The COVID-19 pandemic has had a paralyzing effect on the daily life of people in every part of the world. Governments everywhere are utilizing various technological avenues to come up with different solutions to combat it, including, but not restricted to, applications used to track and trace COVID-19 patients to help stop the spread of the virus. In fact, industry leaders like Google and Apple have announced their joint effort to leverage technologies to support governments and other health organizations to reduce the spread of the coronavirus, with user privacy and security central to the design.
As more and more apps are being used for contact tracing, privacy concerns have been raised about the systems and solutions employed.
Living as we do, in a world where healthcare is a buzzword, let’s take a comprehensive look at what patient privacy means, why it’s important, and what governments world-over are doing to protect their citizens.
Why is patient privacy important?
The importance of privacy in healthcare is a very old idea. In fact, privacy is one of the ideas touched upon by the Greeks in the Hippocratic Oath. Certain diseases can cause fear, the anxiety of social prejudice, and stigma among patients. Because of this, they hide information from healthcare professionals leading to ineffective treatment and complications.
What are the challenges to patient privacy?
The use of technology in healthcare has increased productivity manifold, especially in maintaining patient information and data use. Many hospitals have introduced PCM (Patient care management)/ EHR (Electronic Health Records) solutions that are large document filing solutions that store patient information. These solutions can share data between various medical institutions and reduce paperwork, but it has also caused a new level of complexity for data privacy and security. Particularly in the way the data is managed and transmitted. Solutions face security and privacy threats from hackers, viruses, and worms.
One of the main challenges to data privacy is Privacy Merchants. They are for-profit organizations that deal with stolen or privacy-violating information. These companies sell dossiers of private health information to the highest bidder. This information is then used to target individuals in various ways, such as targeted product marketing, disclosing employee health history, among others.
What are the different industry standards worldwide that protect patient privacy?
Patient confidentiality is not just a good idea – it is the law in many countries. The introduction of PCM/ EHR systems in medical institutions have also renewed the call for stronger healthcare privacy laws around the world. The United States, Europe, UK, Australia, New Zealand, and others have introduced/ strengthened laws to protect an individual’s privacy in recent times. These laws mandate rules on the storage and transfer of private health data.
Let’s take a look at the many different laws around the world that deal with the complexity of Patient Privacy.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The most comprehensive standard that deals with the issue of patient privacy is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The act, formulated and implemented in the USA, set down rules on how personal health data could be managed and modernized the flow of healthcare information. HIPAA provides protection of health-related information and supplements the current state and federal laws.
HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) stored by “covered entities”. Covered entities are health-care clearinghouses, health plans, health insurers, and medical service providers, etc. Some examples of information they are privy to are – health status, healthcare history, health care payment of an individual, among others. You can find more info about the security aspects of HIPAA here.
HIPAA, however, does not cover data generated by fitness trackers, social media sites, and other health data created by the patient. Health information can be disclosed by patients in emails, blogs, chat groups, or social media sites that are not covered under HIPAA too. So it was necessary to enhance HIPAA regulations and this led to the creation of the HITECH Act.
Health Information Technology for Economic and Clinical Health Act (2017)
The HITECH Act was enacted to promote and expand the adoption of IT in healthcare. The Act mandated incentives to clinicians for the implementation of electronic health records (EHR). EHR systems enable patients to manage their own data. The act also introduces significant penalties for failing to report data breaches and follow the regulations. To know more about the privacy aspect of the HITECH Act click here.
Personally Controlled Electronic Health Records Act 2012 and Privacy Act 1988
The Personally Controlled Electronic Health Records Act 2012 and Privacy Act 1988 governs how eHealth record information is managed and protected in Australia. PCEHR (My health record) is a shared electronic summary of an individual’s health history. Security measures include audit trails so that patients can see who has accessed their medical records along with the time the records were accessed. Other measures include the use of encryption as well as secure logins and passwords. It is currently an opt-in system with a unique individual healthcare identifier (IHI) being assigned to participants and the option of masking and limiting the information available for viewing controlled by the patient or a nominated representative. Get more information here.
The key privacy protections provided by the PCEHR Act include the ability for a person to control which healthcare provider organization can access information in their eHealth record, closely defined limits on the circumstances in which information can be accessed outside of those controls, the ability to view an audit trail of all access to a person’s eHealth record, civil penalties for unauthorized access to eHealth records and requirements to report data breaches.
GDPR (General Data Protection Regulation)
Unlike other industry standards on this list, the GDPR (General Data Protection Regulation) law introduced by the European Union envisaged regulating data protection and privacy. The European Union says GDPR was designed to “harmonize” data privacy laws across all its member countries as well as provide greater protection and rights to individuals.
GDPR recognizes data concerning health as a special category of data called “sensitive data” and provides a definition for health data for data protection purposes. Though the innovative principles introduced by the GDPR (privacy by design or the prohibition of discriminatory profiling) remain relevant and applicable to health data as well, specific safeguards for personal health data and for a definitive interpretation of the rules that allows effective and comprehensive protection of such data have now been addressed by the GDPR. Read more here to know about the GDPR healthcare-specific regulations.
Health Information Privacy Code (1994)
To regulate the health information collected, used, stored, and disclosed by health agencies, New Zealand introduced the Health Information Privacy Code in 1994. All agencies that provide healthcare services are bound by the code. If you’re curious for more information on the healthcare privacy regulation in New Zealand, click here.
Healthcare privacy is a complex issue. There is a delicate balance between keeping patient data private and sharing it between medical professionals to improve the care needs of patients. A plethora of software applications are available in the market that handles healthcare information. Some of these applications such as health trackers, activity trackers, nutrition trackers, etc don’t fall in the ambit of healthcare privacy laws. It is up to the individual to be aware of the potential of their data and who is allowed access to it.
Experion Technologies has developed numerous healthcare applications that are compliant with healthcare regimes around the world, including HIPAA, GDPR, PCEHR, and the Health Information Privacy Code. For any information on how to develop applications that comply with the healthcare standards of your country contact firstname.lastname@example.org.