Health privacy and security are often mentioned in tandem, but Deborah Peel, Founder and Chair of Patient Privacy Rights and Adrian Gropper, Chief Technology Officer of Patient Privacy Rights, took a different view in a recent Institute for Health Technology Transformation (iHT2) webcast.
The presentation, titled “Competing for Patient Trust and Data Privacy in the Age of Big Data,” detailed a few of the nuances between patient data privacy and security and why privacy is so significant as healthcare organizations pull together huge data sets for health information exchange (HIE) and accountable care.
Peel began the presentation by reminding the audience that health information privacy is an individual’s right to control the acquisition, uses or disclosures of his or her identifiable health data. Gropper followed that explanation with why he believes it’s hard to differentiate a healthcare practice based on data security alone, especially when it comes to big data. He argued that data privacy is not only a way for organizations to differentiate themselves, but that privacy is more valuable than security in the context of a healthcare setting and that good privacy practices can spur better analytics, patient engagement, and brand and trust recognition.
Focus on Fair Information Practice Principles (FIPPS)
Peel and Gropper said that while HIPAA is a good baseline, for privacy purposes, healthcare organizations should focus on FIPPS when working with large quantities of patient data:
Transparency – There’s no need for secrecy with medical information practices.
Individual participation – Involve patients and get their consent. Patients prefer to be asked about their participation.
Purpose Specification – Telling individuals the reasoning behind data collection and use increases engagement.
Data Minimization – Don’t ask for more than you need and don’t send out more than is required to provide a service.
Data use limitations – Examples of this may be mental health and substance abuse data.
Data quality and integrity – This allows errors to be corrected.
Security – Security is a component of the privacy scheme; without it, it’s hard to do the other items.
Accountability and auditing – Organizations must be able to provide an accounting of disclosures for patients.
According to Gropper, since HIPAA was updated with Treatment, Payment and Operations (TPO), patient consent is not required for some healthcare activities, which could be interpreted as organizations not being transparent and not allowing patients good access to an accounting of disclosures. He said it’s up to the institutions to police themselves and report breaches, which adds to the overall privacy issue.
Additionally, Gropper mentioned that patient matching index systems aren’t accessible to patients and that patients can perceive a notice of privacy practices as consent to treatment that they must accept as a condition of getting care. “HIPAA is a privacy floor and was never meant to be a universally applicable standard,” he said. “Many states have added privacy standards on top of HIPAA.”