As our digital lives expand, we’ve all found that protection of our personal data is crucial in every transaction we make. However, the most complex and sensitive personal data may be that concerning our health. Laws around the world are in force or on deck to help mitigate cybersecurity attacks and data breaches that continue to plague the industry (1).
What is patient data security & privacy in healthcare?
Let’s break down key words surrounding our most sensitive information when it comes to our digital health profile.
privacy // noun
freedom from unauthorized intrusion // one’s right to privacy.
security // noun
measures taken to guard against espionage or sabotage, crime, attack, or escape.
confidentiality // noun
the state of keeping or being kept secret or private
2018: Enforcing the General Data Protection Regulation (GDPR)
Patients in the US identified potential privacy breaches and data security as a bigger concern than the cost of healthcare (2). When patients don’t feel like their information is confidential, they may be less likely to be as truthful and even less likely to visit their doctors at all. With less information to go on, doctors may find it harder to accurately diagnose and treat illness.
World Internet Usage (3)
Q2 2020 estimates
Penetration rate as % of population
By geographic region
In other countries, patients are equally concerned with their individually identifiable health information. The European Union enacted the General Data Protection Regulation (GDPR) in April 2016 and it became enforceable in May 2018 (4). This regulation inspired new laws in many other countries and U.S. states.
2019: Big Data & Security Front and Center
Big data security and privacy issues in healthcare were front and center in 2019. Record-high breaches (5) impacted several million patients (6). In the U.S., the Office for Civil Rights (OCR) posted record years in 2018 and 2019 for HIPAA settlements and judgments (7) surrounding breaches in electronic health records (EHR).
2020: Global Movement In Data Protection
2020 Healthcare Breaches (8)
The breakdown in security triggered a global movement toward stricter data privacy and protection rules including steeper fines to address issues like cybersecurity and patient rights to their data.
Here is a look at some of the new and updated data protection rules and laws and how they address the importance of data privacy in healthcare.
2020 Updates: Data Privacy Laws
European Union: General Data Protection Regulation (GDPR)
The GDPR has been in effect since 2018, and 2020 promises to see a finalization of federal laws to comply with the Act in all EU countries including Greece, Portugal and Slovenia. The GDPR is viewed as the preeminent regulation around the world, recognizing privacy as a fundamental human right and prohibiting the collection and processing of personal data without legal basis.
The head of the European Commission, Margarethe Vestager, is calling for stricter enforcement of the laws and policies. Any organization, anywhere in the world, including healthcare, is obliged to notify the authorities in the case of a breach that compromises the personal data of an EU citizen. This applies to healthcare providers anywhere in the world, if they are treating and thereby gathering data and information on an EU resident.
Germany: Patient Data Protection Act (PDPA)
Germany adopted the PDPA in 2020 with the rollout to happen over several years. The regulations are designed to help protect personal and sensitive patient data while moving toward a more digital system that they believe will provide better care for patients. The new regulations surround security of, access to and control over information stored in a universal electronic patient record (EPR).
Patients are the primary data custodians for their own information and all entities involved in the patient’s care are required to protect the data. Data that may be stored, deleted and controlled by the patient in the EPR could include images, e.g., X-Rays, vaccination and maternity records, pediatrics and even a child’s ‘tooth bonus booklet.’
Physician referrals will be electronically transferred and in 2021, prescriptions will be downloaded to an app for fulfillment at the patient’s pharmacy of choice. The data will be transferable if the patient changes health insurers. Look for even further granularity in 2022 with data filtering and sharing via smartphone apps. In 2023, patients will have the opportunity to have their pseudo-anonymized and encrypted data stored for medical research purposes.
USA: Healthcare Insurance Portability & Accountability Act
HIPAA is now over 20 years old and the last major changes were enacted in 2013. 2020 may see the introduction of a controversial national patient identifier. Proponents believe the identifier will help with patient matching and minimize medical errors and misidentification. Opponents believe that the identifier threatens patient privacy. Medicare beneficiaries now have a healthcare identifier as of January 2, 2020. Stay tuned to HIPAA as this topic unfolds.
Health & Human Services (HHS)
Two new rules went into effect in March 2020. Issued by the HHS Office of the National Coordinator (ONC) for Health Information Technology and Centers for Medicare & Medicaid (CMS), the rules implement interoperability and patient access provisions that were outlined in the 21st Century Cures Act.
The new rules are designed to give patients secure access to, use of and the capability to exchange their health data. The data will be accessible to patients via typical smartphone apps so they can safely view, control and share through digital tools similar to those they use to schedule appointments or book flights. What to watch in 2020? How unfettered patient access to data may conflict with HIPAA or state laws (9).
California Consumer Privacy Act (CCPA)
Considered the most comprehensive data privacy act currently in effect in the U.S., the CCPA gives California residents more control over the personal information that businesses collect. When it comes to health data and privacy in California, the CCPA layers onto both HIPAA and the California Confidentiality of Medical Information Act (CMIA). The CMIA and now the CCPA impose wider and more stringent regulations and greater protection of privacy than HIPAA. Look for more U.S. states including Nevada, New York, Texas, and Washington to enact laws similar to CCPA in 2020 and beyond.
Brazil: Lei Geral de Proteção de Dados (LGPD)
The LGPD aims to consolidate and align Brazil’s rules that are spread across various legislative provisions governing privacy and personal data. Written to mirror the international standards set with the EU’s GDPR, the OGPD just went into effect in August 2020. The law applies to entities that process any personal data including health, sexual, biometric and genetic. The law differs from the GDPR in a couple of ways: anonymized data is not excluded if it is used for behavioral profiling and cross-border transfer is prohibited.
Potential data privacy regulations are on the horizon in India, South Korea & Thailand.
India: Personal Data Protection Bill (PDPB)
In August 2017, the Indian Supreme Court upheld that privacy is a fundamental right (10). This ruling led to the drafting of a sweeping Personal Data Protection Bill in 2019.
The first data protection bill of its kind in India, the proposed legislation lays out a legal framework designed to protect and regulate personal data including appropriate flow and usage by the entities that process data. Norms, accountability and remedies are outlined to address cross-border transfers, processing, unauthorized and harmful processing. A Data Protection Authority would be established to oversee all processing activities.
The bill was sent to a Joint Parliamentary Committee for further review and has potential to pass in the near future.
Thailand: Personal Data Protection Act (PDPA)
The PDPA became law in May 2019 and became enforceable a year later. This grace period allowed for subordinate regulations to be issued and for organizations to put policies in place to become compliant.
Many of the regulations outlined in the PDPA align with the European Union’s GDPR with some additional concepts unique to Thailand. Intrinsic to the law is control, consent and knowledge: individuals control how their data is collected, stored, shared and protected; they have the right to know who has their data and how it is being used and shared.
South Korea: Personal Information Protection Act (PIPA)
Part of a broad effort to secure an agreement with the European Union, South Korea is updating the PIPA as well as the Act on the Promotion of IT Network Use and Information (Network Act).
Proposed amendments will align the country’s laws more closely with the EU’s General Data Protection Regulation (GDPR), exerting tighter control over companies that handle personal data and a more defined enforcement of the laws.
How Healthcare Patient Data Privacy Needs & Awareness Drive Med Tech Innovation
While the laws surrounding consumer consent and data protection are too broad in scope to recap in full here, we see how patient awareness and patient rights are challenging and inspiring health tech innovation.
In the article How Hospital IT Can Influence Digital Healthcare Decision-Making, we explore the importance of integration: how it contributes to increased efficiency and works to boost data security while minimizing associated risk factors.
[1] Healthcare Dive, https://www.healthcaredive.com/news/healthcare-again-tops-industries-for-cybersecurity-attacks-data-breaches/552403/
[2] HIPAA Journal, https://www.hipaajournal.com/patient-privacy-and-security-are-greatest-healthcare-concerns-for-consumers/HIPAA Journal
[3] Internet World Stats, https://internetworldstats.com/stats.htm
[4] GDPR EU, https://gdpr.eu/
[5] Health IT Security, https://healthitsecurity.com/news/data-of-15m-patients-impacted-retrieved-in-lifelabs-cyberattack
[6] Health IT Security, https://healthitsecurity.com/news/11.9m-quest-diagnostics-patients-impacted-by-amca-data-breach
[7] U.S. Department of Health & Human Services, https://www.hhs.gov/about/news/2019/02/07/ocr-concludes-all-time-record-year-for-hipaa-enforcement-with-3-million-cottage-health-settlement.html
[8] Tech Jury, https://techjury.net/blog/healthcare-data-breaches-statistics/#gref
[9] Bloomberg Law, https://news.bloomberglaw.com/health-law-and-business/busy-privacy-agenda-for-2020-has-health-companies-on-edge
[10] DLA Piper, https://www.dlapiperdataprotection.com/index.html?t=law&c=IN&c2