Healthcare Data Privacy Laws hero image

Healthcare Data Privacy Laws

by

In healthcare, electronic records make it easier to coordinate care, deliver better treatments, and conduct medical research. However, digital records can be abused or accessed without proper authorization, both of which are serious breaches of patient privacy.

As a way to protect patient privacy, governments around the world have enacted healthcare data privacy laws that regulate the ways in which people and organizations handle patient data. In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most prominent law related to protecting the privacy of patients. In the European Union, the most prominent healthcare data privacy law is the General Data Protection Regulation (GDPR).

 

Understanding HIPAA

Healthcare data is extremely valuable and while privacy concerns must be taken seriously, it is also important for organizations to use this data in responsible ways, such as the pursuit of better healthcare or drug development.

The main section of HIPAA related to healthcare data privacy regulations is called the Privacy Rule. This section is designed to protect privacy while still permitting the responsible use of healthcare data.

The Privacy Rule covers the following entities:

  • Health Insurance Plans. These plans can be for individuals or groups.
  • Healthcare Providers. Any organization that administers care or medical procedures is considered a provider.
  • Healthcare Clearinghouses. These organizations process insurance claims and act as middlemen between providers and health insurance payers.
  • Business Associate. These individuals or organizations perform functions on behalf of or provide services to one of the above covered entities.

In an attempt to balance privacy and legitimate use of healthcare data, the Privacy Rule was written to be flexible. The need for responsible disclosure and a range of potential use cases were considered and these considerations were incorporated into the rule.

In trying to strike the right balance, the Privacy Rule prioritizes patient privacy and gives individual patients some rights related to their personal health information, such as the right to: 

  • obtain a copy of their health record
  • authorize their provider to send information to a third party
  • ask for corrections to their record.

The rule also says people and organizations that handle healthcare data must take all appropriate steps to safeguard the privacy of personal health information.

On the other side of the ledger, a covered entity is allowed to use and disclose healthcare data. It can do so without authorization from an individual if the purpose is: 

  • providing treatment
  • processing payment 
  • offering the opportunity to agree or object to use or to benefit a greater public good

Covered entities can also provide a limited set of healthcare data for research, public health, or healthcare purposes.

If a covered entity plans to use protected health information that isn’t related to treatment, payment, or other purposes permitted by the Privacy Rule, it must obtain written permission from the individual(s). Covered entities cannot condition treatment, enrollment, payment, or benefits eligibility based on an individual giving authorization, except in some limited situations.

The core tenet of the Privacy Rule is the notion of minimal use and disclosure. Covered entities looking to use or disclose healthcare data must develop a healthcare data privacy policy that ensures the only information released is that which is needed to achieve the stated purpose behind use or disclosure.

Under President Donald Trump, two key HIPAA-related privacy regulations were enacted. The CARES Act gave healthcare providers more latitude for the sharing of  records related to treatment of substance abuse disorders, more closely aligning existing regulations with HIPAA. The Safe Harbor Act gave the Department of Health and Human Services permission to refrain from handing out penalties for data breaches if a covered entity could show it had a recognized security framework. These evolving frameworks highlight the need for more advanced solutions to enable collaboration on data to ensure alignment with existing and future regulatory requirements.

 

Understanding GDPR

GDPR is much broader in scope than HIPAA, as it covers the protection of personal data collected outside the healthcare industry.

GDPR also has a much broader scope of data considered to be private information. Therefore, the European standard is generally considered to be much higher than the one established by HIPAA.

This healthcare privacy regulation singles out three specific types of information for protection:

  • Health Data. This data is related to the mental or physical health of an individual, including any administered healthcare services that may indicate a health condition.
  • Genetic Data. This data is related to inherited or acquired genetics of an individual that translates to their distinct physiology, including the results of a genetic analysis conducted on a biological sample provided by an individual.
  • Biometric Data. This is data created by specific technical analysis of an individual’s physical, physiological, or behavioral qualities — such as a fingerprint scan — that can then be used to confirm their unique identification.

GDPR also outlines how protected data is allowed to be processed. Sensitive data can be processed for medical diagnosis, medical treatment, or the management of healthcare systems and services. The European regulation also says that sensitive data may be processed in serious situations related to public health, such as preventing the spread of disease across borders or assessing the safety of medical products.

 

Data Collaboration and Compliance

Both HIPAA and GDPR were written with the good intentions of protecting patient privacy, but both sets of healthcare data privacy regulations do present several obstacles when it comes to the handling and legitimate use of healthcare data. Covered entities looking to use healthcare data in a collaboration with another party must have a healthcare data privacy policy focused on remaining compliant.

For instance, a covered entity looking to have its healthcare data processed by a third-party analytics provider must enter into a business associate agreement with the provider and take several other steps to ensure HIPAA compliance. Furthermore, the data provider should take steps to ensure the data is only used for authorized purposes, while the analytics provider should take steps to ensure its proprietary algorithms are not disclosed.

While the challenges presented by compliance can be significant, data collaborations can be incredibly beneficial to individuals, organizations, and society. For example, healthcare data could be used to help discover new drugs or uncover new indications for existing drugs. Data collaborations can also improve research processes. For example, machine learning algorithms are capable of driving the next generation of medical developments, but these sophisticated systems must be trained on massive amounts of healthcare data.

The results of healthcare data collaboration can range from improved patient outcomes to reduced healthcare costs all the way to saved lives. So despite the challenges of compliance, it is worth the extra effort to ensure data privacy by adhering carefully to healthcare data policies like HIPAA and GDPR.

 

How the TripleBlind Solution Can Help

TripleBlind’s complete and scalable solution for privacy-enhancing computation makes HIPAA and GDPR compliance much less expensive, simpler, and more reliable. 

Our one-way encryption technology allows both healthcare data collectors and data processors to keep their valuable assets behind respective firewalls. This solves for many compliance issues associated with data collaboration while attenuating risk. TripleBlind natively supports major cloud platforms, including availability for download and purchase via cloud marketplaces, and unlocks the intellectual property value of data.

If you would like to learn more about how our technology can simplify data partnerships, please contact us today.