Because of the need to protect patient privacy, and the many ways in which that privacy can be breached, governments around the globe have been seeking to legislate better data security.
In the U.S., perhaps the most significant and well known health and technology legislation is HIPAA. Introduced in 1996, HIPAA aims to combat data breaches and prevent the unauthorized access to personal health information. Due to the enormous changes to health information technology since the act was first passed, the legislation has been amended (most recently in 2013) to further protect patient privacy by strengthening security provisions, in an update informally known as the omnibus rule.
While HIPAA is the most well-known rule, individual states can also add other health privacy or consumer protection rules to the mix.
Compliance with HIPAA guidelines is required of healthcare providers, including those who transmit electronic protected health information (ePHI); payers; and any other entities, such as clearinghouses, that are involved in the electronic exchange of data and are classified as business associates. Entities affected by HIPAA vary, from professionals who provide services via contractual agreement with healthcare providers or plans, to those who work directly for a provider or plan, to patients who seek services from a provider or plan.
HIPAA has guidelines on how health information can be collected, used and disclosed. HIPAA also specifies how healthcare data should be protected throughout its lifecycle, while allowing for access to and sharing of data for legitimate purposes -- such as improving quality or providing care. A constant challenge, however, is to strike an appropriate balance between protecting sensitive data and needing to use that data, without requiring healthcare providers to take excessive measures to access required information. The law is broken into two pieces, the Privacy Rule and the Security Rule.
Privacy Rule particulars
The HIPAA Privacy Rule specifies requirements for how medical and personal information of an individual is saved, accessed, and shared.
One of the primary objectives of the Privacy Rule "is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being."
Security Rule safeguards
The HIPAA Security Rule specifies national standards for the protection of health and personal information that is created, received, transmitted and/or managed electronically. HHS noted that the Security Rule "specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information."
Specifically, HIPAA requires that covered entities:
- ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit;
- identify and guard against reasonably anticipated threats to the security or integrity of the information;
- protect against reasonably anticipated, impermissible uses or disclosures; and
- ensure compliance by their workforce.
The technical safeguards outlined in HIPAA do not mandate the use of any particular technology; because technologies change much more quickly than legislation can be updated, the safeguards are written to be technology-neutral.
Breach notification mandates
In addition to the Privacy and Security rules, HIPAA has a notification rule which states that all HIPAA covered entities (and their business associates) are required to provide notification if a breach of unsecured protected health information (PHI) occurs. As defined by HHS, a breach happens when PHI is disclosed without permission.
As more health information is generated, stored and transmitted electronically, and as health IT use in clinical care continues to grow, there will be a need to balance data security and usability. If health information is not kept secure in multiple ways (via encryption, secure hardware and responsible use), the unauthorized exposure of private data will continue to occur. If these breaches persist, especially on a large scale, the likely response will be a tightening of access to health information for everything but clinical care.
Information security is not really about technology and industry best practices -- it is about the patient. When a patient enters a healthcare facility, they are expecting healthcare professionals "to do no harm." In the modern era, doing no harm now includes protecting patient privacy. A balanced approach to information security and usability will ensure that both are possible. And, while HIPAA and related rules are not perfect, they are at least engaging providers, patients and all users of healthcare information in the discussion of how to secure sensitive information, and protect patient privacy.
About the author:
Trevor Strome, M.S., PMP, leads the development of informatics and analytics tools that enable evidence-informed decision making by clinicians and healthcare leaders. His experience spans public, private and startup-phase organizations. A popular speaker, author and blogger, Strome is the founder of HealthcareAnalytics.info, and his book, Healthcare Analytics for Quality and Performance Improvement, was recently published by John Wiley & Sons Inc.