HIPAA Privacy and Security Considerations in the Age of Big Data

Health data, thanks to HIPAA, is required to be de-identified Protected Health Information (PHI) if used for research or data-aggregation purposes. However, de-identification only goes so far in the datasphere. Professor Ian Bogost of The Atlantic, Ivan Allen College and Georgia Institute of Technology’s recent article on “The Internet of Things You Don’t Really Need”, and Andy Greenberg’s Wired article last week hit on some key points that lawyers and senior leaders in healthcare should be thinking about, as providers, staff and patients are increasingly connected.

HIPAA Privacy Implications:

  • Companies such as Google, Facebook, Microsoft, Amazon and others build databases based on user activities. Some of these activities, such as on social media, are intentional and visible.  Others, such as a Google or Bing search, are made without the assumption that actions are being recorded.  Through ‘cookies’, different websites record computer user activities across multiple websites, connecting into advertising that links back to an Amazon search made a few days before without leading to a purchase. Big Data has already been shown to be able to identify health status changes through aggregation.
  • HIPAA does not apply if others learn about a patient’s health condition or status because of the patient posting to Instagram, Twitter or Facebook about their health care with location services enabled identifying their location as at a health care provider’s office. Doubly so if the patient ‘checks-in’ to the health care provider via a Foursquare account set to automatically Tweet or Facebook post this information.

HIPAA Security Implications:

  • Health care providers’ medical equipment is increasingly wireless and joining the ‘Internet of Things’. The new insulin or medication pump may be connecting to the electronic medical record system to triage and administer critical medications according to the physician order without the secondary step of a nurse re-entering the dosage directly into the pump at the patient’s bedside. While this is a Lean and patient safety improvement, the interface of the pump should be carefully considered by the Information Security experts on staff.  Is the wireless signal looking for an internal network connection, or is it going out to the Internet and then re-connecting to the hospital network for its data connection? Whatever the connection, has it been sufficiently encrypted to protect the privacy of the PHI the data contains?
  • Beyond the initial network configuration, the Internet of Things exposes device users to risk from hackers. In the past week, Wired published regarding the hacking of a Jeep, initiating a major vehicle recall by Fiat-Chrysler.  Is a major expose of a medical device’s hackability in the near future?

HIPAA and Meaningful Use require a risk assessment of PHI vulnerabilities. The questions and scenarios above are largely theoretical, but have a basis in reality. Senior leaders and lawyers in healthcare looking to make effective decisions about a HIPAA privacy complaint, equipment investments or Security Services staffing should consider the ramifications of the Internet of Things and Big Data as part of their annual risk analysis.