Despite its growing embrace of innovation, healthcare still has a patient data privacy problem. Unconvinced? Skim the federal government’s list of health data breaches, and you’ll find more than 20 instances of hacking or unauthorized disclosure that exposed the digital information of nearly a million people.1 And that’s just what was reported last month.
This past fall, the FBI acknowledged the threat to patient data privacy and hospital operations when it warned of an increasing number of ransomware attacks tied to the COVID-19 pandemic.2 But while the ominous headlines were new, healthcare’s struggle to safeguard health data was anything but.
Hacking represents just one kind of risk to patient data privacy. Unauthorized third-party information access, insufficient transparency, and data governance lapses all plague patients and privacy experts. In 2018, 66 percent of patients in one survey said they worried that electronic data exchange might reveal their medical records to prying eyes.3 Now, as rules to foster interoperability and prevent information blocking move closer to taking effect, some healthcare stakeholders believe patient data privacy could further deteriorate.4
Health systems are scrambling to defend health data in a country with no comprehensive information privacy law other than HIPAA, which some experts claim is too outdated for the digital age.5 At the same time, healthcare provider organizations have a mandate to support data sharing and provide high-quality care—two goals that increasingly call for technological innovation.
How, then, can health systems serve patient data privacy while nurturing innovation? We spoke with an expert about where to start: Lisa Bari, a healthcare IT policy specialist who after working for the Centers for Medicare and Medicaid Services became interim CEO of the Strategic Health Information Exchange Collaborative.
Protect Patient Data Privacy
Health systems’ chief privacy motivation is to avoid fines related to data breaches, and new government regulations are enlarging the list of potentially costly violations, Bari says. Still, she believes the U.S. needs comprehensive data privacy legislation to secure sensitive information and help health systems act. For now, that falls on individual states, like California, which recently enacted a law meant to tighten privacy controls in healthcare and beyond.
“One of the defining factors of the U.S. healthcare system is that there’s no consistency,” Bari says, referring to how privacy may evolve under new data-sharing rules. “I don’t think that there’s any indication that there’s going to be a consistent implementation of anything.”
But healthcare organizations can take smart steps forward.
The obvious approach is to shore up networks to better thwart hackers and develop data governance strategies to minimize unauthorized access. Controls like passwords and PIN numbers, encryption, and employee training also help there, according to the University of Illinois Chicago’s health informatics department.6
Health systems can also improve data privacy as health data exchange grows among providers, payers, and third-party vendors that offer products like apps. Here are Bari’s suggestions include:
- Consider taking extra precautions before any national privacy law comes into place. “You don’t need to wait for the law to start acting the way you want to act.”
- Adopt more thorough standards from groups like the CARIN Alliance to preserve data exchange among providers, patients, and third parties.7
- Be transparent. Tell patients which types of information your organization collects, how you use that data, and who has access to it.
- Enable patients to opt out of data-sharing arrangements they don’t like or consider risky.
- Don’t be afraid to educate. Describe technical efforts to defend against the next big hack, so patients can gauge whether their data is safe with you.
Innovation, after all, requires bedrock security and transparency measures.
Protect Patient Data Privacy
Concerns over patient data privacy likely cause some healthcare organizations to remain as conservative as possible when it comes to technological innovation, Bari says. But that’s a mistake.
The truth is, health systems that fail to spur innovation—through artificial intelligence, patient-facing apps, meaningful data exchange, and the like—will lose patients, who have more options than ever.
They expect their health data to be available at the ready, to them and their clinicians, Bari notes. They can receive speedy care at the grocery store and head to digital providers who treat chronic disease and mental health conditions. Online digital health organizations even provide discreet prescriptions.
“If you can make it easier for them to receive services—whether it’s booking online, making sure that data follows them, or automated and intelligent follow-ups based on information you have about their health status—I think that those things will result in a competitive advantage,” Bari says.
Embracing innovation means avoiding falling victim to digital providers that are not built on data security and innovation.
It comes down to Culture
Building an environment that promotes patient data privacy and healthcare innovation is no easy lift. Like a major technology implementation, the work depends on creating a tight-knit web in which culture and workflow feed off each other, Bari says. Simply making the technologies, policies, and information available and hoping for adoption won’t do the trick.
“It’s not a simple process change,” Bari adds. “It’s a cultural rethinking, which drives dramatic changes in workflow and the way they deliver care.”
Everyone within an organization, from physicians and nurses to executives and front office staff, needs to understand why innovation that expands data sharing is important and how to meet patient demands for privacy.
“I don’t currently feel safe when I write my Social Security number down on a piece of paper and hand it to a front-desk person who I’ve never seen before, who puts it in a file, who leaves it on the counter,” Bari says. “But I can tell you that those workflows are embedded. They’ve calcified in these practices, in these hospitals and provider sites. So, you have to start over.”
The only question is: Who will strengthen their patient data privacy and innovation strategies now and who will wait for the next government mandate?
1. Breach portal. U.S. Department of Health and Human Services
Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed 2 Dec. 2020.
2. “Hospitals hit with ransomware attacks as FBI warns of escalating threat to healthcare.” FierceHealthcare, October 2020, https://www.fiercehealthcare.com/tech/hospitals-hit-ransomware-attacks-as-fbi-warns-escalating-threat-to-healthcare. Accessed Dec. 2, 2020.
3. “Individuals’ Perceptions of the Privacy and Security of Medical Records and Health Information Exchange.” The Office of the National Coordinator for Health Information Technology, 2018, https://dashboard.healthit.gov/quickstats/pages/consumers-privacy-security-medical-record-information-exchange.php. Accessed Dec. 2, 2020.
4. “New Data Rules Could Empower Patients but Undermine Their Privacy.” The New York Times, March 2020, https://www.nytimes.com/2020/03/09/technology/medical-app-patients-data-privacy.html. Accessed Dec. 2, 2020.
5. “Health Data Privacy: Updating HIPAA to match today’s technology challenges.” Harvard University, May 2019, http://sitn.hms.harvard.edu/flash/2019/health-data-privacy/. Accessed Dec. 2, 2020.
6. “Protecting Patient Information in the Age of Breaches.” University of Illinois Chicago, https://healthinformatics.uic.edu/blog/protecting-patient-information/. Accessed Dec. 2, 2020.
7. Homepage. The CARIN Alliance, https://www.carinalliance.com/. Accessed Dec. 2, 2020.