September 22, 2023
Ease Healthcare Privacy Compliance with Skyflow
If you work for a healthtech company, you’ve no doubt spent a lot of time considering and reconsidering the ways you handle protected health information (PHI) and other forms of sensitive data. With recent changes to data privacy laws like HIPAA and more changes coming at the state and federal level, you might find that your privacy posture isn’t up to the demands of the evolving regulatory landscape.
Your company probably uses PHI and other forms of sensitive data collected from your users to provide them with improved outcomes and customer experiences. You might also handle sensitive healthcare data from your users’ patients. Regardless of whose data you’re using to conduct business, it’s vitally important that you keep this data secure and private, using it in compliance with applicable laws and regulations.
In this post we’ll explore the history of health data privacy laws, the current challenges companies face, and how these laws and regulations might change in the future. We’ll also explore the ways that companies are working to comply with these requirements. Finally, we’ll talk about how the data privacy vault provides the best architectural pattern to address current privacy requirements while also helping to future-proof your company and products, so you’re ready as healthcare data protection laws evolve.
A Very Brief History of HIPAA
Congress signed HIPAA into law in 1996, but the law didn’t focus on digitally stored healthcare data when initially passed. The evolution from paper health records to digital records was in progress at the time, but digital record storage was a far cry from being the standard data storage method that it is today.
The first legislation accounting for this shift to digital data storage was the Health Information Technology for Economic and Clinical Health Act (HITECH), which was passed in 2009. HITECH extended HIPAA security and compliance requirements to include businesses that process healthcare data. This is in contrast to the original law, which only governed healthcare providers like clinics or hospitals.
In 2013, the Health and Human Services Office for Civil Rights (HHS OCR) consolidated these two pieces of legislation in what is called the HIPAA Omnibus Rule. This is the current set of rules and laws that govern any provider or business that collects, stores, or processes healthcare data.
The latest piece of relevant healthcare regulation was crafted in response to the massive growth of healthtech wearables and devices, which had started gathering health data but did not fall under the current iteration of HIPAA. To account for this, in 2021 the Federal Trade Commission (FTC) announced that HIPAA’s breach notification rule applies to wearable tech devices and apps.
The FTC also published a guide for developers and companies to clarify whether or not this change affects them.
Which Companies Does HIPAA Apply To?
There are two broad categories of entities that are governed by HIPAA, the first being part of the original scope of the 1996 legislation, and the second being added in 2009 following the growth of digital data storage.
The original HIPAA legislation was focused solely on healthcare providers, health insurers, and healthcare clearinghouses. Depending on the nature of your healthtech company, you may have direct interaction with one or all of these groups. A digital HR platform, for instance, might collect or store PHI or other sensitive data for the purpose of assisting users with signing up for insurance, and as such will interact with insurers or clearinghouses.
The second category, business associates, covers entities that may not be directly responsible for administering care or insurance but still use or process PHI, such as third-party billing services, legal representation, or benefits managers. For example, a third-party platform that therapists use to chat with patients or to deliver video therapy sessions would be subject to HIPAA despite not being directly involved in the administration of care.
How is PHI Defined?
Protected health information, or PHI, is the catch-all term for data collected in a healthcare context that falls under HIPAA protection. It covers any information that can be tied to the identity of a patient or customer. There are 18 identifiers outlined by the HHS that include many of the things you’d expect to see, like names, addresses, SSNs, etc. But, the last one, other characteristics, is extremely broad, defined as “any other characteristic that could uniquely identify an individual”.
The takeaway from the HHS is to be broad in your definition of PHI when deciding which data requires extra care and protection, following the maxim: if it looks like it might be PHI, then treat it accordingly.
Ensuring current and future compliance means being familiar with HIPAA broadly, but there are a few rules that are critical for modern healthtech businesses to pay attention to.
Which HIPAA Rules Are Most Challenging to Address?
The following three rules are critically important and can be a challenge to comply with for companies that use or store PHI:
Security Rule
The HIPAA Security Rule requires you to enact adequate security measures to protect the confidentiality and integrity of any PHI you interact with. Unfortunately, what qualifies as “adequate” is only vaguely outlined in the HHS guide. As with the definition of PHI discussed above, it makes sense to err on the side of caution when interpreting this rule.
The security rule also includes requirements around audit logging, so we’ll cover that next.
Audit Log Rule
This rule, technically a subset of the Security Rule and formally known as the HIPAA Security Rule provision on Audit Controls, requires covered entities to audit all interactions and activity within systems that interact with PHI. This has two intended effects: first, it requires you to do the work of tracking all the places PHI goes internally; and second, logging all this activity makes it much easier to detect any misuse of PHI.
Privacy Rule
The HIPAA Privacy Rule requires you to protect the privacy of PHI and “sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization.” This rule can be difficult to follow without adequate data governance, data minimization, and security controls; without these, PHI can easily sprawl across your internal systems or into third-party services you use. Ensuring that you have knowledge of and control over how PHI flows through your systems and third-party services is essential to uphold this rule.
Complying with HIPAA Rules
Complying with these rules not only requires organizational training, but also technical solutions that let you isolate PHI and other sensitive data in a centralized location, tokenize PHI so you can reference PHI instead of duplicating it across systems, redact PHI so users get only the data that they need, and govern access. Read on to learn how Skyflow Data Privacy Vault provides technical solutions to these requirements.
Where HIPAA Falls Short
Although HIPAA and the subsequent additions to it that came in the form of the HITECH and Omnibus Rule are aimed at protecting patients, the actual substance of the legislation is notoriously unclear and requires providers and business associates to do some very heavy lifting in order to ensure their compliance. Even if your company is fully compliant and is able to successfully pass an audit by the HHS or a third party, this is no guarantee that your users’ PHI data is safe and secure.
Unlike the Payment Card Industry Data Security Standard (PCI DSS), which has a very clear and easily navigable set of guidelines, HIPAA compliance tends to be somewhat vague and open-ended. A perfect example is HIPAA’s Minimum Necessary Standard rule, which requires that companies only provide the bare minimum of data necessary internally for their services and systems to operate. For example, if a system only needs a patient’s first name, that’s all you should provide to that system, redacting or removing the middle and last name.
The issue lies in how exactly you go about following this standard. There is no set governance system or method for doing this, and the HHS does not express any preferences in its guidelines. This means that the burden falls on you and your team to comply with these rules.
To do this, you can either incur the expenses and risks of building a proprietary data governance engine, find a product that provides one that is up to the task, or operate under an “honor system” where data governance is run according to internal training and procedures. Building your own or relying on an honor system is rarely feasible for a modern healthtech company. And more to the point, neither of those approaches necessarily makes patient data safer.
Healthcare Data Privacy is More than HIPAA
Although companies covered by HIPAA in the United States are mostly concerned with HIPAA compliance when protecting the privacy and security of sensitive PHI, HIPAA isn’t the only law they should consider.
And the companies covered by HIPAA aren’t the only ones that need to be concerned with healthcare data privacy. For example, the California Privacy Rights Act (CPRA) regulates the privacy of data on California residents that relates to medical or health conditions.
What Lies Ahead for Healthcare Data Privacy
Shifting political winds make it difficult to predict long or even short-term changes to healthcare data law, but what is clear is patients are becoming increasingly skeptical of the ways companies collect data and what they do with it.
Even if legislation lags behind consumer preferences, healthcare providers and healthtech companies are taking notice and developing new ways to give patients control over their data. This also extends to usability issues — human error is the cause of nearly a third of all healthcare data breaches, making it essential that developers build guardrails and safeguards into their apps and services.
A data privacy vault is a ready-made solution that saves you the cost of building the necessary architecture and controls.
How a Data Privacy Vault Helps with Healthcare Data Privacy
HIPAA legislation was created with the goal of pushing companies to view PHI as a unique form of data that requires special care in how it is protected and used. And while HIPAA and its successor, the HITECH Act, articulate specific requirements, it’s worthwhile to exceed those requirements to protect the privacy of PHI.
Because a data privacy vault is purpose-built to protect sensitive data without sacrificing data utility, a data privacy vault provides an architectural approach to meeting and exceeding HIPAA compliance requirements. In addition to helping you isolate PHI from other data, Skyflow Data Privacy Vault also includes a wide range of capabilities to help you secure data and guarantee privacy to users and patients.
Skyflow Data Privacy Vault secures PHI (and any other sensitive health data) and separates it from other types of non-sensitive data, letting you assign special rules and safeguards around it without preventing access by authorized users, systems, and third party services.
Skyflow protects sensitive data with a combination of encryption, tokenization, and redaction techniques:
- Encrypting PHI helps you to safeguard this sensitive data, and with polymorphic encryption, you can still use sensitive data while it remains fully encrypted.
- Tokenizing PHI gives you tokens that serve as a “stand-in” for sensitive data elements. You can pass these tokens throughout your systems without exposing the corresponding data to unauthorized users or workflows, so your internal systems keep running smoothly and you can still glean insights from PHI without putting that data at risk.
- Data redaction gives you differential control of PHI data, allowing you to remove some or all of the elements of sensitive data. This is essential for meeting the Minimum Necessary Standard discussed above.
Skyflow’s governance engine gives you total control of any and all PHI data you collect or store. This makes it easy to go beyond the limited HHS guidelines and ensure that every piece of data that patients or users provide is only shared when absolutely necessary and to the most limited extent possible.
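The following sketch, added here as an illustration and not code from Skyflow or its API, ties together the pieces described above: the Audit Controls requirement, the Minimum Necessary Standard example (a system that only needs a first name gets only a first name), and the tokenization, redaction and governance capabilities listed in this section. A single `Vault` class is the only place PHI exists in the clear; other services hold random tokens, and every attempt to resolve a token is checked against a per-role policy and written to an audit log, including denials. The roles, columns, policy table and sample patient record are all constructed for the example.

```python
"""Constructed data privacy vault sketch (illustration only, not Skyflow's code or API).

The vault is the only system that holds PHI in the clear. Other services
receive random tokens, and every attempt to turn a token back into data is
checked against a per-role redaction policy and written to an audit log.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    """How much of a field a role may see."""
    PLAIN = "plain"        # full value
    MASKED = "masked"      # all but the last four characters hidden
    REDACTED = "redacted"  # value withheld entirely


# Constructed policy: role -> column -> level. Any column a role is not
# granted is treated as REDACTED, so "minimum necessary" is the default.
POLICY: dict[str, dict[str, Level]] = {
    "clinician": {"first_name": Level.PLAIN, "last_name": Level.PLAIN,
                  "ssn": Level.MASKED, "diagnosis": Level.PLAIN},
    "billing":   {"first_name": Level.PLAIN, "last_name": Level.PLAIN,
                  "ssn": Level.MASKED},
    "analytics": {"diagnosis": Level.PLAIN},
}

REDACTED_MARKER = "[REDACTED]"


def mask(value: str) -> str:
    """Keep only the last four characters, e.g. 123-45-6789 -> *******6789."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Vault:
    # token -> (column, clear-text value); this dict is the isolated PHI store
    _store: dict[str, tuple[str, str]] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def tokenize(self, record: dict[str, str], actor: str) -> dict[str, str]:
        """Store each PHI field and hand back a record of random tokens.

        Tokens carry no information about the value (no hash, no format
        preservation), so a leaked token is useless without vault access.
        """
        tokens: dict[str, str] = {}
        for column, value in record.items():
            token = "tok_" + secrets.token_hex(8)
            self._store[token] = (column, value)
            tokens[column] = token
        self.audit_log.append({"actor": actor, "action": "tokenize",
                               "columns": sorted(record)})
        return tokens

    def detokenize(self, token: str, actor: str, role: str) -> str:
        """Resolve one token for a role, applying the policy and logging the decision."""
        entry = {"actor": actor, "role": role, "action": "detokenize", "token": token}
        if token not in self._store:
            entry["decision"] = "unknown_token"   # denied lookups are logged too
            self.audit_log.append(entry)
            raise KeyError(token)
        column, value = self._store[token]
        level = POLICY.get(role, {}).get(column, Level.REDACTED)
        entry["column"] = column
        entry["decision"] = level.value
        self.audit_log.append(entry)
        if level is Level.PLAIN:
            return value
        if level is Level.MASKED:
            return mask(value)
        return REDACTED_MARKER

    def detokenize_record(self, tokens: dict[str, str], actor: str, role: str) -> dict[str, str]:
        """Resolve a whole token record; fields the role may not see come back redacted."""
        return {col: self.detokenize(tok, actor, role) for col, tok in tokens.items()}


if __name__ == "__main__":
    vault = Vault()
    # Constructed sample patient record.
    toks = vault.tokenize({"first_name": "Ada", "last_name": "Lovelace",
                           "ssn": "123-45-6789", "diagnosis": "R51"}, actor="intake-svc")
    print("downstream systems hold:", toks)
    print("billing sees:", vault.detokenize_record(toks, actor="billing-svc", role="billing"))
    print("analytics sees:", vault.detokenize_record(toks, actor="etl", role="analytics"))
    for line in vault.audit_log:
        print(line)
```

Two design points matter more than the code itself. First, the policy is deny-by-default: a role that is not explicitly granted a column gets `[REDACTED]`, which is how the Minimum Necessary Standard becomes a property of the system rather than of staff training. Second, the audit log records every resolution attempt with the actor, role, column and decision, including unknown tokens, so misuse shows up as an anomaly in one log rather than being scattered across every system that once held a copy of the data.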
Are you struggling to find a way to meet HIPAA compliance or interested in upgrading your security and compliance capabilities? Contact us to learn how Skyflow Data Privacy Vault can help you.