- With the push toward nationwide interoperability, health data sharing is continually a top issue that covered entities are trying to overcome.
Whether a healthcare provider is trying to connect to an HIE, or a research institute is trying to gain more knowledge about a particular disease, health data sharing is not something that organizations can easily ignore.
But what are the privacy and security concerns? How can healthcare organizations remain compliant with all federal and state regulations, while still find convenient ways to share information as needed?
HealthITSecurity.com will review some of the larger aspects of health data sharing, such as how HIPAA regulations may come into play. We will also discuss recent legislation that has been passed on the matter, and how that could potentially affect healthcare privacy and security.
Sharing data securely
One of the key aspects to health data sharing is ensuring that it is done in a secure way that will not compromise patient information.
Health data encryption is a good option for this. While not technically required under HIPAA regulations, it is listed as “addressable,” meaning that healthcare organizations must determine which privacy and security measures will benefit its workflow.
“…it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity,” HHS explains on its website. “If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.”
For proper data encryption, a covered entity must make the information unreadable, usually by converting the data’s original form into encoded text. The information stays unreadable unless an authorized individual or entity has the necessary code or key to decrypt it.
While there are various options for data encryption, the HHS Security Series recommends that covered entities ask themselves to consider if it is necessary. For example, organizations can review the following questions:
- Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
- What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI by persons or software programs that have not been granted access rights?
Along with data encryption, there is the de-identification of data. This is where identifiers are removed from PHI, which can help mitigate privacy risks to individuals.
Data de-identification can be a popular option for medical research, along with policy assessment or comparative effectiveness studies.
“Regardless of the method by which de-identification is achieved, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information,” according to HHS.
The first type of de-identification is done through expert determination, when an individual “with appropriate knowledge of and experience” in rendering data unidentifiable will apply the necessary methods. After that, the expert will document the methods and results. This is important because it will prove how the conclusion that the data had been de-identified was made.
The other type of de-identification is where individual identifiers are removed, often referred to as the “Safe Harbor” method. Data can be considered de-identified if a covered entity removes 18 types of identifiers. Some of the identifiers include:
- Telephone numbers
- Email addresses
- Social Security numbers
- Medical record numbers
“The Privacy Rule does not limit how a covered entity may disclose information that has been de-identified,” HHS states on its website. “However, a covered entity may require the recipient of de-identified information to enter into a data use agreement to access files with known disclosure risk, such as is required for release of a limited data set under the Privacy Rule.”
Recent health data sharing legislation
Over the summer, the US House of Representatives passed the 21st Century Cures bill. The health data sharing legislation was designed to overhaul drug development by giving researchers more access to certain health information.
The House Energy & Commerce Committee explained that the legislation will help invest in science and medical innovation, incorporate the patient perspective, and modernize clinical trials, “to deliver better, faster cures to more patients and loved ones in need.”
While there was some concern over patient privacy issues, the bill was also met with praise. The American Hospital Association (AHA), for example, said that it commends the House Energy & Commerce Committee’s efforts to accelerate medical care. However, AHA added that it is concerned with certain provisions aimed at ensuring interoperability of health IT.
“The bill also includes an overly broad definition of ‘information blocking’ that would result in penalties for providers’ reasonable business practices and beneficial modifications to information technology (IT) systems that improve patient care,” wrote AHA Executive Vice President Rick Pollack.
Along with the 21st Century Cures bill, the Cybersecurity Information Sharing Act 2015 (CISA) was passed by the Senate in October. CISA was created to design a framework for exchanging information regarding cybersecurity threats within various industries.
In terms of healthcare cybersecurity specifically, CISA could help industry professionals connect via a network so that they can better exchange information with one another regarding potential cybersecurity threats.
Industry experts claim that this was an important step forward for not only healthcare, but all sectors.
Booz Allen Hamilton Executive Vice President and leader of the Commercial Cyber Security Business Bill Stewart explained to HealthITSecurity.com that CISA will help healthcare cybersecurity in the short-term because the threats are only going to increase. Because of this, the industry needs to be able to find ways to continuously keep pace in protecting sensitive information.
“There’s more investment going into [security] and there’s more effort going into defending ourselves but there’s a big gap,” Stewart said. “The offensive side – the attackers – have a huge advantage.”
With technological advances, it only makes sense that the cybersecurity threats also evolve. Covered entities and business associates must ensure that security remains a top priority, even as they work to implement new systems and potentially connect to other organizations for data sharing purposes.
Image Credit: HHS