Healthcare Information Security

Cybersecurity News

Maintaining Health Data Privacy in HIEs, Data Exchange

As healthcare organizations continue to utilize data exchange and connect to HIEs, health data privacy issues cannot be overlooked.

- With the push for nationwide interoperability, more covered entities are beginning to look toward health data exchange options, and may even be considering connecting to an HIE. However, health data privacy must remain a top priority at all times, especially as the healthcare cybersecurity threats continue to evolve.

Health data privacy issues key part of interoperability, HIE

Valita Fredland was recently named Vice President and General Counsel and Privacy Officer at the Indiana Health Information Exchange (IHIE), and explained to HealthITSecurity.com that secure information exchange has always been a top priority for her.

In graduate school, Fredland explained that she finished with a masters in clinical biomedical ethics, and had previously obtained a bachelors in economics and a law degree.

“At the time, it was a tremendously interesting area of study because it raised important questions, ethical questions, about the right thing to do in healthcare,” she stated. “While we had capacity to do many different things, as far as treatment options, it became clear that not everything that one could do was always the right thing to do.”

That ethical inquiry has always been very important to her, Fredland added.

She then worked as in-house counsel for Wishard Health Services, now Eskenazi Health, “where the forefathers of the current day IHIE began their virtual medical desktop.”

Fredland also worked Indiana University Health, formerly Clarian Health Partners. When she joined IU Health, Fredland explained that the organization was in the midst of partnering with a large electronic medical records vendor. It became one of her first large project there to help with the legal aspects of the EMR implementation.

“As we know, digital data has just since then been growing,” she said. “It’s growing in detail, and we’re growing in the ability to analyze it. It’s growing in mass, and I think it's fair to say these days that in every industry, information as an asset of organization makes up about 98 percent of where companies store their information.”

Even before she joined IU Health and IHIE, Fredland stated that her work trended towards the new technology, new informatics, and the new data consolidation efforts and the legal and ethical questions that are raised by big data.

“The reason that I went back to my roots in studying clinical biomedical ethics, and ethics sort of more broadly, is that I think big data raises important ethical and legal questions that in some cases haven't yet been well addressed by regulatory frameworks,” she maintained. “It's hard to anticipate some of the things that we're able to do with big data until we've done it. One then has to ask, ‘Well, was that the right thing to do with it?’ That's what has compelled me into this area, and why I find IHIE is a great place to continue extending that legal practice.”

What are the top healthcare privacy issues?

One of the top privacy issues facing numerous industries, and not just healthcare, is information sharing. In many cases, the consumer – or the patient in healthcare – would love to have data be readily available.

Not only could this assist in decision making, but could also provide more accurate treatment decision making available to those to whom one might be referred for care, she added. There is a tension between data availability and appropriate data protection and use.

“It is always the case that when one is the steward, when a company is the steward of sensitive data, it is responsible for ensuring that the data is only used, or disclosed, as is appropriate and allowed by governing law. There are also the expectations of the individuals whose information it is.”

The key challenge, especially with the push toward interoperability, the population health initiative, and the accountable care initiative, is that to make data available, it’s going to be exchanged across a legal landscape that has varying degrees and various levels of privacy and security rules and regulations.   

“It's fair to say that for a privacy professional in this day and age, he or she needs to be familiar with not only the state expectations and regulations on sensitive data, but national and international, because data can travel,” Fredland explained.

Furthermore, the legal landscape is currently very complex when it comes to privacy and security regulations. That is the challenge for any privacy professional thinking about interoperability and serving a client, she added.

Key privacy considerations for BYOD, mobile devices

Proper education for users and employees is one of the most effective risk management strategies, according to Fredland. Highly sophisticated technical protections and technical infrastructures can be implemented, yet there is still going to be the human element in how the information is used and accessed.

“When you look at BYOD strategies, which are commonplace in many organizations, and the many virtual accesses that organizations allow to data, there needs to be a multifaceted strategy to best protect the information, because risks to data are multi-faceted. Even the best protected data can be, as we've seen, compromised with a single click on a single e-mail. That's very hard to prevent at 100 percent.”

Having comprehensive and regular user and employee education about trending risks is an important strategy, she maintained. It should also be combined with good technical security infrastructure, and then ensure that those technical security infrastructure expectations are set for all users.

“When I hear my colleagues talk about the risks in the marketplace, they will often say, ‘It's not a matter of if, but when data may be compromised.’ And so, one has to be able to anticipate that. The better you're able to anticipate it, I think the better you're able to manage the risk.”

Interoperability and OCR HIPAA audit preparation

Interoperability is just one piece of an already existing privacy puzzle, Fredland cautioned. From a privacy perspective, an organization is responsible to know the location of data stored and the data transferred. Interoperability fits under the data transferred piece.

“Interoperability just raises additional questions about mapping data so that organizations responsible for compliance with HIPAA and HITECH need to ensure the same privacy and security compliance with interoperability exchanged data, as with their other sensitive data.”

What 2016 entails for healthcare privacy issues

The top privacy issue for HIEs in the immediate future, according to Fredland, is to develop a privacy and security framework that appropriately addresses the complex privacy and security regulatory requirements that apply to exchanged data over a variety of jurisdictions.

“Once data leaves a particular state, it is probable that it will then fall under a different set of privacy and security regulations,” she explained. “That is a key piece of ensuring appropriate information exchange as exchanges think about national and international interoperability.”

Fredland also reiterated the fact that there is an interesting tension created by Federal incentives. On one side, there is the push to meaningfully use health information to improve the health of the population.

At the same time, it is important to ensure appropriate privacy and security of the same information.

“Privacy officers find themselves right in the middle of that tension, to ensure proper balance and compliance between meaningful use of the data and appropriate protection of the data.”

Additionally, another important challenge for privacy officers and data stewards who are responsible for the privacy and security of popular data warehouses and big data is tracking the rights and permissions for each of the data fields in these blended databases. 

Fredland explained that the data in those warehouses can come from disparate sources. For example, a database could contain information that has been collected from a variety of sources with a variety of confidentiality and privacy representations.

For example, public facing internet pages collect visitor data under the webpage privacy notice, healthcare providers collect individual data through registration processes and treatment, and some data is governed by contractual confidentiality terms and conditions. Furthermore, some data about individuals is considered “public.” 

“Once these disparate data sources are merged under the single individual in a data warehouse, it is important to track the restrictions and permissions that attach to each of the bits and bytes of data, to govern how the data is ultimately used and disclosed.”  

Dig Deeper:

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks