves as a national and regional counsel to a wide range of healthcare-related entities -- including hospital systems, healthcare facilities, regulated and self-funded health plans and healthcare technology companies -- said that removing required patient identifiers is sometimes necessary.
But because there's so much data out there, and so many data sets, it's easy to re-identify the data -- and once it's been initially de-identified, it's no longer subject to HIPAA, meaning re-identified data isn't covered by any national privacy or security laws.
"There's a lot of confusion around when information is subject to privacy law or not," said Litten. "If you're using an app because your doctor arranged for it, and there's some communication with your doctor, then it's subject to HIPAA. But if you download something from Apple or Amazon, that's not subject to HIPAA. I think it's understandable that there's a lot of confusion about that."
From that perspective, it's important to align how the data is going to be used with what the individual expects. One of the key difficulties is that people often have no idea their information would be used in a given way, so healthcare and data professionals have to ask themselves: Is this consistent with what a consumer would expect?
As long as patient data exists, there will be malicious individuals who attempt to breach it. Healthcare organizations are struggling to stay one step ahead.
One of the most effective ways to do this, said Litten, is to constantly train staff members and pay attention to the trends. It's also effective to have system segregation in place so information doesn't spread easily from one pocket to another. One way to think of it is as security housekeeping: Know where the data is, know how it fits, and don't hold onto data in perpetuity if nothing is being done with it. Failure to do so puts a bullseye on organizations' backs.
"I see more attempts to train employees," said Litten. "I'd like to think the industry's getting better at it, but it's not a one-and-done thing. Companies have to take it seriously. I think they're getting a little bit better at recognizing the threat, and the willingness to spend money on these kinds of activities is improving."
Solid, effective training generally walks staff through what's subject to HIPAA and what's not, which is still a point of confusion for some.
"It tells you what your obligations are with the data, and it gives you a direct line if you have a question," said Litten. "And it just gives them enough of a working knowledge. Not everybody can be an expert, but they should have an increased degree of sensitivity to protect your information, and when to ask questions, when they should call the privacy officer. There needs to be a culture where it's good to ask."
Organizations have to balance that with access requests, since they don't want to put up roadblocks in the way of patients asking for their data.
As things stand now, healthcare data can be a headache from a legal perspective. Many in the industry want a national legal standard, but that would be a challenge since states currently have a lot of leeway to enact more stringent requirements if they think they're appropriate.
Vermont, for example, has a data broker law that mandates brokers register with the state. Illinois and Texas have laws governing how entities can collect biometrics data.
"Companies that are operating in multiple states will probably comply with the most stringent requirements, so that they have a de facto standard saying, 'This is the best practice,'" said Litten.
One major law is California's data privacy law. It attempts to protect consumers, but it contains a lot of confusing provisions. It doesn't apply to every company -- nonprofits are exempt, for example -- and an organization has to be a certain size to be subject to the law.
If the law does in fact apply to a given organization, it changes the way that organization does certain things. It has to inform people that they can opt out of having their data shared, and it needs to be able to track the data and tell consumers what it did with it.
"What's good about it is it's sort of a wake-up for consumers," said Litten. "Consumers will start to become educated because they'll start to see some of these big changes. They won't just have an 'I agree' button."
Protected health information is not subject to the California privacy law, but unprotected information is. If, say, a hospital website collects information from people who aren't patients, or a consumer has allowed the use of their information for research purposes, that information is no longer subject to HIPAA. But it is subject to California's law.
That creates a lot of confusion around what constitutes protected and unprotected health data. Information that comes from an insurance carrier not considered a health plan under HIPAA is unprotected. Drug testing information for a job is unprotected. If a patient wants their information, an organization has to give it to them -- unless it's information in the employee file, in which case there's no obligation to turn it over unless it's subject to state law.
"The difficulty is that in the U.S., unlike in the European Union, we don't have one overarching law that applies to people's information," said Litten. "We have pockets. We have HIPAA, we have requirements under banking laws. We typically regulate it by industry, so we have these silos of regulation, and that lends itself to confusion.
"We could have a federal law, but I just don't know if we can go backwards in that direction," she said. "We're very individualistic, and we typically as a country have not wanted to have unnecessary restrictions that make it difficult for businesses to run. We want businesses to grow and develop. I think it'll happen through California law and some of these other laws, and the millennials will be more aware of how this information is used. I think it will probably happen naturally."
One trend that will improve data security is better data management, said Litten -- especially for more sensitive data, like health information and biometric data. The collectors and maintainers of the data are realizing they don't want to hold data forever. Data can be a commodity, but if it's sensitive data it can become a liability.
"Companies are looking at what happens, particularly those who have been hit by an instance," she said. "They're recognizing the need to invest in data security. The stakes are too high for their business."