All you need to know about data security as a health-tech consumer - HIPAA Overview
It is estimated that a staggering 25 exabytes of health-related data are generated and consumed by various stakeholders of the healthcare industry. Acquiring these colossal amounts of data is closely tied to trust. Trust is established in the patient-clinician relationship based almost entirely on the implicit belief that the information shared by the patient is going to be handled with care. Any threat to patient data poses a high risk to the treatment process, because patients will either not eagerly seek treatment or not fully disclose what is troubling them. In the process of treatment, especially for mental illnesses, most of the personal information is shared between the mental health practitioner and the patient. For this reason, the clinical establishment and any software applications used by the doctor and patient need to secure the data. As clinicians and patients adopt new applications to aid in their treatment and health management, it is imperative that they consider the measures undertaken by software providers to maintain data security standards as data is acquired, stored, processed and deleted, in order to avoid liability concerns.
One of the most widely used policies for ensuring data security and privacy is HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), regulated by US federal law, defines policies and standards that deal with patients' health information. This post aims to scratch the surface of a world of laws and bylaws intended to protect one's privacy by going through some guidelines on how HIPAA caters to the privacy and security needs of patients' data.
What type of data is secured with a HIPAA clearance?
Let’s start our understanding of HIPAA with the kind of data to which it applies. As a user, one should understand the concept of Personal Health Information (PHI). PHI is any data that can be used to identify an individual and that is transmitted or maintained in any form. This encompasses the past, present and future physical or mental health conditions of patients. The data can include many common identifiers, including but not limited to name, address, birth date, and social security number, as well as the medical finance transactions of an individual. Data consumers should clearly understand their control of, or liability over, each kind of data, and all stakeholders should keep track of the scope of data they need to secure.
The use of technology in healthcare settings is shifting data from structured to unstructured through the use of electronic media. PHI may reside in any raw form and can be extracted from patient records, scan images, lab reports, medical claims, bills, etc. In this environment of diverse data, every liable person or establishment should protect all "individually identifiable health information" held or transmitted, in any form or media, whether electronic, paper, or oral. This clearly underlines the need to put in place standard measures such as information security systems and cybersecurity to safeguard sensitive digital information.
For upstream healthcare providers, who should be HIPAA cleared?
The data chain within which data is acquired, stored and processed is likely to cover many different entities. For a doctor or medical insurer, understanding the context of the HIPAA guidelines provides a set of regulations to which they must adhere. All providers of healthcare services, namely institutional providers such as hospitals and non-institutional providers such as physicians, dentists and other practitioners, are covered under HIPAA. In addition, any other person or organization that furnishes, bills, or is paid for health care, such as a health care clearinghouse, counts as a covered entity. In short, it is safe to say that all covered entities that deal with PHI come under the lens of HIPAA. This means that any entity or establishment that offers health services, or plans that provide or pay the cost of medical care for any individual or group, is a covered entity. So, it is essential that all covered entities build the necessary provisions to protect the security of the PHI they create, receive, maintain, or transmit.
The concept of a Third Party for Data Management
As users interact with more service providers, they need to understand that they are liable for ensuring that those service providers are HIPAA compliant too. The involvement of third-party associates is growing rapidly as data is transferred to them for storing, analysing and processing information. An example of this is a hospital engaging a third-party data analytics vendor that provides a platform to aid in detecting abnormalities in an MRI image. Under HIPAA, a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity, where this involves the use or disclosure of individually identifiable health information, is termed a business associate. A formal business associate agreement shall be made between the two parties in order to assign liability under the applicable laws and procedures for data sharing and rights.
The Rights HIPAA grants Patients
Even though a clinician or medical establishment will be using the data, the patient is the sole arbiter of their data and has full power to override it. It is at the will and discretion of the patient that any covered entity or establishment can operate on and hold their data. An individual patient can provide an authorization that permits a covered entity or business associate to use or disclose their protected health information to someone else for a purpose that would otherwise not be permitted by the HIPAA privacy rule. The authorization must be in writing, laid out in plain language, and must contain specific elements and statements to be valid. A person has the right to revoke the authorization at any time. The tech platform handling PHI should provide revocation features so that users can change or modify their authorization settings at any time.
Through the course of building diagnosis and prognosis decision support tools at BrainSightAI, we bear in mind that there exists a fundamental need to ensure that each individual receives the care he or she needs regarding confidentiality and integrity. Reach out to us for information about the regulatory requirements under HIPAA and how BrainSightAI is protecting the interests of clinicians, partners and patient users.
In conclusion, HIPAA clearly places the emphasis on protecting and securing data on the covered entities and the business associates. On the other side, the care seeker is entitled to rights that safeguard their PHI. Non-adherence to the HIPAA guidelines leads to increased distrust in adopting digital technologies and can potentially result in litigation. Therefore, keeping up with the aforementioned guidelines is a necessity for enabling a trustworthy healthcare technology and software ecosystem.