Interoperability requires a holistic approach. For the American health care system to reap the benefits of full health information exchange, solution providers must apply our expertise to every aspect of data transmission. Proven by our involvement with the Da Vinci Project, we are committed to infusing data protection into the development of data standards to ensure privacy concerns are assessed early and often. We also ensure that patients and organizations can trust that the data being shared is being sent to the right entity, for the right purpose, without any extraneous information included.
In this installment of our Interoperability series, we discuss challenges in securing patient data across the industry, and where thought leaders and solution providers should focus efforts to preserve and enhance data security.
Evolution and Opportunity After HIPAA
Since the passage of the Health Insurance Portability and Accountability Act (HIPAA), health organizations continue to broaden their understanding of how they play a part in safeguarding patient information. Similarly, patients expect to have some control over how their data is used. There remain many challenges ensuring providers, payers, and other covered entities can consistently make the right decisions about what data to share and when. For example, privacy laws can sometimes overlap or conflict, and covered entities often need very detailed guidance to make the right decisions, especially when a patient isn’t present to clarify his or her wishes. As part of the Da Vinci Project, we are focused on addressing these types of use cases.
Privacy Rules Still Conflict. Data Standards Can Help.
There is currently no Federal privacy law. Currently, 50 states, the District of Columbia, and three of the five territories have laws that protect patient information. All of them offer similar protections and include similar requirements for disclosure and notification of data breaches, however, their processes and timelines vary. (For example, notification requirements for data breaches can range from one hour for a Federal agency to 60 days for a state entity).
In addition, specific populations may be covered by multiple entities. Most entities will defer to HIPAA, which covers most common situations. However, there are separate authorities and rules for the handling of Veterans health data, mental health or substance abuse data, or services provided by the Indian Health Service. Since patients can receive care in multiple settings, it can be difficult to apply the appropriate protocols if the health record doesn’t clearly state which limitations should be applied.
This is particularly important for use cases that don’t involve medical treatment. For example, data transmitted for research must be properly de-identified. Under some circumstances, mental health services should be disclosed, but under other circumstances they should not. Ensuring that providers know what to do in these situations – and ensuring that the systems support these nuances – will continue to require our focus.
Where there are gaps or conflicts, the application of standards is what allows providers to act in good faith and remain in compliance with the law. The standards create the “if/then” structure that ensures consistency in how the data is treated.
Cloud Technology to Enhance Patient Protections
Privacy laws and data standards provide much of the framework for protecting data, but cloud technology can help too. Most major cloud products like Amazon Web Services or Google Cloud have built–in parameters for protecting data. Once a customer enters data into the cloud, the service provider cannot access it. Cloud providers act as a “bank vault,” and their customers are the only ones with the combination. Cloud technology will ultimately enable people to have greater control over their data, and confidence in how it is being used.
Patient Control of Data: Opportunity and Risk
On March 9, 2020, Office of the National Coordinator (ONC) released the 21st Century CURES ACT Final Rule. One of the major pillars of interoperability is patient control of data. The goal is to move beyond making patients aware of the right to their data (which was accomplished under HIPAA), and allow them to control it and use it. Consumers have had the means to control their financial data and other personal information through APIs for some time, but the sheer complexity of the health care system makes it much more challenging in this instance. The CURES ACT provides the regulatory framework to move further towards consumer control.
It is also important to remember that mobile technologies like smartphones and health apps were not prevalent when HIPAA was passed. In fact, some of the biggest innovations in patient care are coming from technology companies that are not covered by HIPAA. As the speed of innovation outpaces the regulatory environment, patients must be aware of where they are sending their data, and when they are providing protected health information (PHI) to an entity that may not be covered by HIPAA. For example, health information that a patient sends to their health insurer for wellness benefits may be covered, but that same information may not be covered by the fitness tracker used on a mobile device.
Patient Privacy and Public Health
A final word about privacy in the era of COVID. Privacy laws have always permitted the use of patient data to combat disease outbreaks and protect public health. Both the ONC Strategic Plan and the CURES ACT Final Rule address the need for de-identified data to be available for epidemiological purposes. Even so, innovative solutions that support a pandemic response must still be developed with privacy in mind. The coronavirus pandemic has highlighted the many ways that machine learning or data mining can identify hot spots, or that contact tracing can help contain the virus. As Cognosante and other providers develop these solutions, we must do so in a way that continues to protect patient data and instills and enhances patient trust in the power of technology to protect and preserve information.