HIPAA Privacy and Security Considerations in the Age of Big Data

Under HIPAA, Protected Health Information (PHI) generally must be de-identified before it is used for research or data aggregation without the patient’s authorization. However, de-identification only goes so far in the datasphere. Ian Bogost’s recent article in The Atlantic, “The Internet of Things You Don’t Really Need” (Bogost is a professor at the Georgia Institute of Technology’s Ivan Allen College), and Andy Greenberg’s Wired article last week hit on some key points that lawyers and senior leaders in healthcare should be thinking about as providers, staff and patients become increasingly connected.

HIPAA Privacy Implications:

  • Companies such as Google, Facebook, Microsoft, Amazon and others build databases of user activity. Some of that activity, such as posting on social media, is intentional and visible. Other activity, such as a Google or Bing search, is carried out without the user assuming it is being recorded. Through third-party tracking ‘cookies’, advertising networks record a user’s activity across many websites, which is how an advertisement can link back to an Amazon search made a few days earlier that never led to a purchase. Aggregated data of this kind has already been shown to reveal changes in a person’s health status.
  • HIPAA governs covered entities and their business associates, not patients. It does not apply when others learn about a patient’s health condition because the patient posted to Instagram, Twitter or Facebook about their care with location services enabled, identifying them as being at a health care provider’s office. Doubly so if the patient ‘checks in’ to the health care provider via a Foursquare account set to automatically tweet or post that information to Facebook.

HIPAA Security Implications:

  • Health care providers’ medical equipment is increasingly wireless and joining the ‘Internet of Things’. The new insulin or medication pump may connect directly to the electronic medical record system and administer critical medications according to the physician order, without the secondary step of a nurse re-entering the dosage into the pump at the patient’s bedside. While this is a Lean and patient safety improvement, the pump’s network interface should be carefully reviewed by the Information Security experts on staff. Does the device join a segregated internal network, or does its traffic leave for the Internet and re-enter the hospital network for its data connection? Whatever the path, is the traffic encrypted strongly enough to protect the privacy of the PHI it carries, and does the pump authenticate the source of the orders it receives? Encryption alone keeps an eavesdropper from reading a dosage; it does not stop an attacker on the same network from sending one unless the pump verifies who is talking to it.
  • Beyond the initial network configuration, the Internet of Things exposes device users to risk from hackers. In the past week, Wired published an account of the remote hacking of a Jeep, prompting a major vehicle recall by Fiat Chrysler. Is a major exposé of a medical device’s hackability in the near future?

HIPAA and Meaningful Use both require a risk analysis of the vulnerabilities affecting PHI. The questions and scenarios above are largely theoretical, but they have a basis in reality. Senior leaders and lawyers in healthcare looking to make effective decisions about a HIPAA privacy complaint, equipment investments or Security Services staffing should consider the ramifications of the Internet of Things and Big Data as part of their annual risk analysis.

HIPAA: One P, Two As, and 1,000 Different Interpretations.

The Health Insurance Portability and Accountability Act, or HIPAA, as it’s colloquially known, is thrown about on a daily basis in the health care industry, and many people think they know what it requires.  More worrisome, just as many know they don’t know what it requires, but rather than asking questions of their internal experts they make their own judgments.  Paula Span has a great article published in the New York Times that speaks to these incorrect applications.  And then there’s the black sheep contingent who think “HIPPA” doesn’t apply to them, perhaps as one person recently commented to me, “Well, I don’t live around here – so I don’t worry about patient privacy”.

HIPAA: the law, the regulation, the mystery.

The law was originally passed in 1996, as a precursor of health reform, and established insurance portability requirements for individuals changing employers.  A secondary part of the law required that medical records be kept under appropriate privacy standards by providers and health plans; the Privacy Rule implementing it was published in 2000.  The Security Rule followed in 2003, with compliance required from 2005, and the HITECH Act of 2009 added the breach notification requirements.  However, it was only in 2013 that the HIPAA Omnibus Rule was released by the Department of Health and Human Services.  The Omnibus Rule pulled all of the previous updates together, added the genetic information privacy requirements established under GINA, and pulled the health care industry forward.

As it stands today, HIPAA creates numerous requirements for health care providers that substantially impact and define the manner in which a provider can operate, often with vague qualifiers such as “in the provider’s professional judgment” to decide who should or should not have access to a patient’s medical record.  As Paula Span’s article highlights, that professional judgment most likely tips more conservative than what is actually required.

Here is a summary of these requirements, as they fit into three broad categories:

  • Security: Keep protected health information (PHI) secured within your organization. Systems should require a unique login for each user, and only those whose jobs require system access should be assigned user accounts.  Do not use cloud services (for example, Dropbox) to store PHI unless your Information Security Officer has vetted their encryption and the vendor has signed a business associate agreement. Maintain and review access logs for medical record systems. Conduct a security risk assessment of all technology infrastructure annually to identify risks, and develop plans to mitigate those risks.
  • Privacy: Train staff on access standards: only access PHI with a ‘business need to know’, defined as healthcare treatment, payment or operations. Complete formal business associate agreements (BAA) with any vendor that creates, receives, maintains or transmits PHI on your organization’s behalf (a billing company or an IT vendor, for example); the BAA establishes clear expectations for how the business associate will handle your organization’s PHI.  Establish a privacy policy and Notice of Privacy Practices (NPP) for your organization.  The NPP must be visibly posted across the organization, and you must document that it is offered to patients entering the organization.
  • Communication with Patients: Provide patients access to their medical records in a timely manner and in the form the patient requests, even if they would like their PHI emailed to them (if the email will be unencrypted, inform the patient of the risk first and honor their choice). Patients have the right to designate who has access to their PHI beyond their own person. Additionally, any breach of privacy or security standards for a patient’s PHI must be communicated to that patient without unreasonable delay, and no later than 60 days from the date the breach was discovered.

The following is a tip sheet I’ve created that summarizes the highlights of these requirements, designed for the physician group practice setting:

HIPAA Best Practices for Medical Practices

What questions do you have about administering and maintaining HIPAA compliance?

Governance Dual-Usability Obligation

Leaders in health care are likely familiar with the concept of a ‘dual-fiduciary role’. This administrative responsibility for senior leaders and organizational governance requires balancing resources so that the organization can provide high quality care to today’s patient while maintaining reserves for tomorrow’s needs. This blog proposes that, because privacy and security are of equal weight to the organization’s financials, there is a parallel requirement that administrators must balance in IT security: the dual-usability role. The dual-usability role requires that administrators and governance assure the following:
1. End-user accessibility of health care systems. Interoperability and integration are the latest buzzwords for the information systems that help health care professionals provide high-quality medical care. The Meaningful Use program requires health care technology platforms to be certified, and requires their users to demonstrate that the computer is not just a box in the room; rather, the computer and its systems are an active tool used to provide high quality and timely patient care. The program requires providers to demonstrate that patients can access their own medical records through a portal, and that information is shared with others through transfers between inpatient and outpatient care settings.
2. Physical and cyber security of information systems to prevent unauthorized access. The claim that privacy and security are equal to the bank account is a bold one; however, who would honestly trust a provider known to have lax security standards protecting the privacy of their medical records? The privacy of the doctor-patient relationship is essential; patients assume that office staff will not be gossiping to their friends and neighbors about their medical conditions, or allowing their medical information to fall easily into the hands of criminals and identity thieves. Again under Meaningful Use program requirements, providers must document that they have completed a security risk assessment during their attestation period. HITECH and the HIPAA Omnibus Rule require careful handling of PHI, analysis of breaches, and appropriate notification.

Health care providers, and their leadership, must carefully balance the two aspects of usability. Tipped too far toward security, with security protocols hindering a user’s ability to access patient information, usability is compromised. If a system is too accessible, with information available without limits based on patient assignment or job duties, security is compromised. Health care administrators and governance can measure financial health and responsible fiduciary oversight through concrete metrics, for example days cash on hand and operating margin. Security, conversely, tends to be measured by what we do not have: breaches and angry individuals. It does have leading indicators that can be tracked the same way (how quickly a departed employee’s access is revoked, what share of record accesses are reviewed against patient assignments, whether every system has a current risk assessment), but measuring and monitoring the balance of usability requires new metrics. Lawyers working in the healthcare space, with an understanding of technology, may be uniquely qualified to design these metrics given their training to minimize client risk within the limits of today’s information system capabilities.