Change is coming to protect healthcare data privacy  as the industry continues to evolve in new ways that existing legislation has not addressed. As discussed in Data Privacy: Preparing for the Future of Healthcare Privacy, there are a variety of industry and technological advances that are pressuring lawmakers to shift the way that data is protected in healthcare.

Prior legislation focused on which types of organizations and datasets were in scope of the law and protected, while newer privacy laws outside of healthcare indicate that the next step is likely to include protection of the data itself and the rights of the patient.

Historically Protected Data and Affected Companies

Historically, health data were collected within healthcare systems and stored in specialized datasets. As individuals moved through health care systems, they interacted with healthcare providers, which would lead to the collection of data about the patient, the services they received, and their clinical outcomes. A traditional health data collected might information like:

• Basic demographics (name, DOB, age, weight, ethnicity)
• Vital signs
• Medications
• Procedures
• Diagnoses
• Allergies
• Lab results
• Biometric identifiers (fingerprints, retinal prints, etc.)

Everything above would be considered protected health information (PHI) and covered under HIPAA, when collected by a “covered entity”. Any organization that meets this definition and violates data privacy laws by releasing or misusing PHI would be penalized under HIPAA by way of fine or criminal prosecution.

However, once PHI is de-identified, separating personally identifiable information (i.e. name, phone number, email address, DOB, etc.) from protected health information, covered entities and partners no longer need to adhere to HIPAA.

Vulnerabilities with de-identified Datasets

Organizations would then be able to utilize this de-identified data for research, marketing, or monetization. Organizations, such as insurance providers or electronic health record (EHR) vendors, can aggregate, de-identify, and then commercialize health data on secondary markets by selling it to research firms, pharma companies, universities, etc.

However, it’s been proven that this typical data privacy safeguard may not be as reliable as once thought. Research has shown that it is possible to use de-identified data, combine it with another comprehensive data set, and re-identify individuals.

A recent example is Cambridge Analytica combining voting records with Facebook user data to produce targeted ads. In terms of health data, a researcher at Carnegie Mellon used de-identified health insurance records (purchased through an insurance company) and local voting records to properly identify the governor of Massachusetts.

Vulnerabilities continue to exist even with anonymized data. Modern day consumer health data is similar to traditional health data collected in the healthcare system. It can include demographics, vital signs (like heart rate and blood pressure), activity level, and diet, but is collected outside of the healthcare system and the umbrella of HIPAA.

The Rise of Personal Health Aggregation

The advent mobile health tracking with fitness trackers, smart watches and smart phones has given companies like Google, Apple, Samsung, and others access to this personal information as nontraditional health data handlers. Because they are not defined as covered entities, the consumer’s consent allowing companies to collect, store, and utilize these types of data is not covered by the law.

As an example, Fitbit, requires a name, email, password, DOB, gender, height, and weight to create an account. 2 Users choose to provide food logs, weight changes, sleep, water consumption, and female health tracking. The device itself is able to collect/estimate number of steps taken, calories burned, heart rate, sleep stages, geolocation, etc. For providing this data to Fitbit, they offer services to give sleep insights, personalized exercises, and activity goals.

While Fitbit does state that none of the information collected is ever sold, that is still a considerable amount of personal health data that can be used by Fitbit and its partners.
Amazon’s 2018 acquisition of PillPack, giving them access to insurance co-pays and records for their user base. 3 Microsoft’s cloud division Azure is competing with Amazon AWS and Google to store medical records in the cloud, even though they have not commented on how patient data would be part of their business or how they plan to protect it. 4 And, even after being embroiled in several data privacy scandals, Facebook launched the Facebook Preventative Health tool that uses profile data and basic demographics to recommend tests and treatments to users.

The collection and use of health data aren’t restricted to big tech companies. Small developers and start-ups can create health and wellness apps in the Google Play Store or Apple App Store and are not governed by federal patient data privacy and security regulations. These organizations possess far fewer resources to protect potentially sensitive data. An article from WSJ exemplifies this, as the author downloads a pregnancy tracking app and quickly started to receive targeted ads for maternity wear on Instagram, even though there was no business relationship between the app developer and maternity clothing line.

Benefits of being a Healthcare Data Privacy Leader

Although there is not yet an exact date on the next wave of healthcare data privacy regulation, there are still important advantages to being a first mover. Companies can begin to implement technology and policies to get out in front of data privacy in their industry. This will allow them to spread the cost of compliance out over a longer period and become more prepared to adjust to the specifics of the eventual regulation.

These investments will also help build consumer trust and brand loyalty in the short and long term. Personal data privacy, especially online, is a topic top-of-mind for consumers. A Pew Research survey found that 91% of Americans believe people have lost control over how their information is collected and used online, while 74% believe it is very important to be in control of who can get their information.

Consumers are making it known that data privacy is an important factor when they engage with companies and it is an opportunity for companies to build long-lasting loyalty. Companies that emphasize data privacy and preemptively refine their policies will begin the process of building trust. They will also be the best prepared for regulation and their leadership in compliance will solidify their track record as an organization that protects their customer’s most personal information.

Omada Health, a health-tech vendor founded in 2011 who specializes in digital therapeutics, has taken a proactive approach to patient data privacy and has seen it contribute directly to their success. Omada uses the same standards to protect patient data in their application as traditional HIPAA covered entities have used to protect PHI. They will not sell deidentified data, a common practice of health apps and direct to consumer health companies.

Sean Duffy, CEO and co-founder of Omada, emphasizes that “patients want to focus on getting better, not having to constantly check their privacy settings” and “keeping compliance [at the company’s] core” is critical to success when operating in the healthcare industry. 9 Omada is finding significant success capitalizing on the rapid growth of digital health while continuing to prioritize the bedrock patient privacy principles of the healthcare industry to build a foundation for long-term success.

Begin your Healthcare Data Privacy Leader Improvement Process

As we continue to see expanded regulation and consumer demand for data privacy and protection it is critical companies begin to prioritize improvements and investments in the space.

Companies should begin by reviewing their current privacy policy and healthcare data privacy leader lifecycle management process. They need to be sure they can answer the following questions:

• What data is being collected and stored?
• Why is specific data collected, how is it used, and with whom is it shared?
• How long is the data stored?
• What steps have been taken to secure stored data and ensure deidentified personal data is not share inappropriately?
• What process for responding to a data breach?

If companies cannot rapidly answer the above questions, they do not have a clear data privacy policy and should assess their current data lifecycle management, data governance, and compliance processes. Compliance requires a clear understanding of the current state before improvements can be made.

After successfully assessing their current state, companies should think about steps they can implement to stay agile and respond to changing data privacy regulation. This ensures clear goals and milestones to work towards, while maintaining the flexibility to adapt to unforeseen changes. Companies who actively prioritize being a healthcare data privacy leader and data privacy in general to stay ahead of the curve will be best prepared to succeed.

Contributions by Kevin Merchak and Alex Schneider.