In this fast-paced digital age, health data is becoming increasingly important to a variety of companies. Newly developed technologies are creating innovative ways for healthcare providers to interact with patients: AI can use symptom testing algorithms to diagnose illnesses, tech companies like Comcast, Facebook, Best Buy, and Apple are leveraging their assets and core competencies to get into the digital health care space, and fitness wearables and apps are finding new ways to utilize their large collections of digital health data. However, with the growing amount of fitness, biometric, and generic health data created, concerns for privacy protection are increasing. The goal of current extensive data collection is to expand accessibility, interoperability, personalization, and transparency with patients, and most consumers are willing to facilitate these benefits by sharing their data, provided they retain some level of control. Still, Health Insurance Portability and Accountability Act (HIPAA) legislation needs to be updated to adjust for modern guidelines and regulations. Making these legislative changes can balance benefits between consumers and organizations so that health data can be used to make a positive impact instead of only being sold for advertising or tracking consumer information.
The State of Digital Health Data Privacy Laws & Regulations
Personal health information handled by HIPAA-covered entities is characterized as being individually identifiable. This includes data about a patient’s physical or mental health condition, their treatment history, and any associated payment. The following acts and policies discussed pertain to legal protections in place for personal health information and digital health data privacy.
Protection of personal health information is currently controlled by HIPAA, even though 25 years have passed since the legislation was introduced. Some of these outdated guidelines have begun to cause issues. HIPAA focuses on regulating a small group of entities that manage health data, such as health care providers and hospitals, rather than protecting the data itself. This focus has made it difficult for patients to access their own health information. It has also limited the scope of research able to be conducted by outside entities because of lack of access to the abundant data held by protected entities. HIPAA does not protect the health information that patients may create for themselves via health apps and wearables, meaning that this limited government protection allows tech companies to own the data. Legislators have introduced bills such as the Stop Marketing and Revealing the Wearables and Trackers Consumer Health (SMARTWATCH) Data Act to try to patch these types of pertinent holes in HIPAA compliance coverage.
The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act was established to financially incentivize both tech companies and health care providers to transition to interoperable electronic health records systems and to assist with health data breach protocol. Under this act, if a data breach affects more than 500 individuals, a HIPAA-covered health care provider must notify the media. In all breach cases, the health care provider is required to alert the patient and the Health and Human Services Secretary. On the privacy side, the act limits use of personal health information to authorized uses and to the minimum amount needed for mandatory, job-related purposes. HITECH also requires that entities preemptively take action to protect digital personal health information from potential breaches of integrity or confidentiality and from unauthorized uses.
General Data Privacy Acts
The recent California Consumer Privacy Act has caused companies across industries to reconsider their data use policy in terms of consumer consent. Though this act was not specifically implemented to protect health data, it can still generally assist in reducing health data use without patients’ knowledge in cases not typically covered by HIPAA. Additionally, the European Union’s General Data Protection Regulation can provide additional coverage for non-HIPAA personal digital health data in some cases, similar to the California Consumer Privacy Act. A separate connected device security law enacted in California in January requires manufacturers of items such as wearables, home health devices, and smart meters to include security measures that protect against cyberattacks on private information, though this act does not pertain to medical devices.
Government Involvement in Interoperability
Enabling digital health data privacy through legislation has been a bipartisan goal over the past decade, and the Trump administration recently enacted regulation through the ONC to increase patient accessibility to their own data. This effort could increase treatment efficiency by allowing electronic transfers of personal medical data to patients, health care providers, and other related entities. Health information systems have only gained access to data sharing in recent years, even though data has been stored digitally for a decade, exemplifying the bottleneck that data protection has created. Increasing patient access to digital health records will enable interoperability, with synchronous system communications and the ability for patients to share their data with third-party apps. This new rule could also make medical devices that connect to third-party applications more appealing, since data sharing would be easier.
Individual state legislation, however, will continue to make efficient data regulation difficult if a national standard is not set soon. Recently, a new bill was introduced to push for the FTC to create a national policy to assist with compliance for organizations in control of personal health data. Many bills like this one exist but have yet to move toward committee consideration, which has been another hurdle in revising HIPAA compliance and coverage capacity.
Breaches and Risk Considerations for Life Sciences Companies
Almost 1,500 health care companies have been targeted for ransomware or other cybersecurity attacks since 2016, impacting 6.6 million patients. With costs of approximately $157 million and studies showing that sensitive information breaches are associated with increased mortality, this issue is something that health care providers as well as biopharma and medtech manufacturers need to consider as a major threat to their company and to the patients using their products. Costs per breach average around $406 per record, and the medical device manufacturer is almost always the party held accountable for device breaches.
The FDA has provided cybersecurity guidance for biopharma and medtech companies, explaining that these entities are responsible for mitigating any potential cybersecurity risks through device or mobile app design, with the risk of remote control of medical devices growing as one of the more prominent concerns. Both small and large companies face risk of cyberattack, so all organizations should consider taking measures to implement cybersecurity monitoring systems. By storing more sensitive data now than ever before, medical device and biopharma organizations are at increasingly high risk of targeted cyberattacks. Because of this, hospitals are seeking proactive medical device security from companies, with preference for entities that practice transparency in disclosing any potential vulnerabilities in their products.
Clinical trials that send information digitally often have a large population of participants, providing highly valuable data that also increases the threat of attack for biopharma and medtech companies. Using cloud-based platforms to store and manage accumulated device and app-based health information, even if de-identified, can increase vulnerability. Any data breaches can risk a company’s reputation and patient progress or outcomes, and slow or halt product advancements. Therefore, the FTC is taking responsibility for holding medical device and biopharma manufacturers accountable for any privacy or security policies promised to customers, especially surrounding cases involving health data not protected by HIPAA.
Other research found that stripping data of personal identifiers may not be enough protection, as machine learning proved able to re-identify 95% of the individuals in the study. This means that manufacturers and developers must take on much of the responsibility for protecting patients’ personal health information from both an internal and external perspective, as well as evaluating which security measures suit the different types of health data they hold.
Compliance and Future Considerations in Digital Health Data Privacy
Because a variety of health data privacy policies are currently being developed across multiple levels of government, patients may gain access to data rights while biopharma and medtech companies face increasing compliance challenges. The HITRUST Common Security Framework can be used to ensure company adherence to policy and guidelines on a global scale. Additionally, since interoperability has proven to be increasingly impactful, it will be important for companies in the biopharma and medical device industries to educate their consumers on the major research and development benefits that sharing personal health information can provide.
Contributions by Courtney Loughran.