Data Privacy and Governance in Healthcare
- ali@fuzzywireless.com
- Mar 4, 2022
- 2 min read
Data privacy in the health care industry is governed by the regulations set forth under the Health Insurance Portability and Accountability Act (HIPAA) (HHS, 2018). The law prohibits sharing protected health information without the patient's consent. Protected health information covers an individual's present, past or future physical or mental health condition and the present, past or future provision of health care to the individual, together with identity information that can be used to recognize the individual, such as name, address, date of birth, and social security number. Anonymization (de-identification) of protected health information is achieved either through a determination by a qualified statistician or by removing specific identifiers from the data (HHS, 2018).
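The second de-identification route described above, removing specific identifiers, as an added example that is not code from the original post. It assumes flat patient records with the constructed field names shown; besides dropping the identifiers the post names, it keeps only the year of the date of birth and masks SSN patterns in free text, and it includes a check that a record is clean before it is shared.

```python
"""Identifier-removal de-identification of patient records (added example)."""
import re

# Direct identifiers named in the post: dropped entirely.
DIRECT_IDENTIFIERS = {"name", "address", "ssn"}

# Free text may leak an SSN even after the structured field is dropped.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "Jane Roe", "address": "1 Main St", "ssn": "123-45-6789",
     "dob": "1950-06-15", "age": 92, "diagnosis": "hypertension",
     "notes": "Patient SSN 123-45-6789 verified at intake."},
    {"name": "John Doe", "address": "2 Elm Ave", "ssn": "987-65-4321",
     "dob": "1977-01-02", "age": 45, "diagnosis": "asthma", "notes": "Follow-up."},
]


def deidentify(record: dict) -> dict:
    """Return a copy of `record` with identifiers removed.

    - name, address, ssn: removed outright.
    - dob: reduced to the year only (dates other than year are identifiers).
    - age: ages over 89 are collapsed to "90+" (small population, re-identifiable).
    - notes: SSN-shaped strings are masked.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            out["birth_year"] = str(value)[:4]
        elif key == "age":
            out["age"] = "90+" if int(value) > 89 else int(value)
        elif key == "notes":
            out["notes"] = SSN_RE.sub("[SSN REMOVED]", str(value))
        else:
            out[key] = value
    return out


def contains_identifiers(record: dict) -> bool:
    """Release gate: True if a direct identifier field or SSN pattern remains."""
    if DIRECT_IDENTIFIERS & set(record):
        return True
    return any(SSN_RE.search(str(v)) for v in record.values())


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        clean = deidentify(rec)
        print(clean, "clean" if not contains_identifiers(clean) else "LEAK")
```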
Similarly, the HIPAA Security Rule sets out the security standards for protecting electronic protected health information that is stored or transferred in electronic form (HHS, 2018). The Security Rule applies to health care providers, health care clearinghouses, health plans, and similar covered entities. The general rules for safeguarding health information encompass administrative, technical and physical practices that ensure confidentiality, integrity, availability, breach handling and compliance while health information is created, stored and transmitted. Administrative safeguards include designating security personnel, periodic evaluation, information access management, a security management process, and workforce training and management. Physical safeguards include facility access controls along with workstation and device security. Technical safeguards require strict access control, encrypted transmission, integrity controls and audit controls. HIPAA mandates risk analysis and risk management under the Security Rule: evaluate risks, implement the security measures identified by the risk analysis, document those measures, and maintain continuous security protections. In the event of a breach, HIPAA mandates reporting the breach without delay. Penalties imposed for HIPAA violations fall under four categories (HIPAA Journal, 2018):
1. Tier 1 (lowest): unaware of the HIPAA violation while exercising due diligence
2. Tier 2: knowingly violating HIPAA laws
3. Tier 3: willful neglect of HIPAA laws, with corrective measures taken
4. Tier 4 (highest): willful neglect of HIPAA laws, without corrective measures (HIPAA Journal, 2018)
Some of the cyber security best practices recommended by Ntiva (2018) for protecting sensitive health care data include automated software patching and updates, an employee training program, IoT device tracking, strict access control, network segmentation, leveraging AI-driven technologies, implementing an incident response plan, data encryption, data loss prevention, and mobile device management.
References:
HIPAA Journal (2018). Health data breach statistics. Retrieved from https://www.hipaajournal.com/healthcare-data-breach-statistics/
HHS (2018). Summary of the HIPAA Security Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
HHS (2018). Summary of the HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html