Privacy in Healthcare: An Introduction to Protecting Patient Data


Note: This is the first blog in our healthcare series on “Data Privacy in Healthcare and The Role of Technology.” This blog series deep-dives into data privacy and transparency in the healthcare industry. It explores in detail the compliance and disclosure requirements in the global pharmaceutical industry and the international laws and regulations that guide them.

This blog series also discusses the traditional manual methods of anonymization currently prevalent, how industry 4.0 solutions can automate and vastly improve conventional anonymization, and how Gramener’s AInonymize solution can transform clinical trial disclosures and regulatory compliance in the healthcare industry.

Precap: This article will introduce the concept of data privacy and general regulations on data privacy in the healthcare industry and the role of technology in it.

Check out other parts of the series:

  1. Data Transparency and Disclosure Requirements in Healthcare (Part 2)
  2. Introduction to Handling Data Privacy Laws and Requirements in Healthcare (Part 3)
  3. Data Privacy Protection Techniques To Safeguard Patient Data (Part 4)

According to a report rolled out by HIPAA, “from 2009 to 2021, 4,419 healthcare data breaches involving 500 or more records were reported to the Office for Civil Rights of the Department of Health and Human Services (HHS). These breaches, mocking the data privacy in healthcare, resulted in the unauthorized loss, theft, exposure, or disclosure of 314,063,186 healthcare records.”

Ubiquitous Data, Ubiquitous Access

Today, digital data is pervasive and everywhere. Thanks to ubiquitous computing and IoT, everyday objects can be embedded with microprocessors to perform functional tasks and communicate both with humans and each other.

An excellent example of ubiquitous technology is Fitbit. Worn like a watch on the wrist, a Fitbit is a physical activity tracker that can record the wearer’s information related to gym activity, cycling, swimming, running, walking, etc.

The Fitbit can track calorie burn, step count, heart rate, and more. It can also track stress levels and notify the user of any unusual activity, such as an irregular heartbeat. The user can easily access this information via a smartphone app.

Yet another good example is Amazon’s audiobook server, Audible. A registered user can listen to an audiobook on the smartphone app while traveling and continue from where he or she left off on Amazon Echo at home.

Ubiquitous computing and IoT have rendered everyday objects in any room into computers. These devices, equipped with high-speed internet, can gather information from their surroundings, creating a vast treasure trove of private and confidential data vulnerable to leaks or breaches.

What is Privacy?

To protect individual privacy, we need a standard set of regulations to implement across many ecosystems.

Unfortunately, privacy is a complex issue, and there is no one-size-fits-all silver bullet for all situations. Defining privacy in the context of any specific domain can be tricky and poses the following challenges:

  • Whose privacy is at risk?
  • Is the individual’s privacy vulnerable during a specific timeframe?
  • To what extent can you protect the said privacy?

Addressing the questions mentioned above requires a detailed understanding of a particular system or application and the consequences of implementing privacy regulations.

In this article, we will introduce the concept of data privacy in the context of the healthcare industry and the role that technology can play in it. We will also explore general regulations on data privacy in the healthcare industry.

Specific Case Examples and Costs Associated with Healthcare Data Privacy Breaches

Sadly, healthcare data breaches continue to increase, both in frequency and size, affecting several tens of millions in the US alone. They can expose sensitive personally identifiable information (PII) like names, addresses, and social security numbers.

They can also leak sensitive health data such as patients’ medical histories, health insurance information, and Medicaid ID numbers. Redaction of medical records can stop the misuse of patients’ private information.

The CAGR (compound annual growth rate) for healthcare data will reach 36% by 2025, more than manufacturing (30%), financial services (26%), or media and entertainment (25%). By 2027, the digital health market is predicted to generate revenue of up to $256.30 Bn.

Healthcare providers such as health insurance companies, pharmacies, urgent care clinics, and hospitals possess invaluable information related to patients, which makes them a prime target for cybercriminals and identity thieves.

A 2017 Accenture survey revealed that healthcare data breaches affect 26% of all US consumers. About half of the breach victims suffer medical identity theft, resulting in up to $2,500 out-of-pocket costs on average.

Examples of the Biggest Violations of Data Privacy in Healthcare

Below are 3 of the biggest healthcare data breaches in recent US history, tabulated by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS):

  • NewKirk Products, the issuer of healthcare ID cards, announced a data breach in 2016, affecting up to 3.3 Mn patients. Among those impacted were customers of the insurer Blue Cross Blue Shield, one of the biggest national providers of health insurance. In addition to primary care provider information, hackers were also able to access sensitive personal information, such as names, including those of dependents, birth dates, premium invoice information, Medicaid ID numbers, and group ID numbers.
  • Arizona-based healthcare provider Banner Health disclosed a similar attack in 2016 that affected the records of up to 3.7 Mn patients. A cybersecurity firm hired by Banner Health to investigate unusual activity on its private servers discovered two attacks involving payment systems data and patient records. The data breach included names, healthcare information, credit card numbers, doctors’ names, expiration dates, social security numbers, internal verification codes, birth dates, and addresses.
  • Medical Informatics Engineering, an electronic medical records software company, announced a data breach in 2015 that affected up to 3.9 Mn patients across 11 healthcare providers. The affected patients were notified via mail that their personal information, such as names, diagnoses, social security numbers, birth dates, mailing addresses, phone numbers, and other sensitive data, had been stolen.

Overview of Regulations for General Data Privacy and Specifics About Data Privacy in Healthcare

The need for data protection and privacy has steadily increased with the proliferation of online economic and social activities. The procurement, use, and distribution of personal information with third parties, often without consent or even notice to the consumers, exacerbates the problem.

As of Dec 2021, 137 out of 194 countries have adopted legislation to protect data privacy, as per the United Nations Conference on Trade and Development (UNCTAD). While regions like Asia and Africa show adoption levels of 57 and 61 percent, respectively, the least developed countries register adoption rates of just 48 percent.

2018 and 2019 recorded the highest-ever data breaches and big data security issues in healthcare, affecting millions of patients. OCR posted unprecedented judgments and settlements related to electronic health record breaches.

The failures of 2018 and 2019 forced the hands of national governments and international agencies to enforce stricter data privacy protection rules. They also enacted more stringent fines to check violations of patients’ data rights and cybersecurity issues.

Following are some of the most well-known global regulatory standards and initiatives:

The General Data Protection Regulation (GDPR)

GDPR was enacted in the European Union (EU) in Apr 2016 and came into effect in May 2018. It is often viewed as the gold standard for data privacy regulation worldwide.

The GDPR recognizes privacy as a fundamental human right. It strictly prohibits the illegal gathering and use of personal data. Under GDPR laws, in case of a compromise of the personal data of an EU citizen anywhere in the world, it is the responsibility of the concerned party to report the breach to the authorities.

This rule applies to all organizations, including healthcare operators, who treat patients and gather data and information about them.

Patient Data Protection Act (PDPA)

The PDPA was adopted by Germany in 2020 with a gradual rollout to span several years. The regulation seeks to protect sensitive and private patient data while evolving toward a digital system that provides better care to patients.

The control, access, and security of information stored in a universal electronic patient record (EPR) comes under the purview of these regulations.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a US federal law that was enacted in 1996. It requires the development of national standards to protect confidential patient health information from disclosure without patients’ knowledge or consent.

The HIPAA Privacy Rule has been issued by the US Department of Health and Human Services (HHS) to implement HIPAA requirements.

Health and Human Services (HHS)

In Mar 2020, two new rules issued by the HHS in the US went into effect: the Office of the National Coordinator for Health Information Technology (ONC) Final Rule and the Centers for Medicare and Medicaid Services (CMS) Final Rule.

The ONC Final Rule codifies the 8 reasonable and necessary exceptions to information blocking, activities that are allowed to deviate from the accepted norm of free sharing of electronic health information (EHI).

These exceptions include preventing harm, privacy, and security of electronic health records (EHR).

The CMS Final Rule allows payers to hold third-party application developers accountable under specific privacy provisions. These provisions include mentioning secondary data uses within the privacy policy and intimation to patients of said data uses.

California Consumer Privacy Act (CCPA)

The CCPA is the most comprehensive data privacy act currently in use in the US. It gives Californians greater control over the personal information that businesses collect.

The regulations imposed by the CCPA are broader and more stringent than HIPAA and offer greater protection of privacy. In the near future, more US states will follow in the footsteps of California and enact their versions of the CCPA.

Act on the Protection of Personal Information (APPI)

With the adoption of APPI in 2003, Japan became one of the earliest adopters of data protection regulations in Asia. A review takes place every 3 years to keep pace with emerging new trends and technologies.

One such review led to an amendment in 2021, subjecting public universities and government-run hospitals to the same rules as private universities and hospitals.

In addition to several new provisions, the amendment requires businesses to report data breaches involving information such as medical history, etc., to the Japanese government (PIPC). The affected individuals will also have to be notified.

Does Technology Like AI Help or Hurt Data Privacy in Healthcare?

Healthcare data is invaluable to many companies willing to look the other way when following ethical and privacy norms.

Regulatory standards like HIPAA only cover patient data from healthcare operators, like hospitals and insurance companies. A recent study showed that HIPAA has failed to keep up with the advances in industry 4.0 technologies like artificial intelligence.

HIPAA has no jurisdiction over tech companies. This was demonstrated in 2017 when Facebook released its suicide detection algorithm, which uses AI to gather data from user posts, predict their mental state, and prevent suicides.

The positive intent notwithstanding, Facebook is accumulating users’ mental health data without their consent. Furthermore, beyond its stated purpose, it is difficult to know the use of said data.

Similarly, HIPAA does not regulate genetics testing companies like 23andMe and Ancestry. These organizations can analyze DNA to provide information about ancestry, physical traits, health, etc.

These companies can legally store genetic data for up to 10 years. They can also sell the data to other companies.

Fortunately, where there is a challenge, there also lies opportunity. Today, AI plays a vital role in protecting the privacy of end users, tech applications, and even institutions. A 2019 Gartner study revealed that, by 2023, more than 40% of privacy compliance technology will be AI-powered.

Privacy watchdogs are in a race against time to ensure that all safeguards to protect personal data are in place. This is only possible with the help of technology.

Automation, scale, and speed have made AI applications irresistible in the eyes of customers and businesses alike. AI can process exponentially more data than humans, especially when working within aggressive timeframes.

Gramener’s healthcare data privacy and anonymization solution, AInonymize, can help submit CSR documents 86% faster than conventional manual processes while adhering to the highest standards of risk-protection accuracy.


In the upcoming articles in this series, we will explore how AInonymize can help pharma operators automate data redaction and meet the stringent demands of regulatory compliance with relative ease.


In this article, we explored how the rapid and unchecked proliferation of digital data can make confidential and sensitive information vulnerable to data leaks and breaches.

We also shared specific case examples of healthcare data privacy, regulations governing healthcare data privacy, and the potential challenges and opportunities of implementing industry 4.0 solutions like AI.

Stay tuned for the next article in this series, where we explore data transparency and disclosure requirements in healthcare. We will dive into the key disclosure regulations, such as EMA0070, and the current technologies operating in this space and their impact.

See you soon!
