
Beyond HIPAA: Data Privacy in Healthcare

For years, HIPAA has guided the privacy of individuals’ health information in the United States.

But with the changing digital landscape and the rise of highly sophisticated cyberthreats, HIPAA is not always enough to protect patient data. In 2021 alone, nearly 700 healthcare organizations experienced breaches of 45 million patient records.

Today, we’ll outline the need for better data privacy and security in healthcare. We’ll explain some of the less frequently discussed aspects of data privacy in healthcare, and we’ll suggest a technological solution for advanced data protection.

The current landscape: data confidentiality under HIPAA

The Health Insurance Portability and Accountability Act, or HIPAA, is a 1996 law designed to create a national standard for ensuring the privacy and security of protected health information (PHI). The law applies to hospitals, doctors’ offices, health providers, insurance plans, and other healthcare organizations.

HIPAA addresses data privacy in the digital age, setting standards for the collection, use, and disclosure of sensitive health information. It also requires healthcare organizations to implement policies and technical safeguards to protect the confidentiality, integrity, and availability of PHI.

The ramifications of HIPAA for healthcare organizations are significant. Compliance with HIPAA is mandatory, and organizations that fail to meet its requirements — including employee training, regular risk assessments, and processes to respond to breaches of PHI — can face both civil and criminal penalties.

A lack of clarity around data privacy technologies

HIPAA compliance is still essential, but it’s no longer sufficient on its own. One of the reasons is that the law’s regulations put the bulk of the burden for data privacy on organizational awareness, rather than technological safeguards. 

While HIPAA is comprehensive in defining requirements for protecting data, it does not define the technologies that organizations should use to meet those requirements. In other words, the law tells healthcare providers what they need to do, but it doesn’t guide them to the technologies that will help them go beyond compliance to achieve true data privacy.

This lack of clarity can leave healthcare providers struggling to implement the right data protection technologies. (After all, knowing that you need to implement effective data privacy practices is very different from knowing how to deploy the right kind of encryption tool.)

It can have major consequences for individuals, too. Without clear technical guidelines and standards for data privacy, even well-intentioned providers may not be able to prevent unauthorized access and breaches of their patients’ sensitive data.

Unregulated healthcare data

HIPAA also covers fewer data privacy scenarios than one might think. The law focuses primarily on the way that hospitals, clinics, and insurers store and share personal health records. It does not regulate other types of data, including personal health data used as part of a commercial activity by entities like data brokers, advertisers and marketers, genetic testing companies, and even some governmental and nonprofit groups.

As the National Committee on Vital and Health Statistics notes, that data may be around for a long time: “Health data, whether it originates entirely in the commercial, unregulated sphere, or ‘leaks’ into commercial databases from the HIPAA-regulated world, can remain essentially forever in files of data brokers and other consumer data companies.”

Data privacy in health and wellness apps

In the past decade, health, wellness, and fitness apps have proliferated on smartphones and wearable devices. Research suggests that there are at least 350,000 health apps on the market today, the vast majority of which collect and store users’ personal information.

Because this kind of data collection is typically unregulated by HIPAA, many health apps are free to store user data and share it with advertisers. Forbes gives the example of the GoodRx app, which in 2020 was found to be sharing users’ personal prescription details with tech and marketing companies.

Although companies may not face legal penalties if they’re handling unregulated data from health apps, they can still face major social consequences when sensitive data is exposed. Data breaches, hacks, and other cyberattacks can lead to a lack of consumer trust and a loss in revenue.

As a result, robust data privacy measures are recommended even for companies handling unregulated health data.

A patchwork of state data privacy laws

In the absence of any comprehensive federal legislation, several states have begun to include protections for consumer-generated health data in their own data privacy laws.

For instance, California’s Confidentiality of Medical Information Act (CMIA) protects the confidentiality of individually identifiable medical information obtained by health care providers, health insurers, and their contractors. But it differs from HIPAA in that it also governs any business that offers software, hardware, or apps designed to maintain medical information.

Some state regulations, like Connecticut’s upcoming data privacy law, exempt HIPAA-covered entities because they are already complying with the healthcare privacy regulation. However, the lack of clarity and consistency among these state laws makes it difficult for companies to keep up.

The bottom line? Most companies handling health data, regulated or otherwise, should seek a strong data privacy solution that will help them maintain compliance with the patchwork of different privacy regulations.

Achieving advanced data privacy and protection with ShardSecure

ShardSecure’s Data Control Platform offers strong data privacy for healthcare organizations and other companies handling sensitive data — HIPAA-regulated or otherwise. 

Our innovative, agentless approach to encryption protects data from third-party access, making it unreadable to unauthorized users regardless of where it’s stored. Even if an attacker manages to gain access to an on-prem or cloud storage location, strong data privacy is ensured.

Our Data Control Platform also works transparently and in real time, and it can be seamlessly integrated with existing applications. That means that data in electronic health record systems can be protected without redesigning workflows or retraining employees.

In a report about our technology, the cybersecurity research firm TAG Cyber noted: “The advantage… for healthcare teams is that sensitive application-level data stored into multiple clouds can be disaggregated, separated, and obfuscated to reduce the back-end threat. In the healthcare sector, this can be a valuable cyber security and framework compliance tool.”

To learn more about ShardSecure and data privacy, visit our resources page or contact us today.


Largest Healthcare Data Breaches of 2021 | HIPAA Journal

Health Insurance Portability and Accountability Act of 1996 (HIPAA) | CDC

Going Beyond HIPAA Compliance Is Worthwhile | Healthcare Dive

Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges | Health and Human Services

FTC Issues Reminder on the Breach Notification Requirements by Health Apps and Other Connected Devices and Their Service Providers | McGuireWoods

Protecting Consumer Health Data Privacy Beyond HIPAA | Forbes

The Confidentiality of Medical Information Act (CMIA) | Stanford University IT

How New Federal, State Laws Impact Healthcare Data Privacy | Health IT Security