The use of new technologies such as digital health applications, telemedicine, and information exchanges can provide game-changing benefits for providers and patients alike. However, with increased sharing comes increased risks to both the security and the privacy of patient information.
Most digital health and telemedicine companies are aware of data security and breaches. However, an arguably more important compliance area is the intentional sharing of protected health information (PHI) with third parties, whether for data mining, research, or marketing purposes. Because data sharing and data mining will only continue to grow across the health care industry, providers and vendors must understand when and how they can share PHI, including monetization opportunities, and when they must obtain the patient’s express authorization. This article highlights some key privacy laws and rules digital health and telemedicine companies should consider before sharing, mining, or monetizing patient health information.
Data Sharing and Data Mining: A Cornerstone of Healthcare AI and Machine Learning
Uncertainty about big data opportunities can leave companies either unnecessarily fearful of sharing their patients’ PHI or, conversely, overly lax and eager to share it. Data mining, which allows providers to discover patterns and extract connections by examining large data sets, can benefit patients as a whole because it makes certain services more precise and powerful. Consider, for example, how genetic counseling becomes more effective when more data is mined from patients with diseases and chronic illnesses. A recent report by HFMA and Humana showed 70% of providers believe seamless health data sharing is essential to success under value-based care models. Similarly, a Pew Research survey indicated that while Americans are sensitive about maintaining their personal information, 52% would find healthcare data sharing acceptable. Interoperability of shared data is one of the most important aspects of this industry trend.
Even Bruce Greenstein, Chief Technology Officer of the Federal Department of Health and Human Services, pledged at HIMSS18 to share more health data between federal departments and with the public. “The American people own the data that is in HHS, not a bureaucrat that has been there for 20 years and thinks that they have the control because other people might misuse it,” he said. “People outside of our building will do much better things with it than we are doing with it alone right now.” Data sharing must be done in a meaningful, cohesive manner. Shared data must be readable, usable, and available to other providers. As data sharing becomes more accepted throughout the health care industry, companies must take steps to ensure their data sharing complies with state and federal regulations which protect patient privacy and the choice not to share PHI.
Health Data Mining and Sharing Under HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law which governs the use and disclosure of PHI by covered entities, defined as health plans, health care clearinghouses, and health care providers who electronically transmit PHI. The general rule is that PHI cannot be disclosed without the patient’s authorization. However, certain uses and disclosures of PHI for treatment, payment, and health care operations (TPO) do not require patient authorization if the TPO conditions under HIPAA are met. Fortunately, many data sharing arrangements can be structured to meet the TPO exception and therefore would not require the patient’s authorization. Even if a provider shares PHI under the TPO exception, it must still comply with minimum necessary disclosure requirements, agreed upon patient restrictions to the use and disclosure of PHI, and other state laws which may be more stringent in how providers can share patient data. We discuss the use of de-identified data below.
Monetizing Health Data and Using Patient Information for Marketing
As with many things, the rules get more complex – and restrictive – when money gets involved. If PHI is shared (or even used) in exchange for remuneration or for marketing purposes, additional requirements must be met. This sometimes includes the requirement that the provider obtain the patient’s express authorization to use or share the data, even if the disclosure would otherwise have met the TPO exception. For example, if the covered entity receives payment for sharing the data, that disclosure no longer meets the TPO exception. In that case, the covered entity must obtain a valid patient authorization that specifically states the disclosure will result in remuneration to the covered entity. The same holds true for uses or disclosures of PHI for marketing purposes (e.g., a third party vendor wants to pay the provider to send an email blast to a select group of the provider’s patients).
A practice pointer regarding authorizations: An authorization is not the same thing as patient consent. An authorization is a detailed document that gives covered entities permission to use PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. A valid authorization must specify a number of elements, including a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date or event, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
Data Sharing in Research or Clinical Trials
HIPAA contains specific rules related to the use and disclosure of patient data for research or clinical trials. For example, if PHI is used for research or clinical trials, providers must either obtain a waiver of authorization from an Institutional Review Board or privacy board, receive an authorization from the individual to create a research repository, use the PHI through the collection and use of a limited data set, or use the PHI through the collection and use of de-identified information. Data is de-identified by removing individually identifiable health information from patient information, leaving no reasonable basis to believe that the de-identified information can be used to identify an individual. Under HIPAA, de-identified information is not considered PHI and is therefore not subject to HIPAA’s privacy regulations. However, de-identification of data is not a turnkey solution to privacy and security compliance, and there are use cases and applications where it is beneficial to use the complete PHI data set.
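To make the de-identification step concrete, here is an added Python example (not code from the article or from any vendor it mentions) that applies the HIPAA Safe Harbor method of 45 CFR 164.514(b)(2), which the article does not name but which is one of the two de-identification routes the rule recognizes: the listed identifier categories are dropped, dates are reduced to the year, ZIP codes are truncated to three digits, and ages over 89 collapse into a single "90+" bucket. The record layout, field names, the reference date, and the low-population ZIP3 set are all constructed for illustration; a real implementation would load the ZIP3 list from current Census data and would not rely on regex alone to clean free text, which is exactly the sense in which de-identification is not a turnkey solution.

```python
import re
from datetime import date

# Fields removed outright. These are constructed field names that map onto the
# identifier categories in 45 CFR 164.514(b)(2)(i) (names, geographic units
# smaller than a state, contact details, SSN, MRN, account and device numbers,
# URLs, IP addresses, biometrics, photos).
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "precinct",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo",
}

# ZIP3 prefixes whose combined population is 20,000 or fewer must be reported
# as "000". Placeholder set for illustration only; load the real list from
# current Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203"}

# Identifiers that commonly leak into clinical free text. Best effort only:
# these patterns do not catch names or unusual formats.
_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:MRN|Acct)[:# ]*\d+\b", re.I), "[ID]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def safe_harbor_zip(zip5):
    """Keep only the first three digits, or "000" for low-population areas."""
    if not zip5:
        return None
    zip3 = zip5[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def year_only(iso_date):
    """Reduce an ISO date (YYYY-MM-DD) to its year; month and day are dropped."""
    return int(iso_date[:4]) if iso_date else None


def cap_age(age):
    """Ages over 89 collapse into one "90+" category."""
    return "90+" if age is not None and age >= 90 else age


def scrub_free_text(text):
    """Regex redaction of obvious identifiers in notes (heuristic, not complete)."""
    for pattern, label in _PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, as_of=date(2018, 6, 1)):
    """Return a Safe Harbor de-identified copy of a flat patient record.

    as_of is a constructed reference date used only to derive the age bucket.
    """
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue                                   # identifier: drop entirely
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field == "date_of_birth":
            out["birth_year"] = year_only(value)
        elif field.endswith("_date"):                 # admission_date, discharge_date, ...
            out[field[:-5] + "_year"] = year_only(value)
        elif field == "notes":
            out["notes"] = scrub_free_text(value)
        else:
            out[field] = value                         # clinical data is retained
    if out.get("birth_year") is not None:
        age = as_of.year - out["birth_year"]
        if age >= 90:
            out["birth_year"] = None                   # a year revealing age > 89 must go too
        out["age"] = cap_age(age)
    return out


# Constructed, fictional sample record.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "0012345",
    "date_of_birth": "1927-03-14",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "email": "jane@example.com",
    "admission_date": "2018-05-02",
    "diagnosis_code": "E11.9",
    "notes": "Pt reached at 555-123-4567, MRN 0012345, seen 05/02/2018.",
}

if __name__ == "__main__":
    from pprint import pprint
    pprint(deidentify(SAMPLE))
```

Two design points matter in practice. First, the rule treats a birth year as an identifier once it implies an age over 89, so the code blanks the year as well as bucketing the age. Second, the free-text scrubber is the weak link: a note that names the patient or a relative passes through untouched, which is why a production pipeline would pair this with a reviewed list of fields that are never exported, rather than trusting regexes over narrative text.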
What If I’m Not a Covered Entity?
Not all digital health or telemedicine companies are covered entities under HIPAA. But even if HIPAA does not apply, state law still applies, and can cover information broader than just PHI. In addition to patient privacy protections under federal law, it is also important to be aware of state law restrictions, which are often broader, more nuanced, and more stringent than the requirements under HIPAA. Federal and state privacy laws must be read together in harmony, applying the most stringent provisions from each in the event of a conflict. Additionally, there may be unique requirements related to patient authorizations or breach notifications across all 50 states, including reduced notification timelines. There may be other nuances such as California’s 14-point font requirement. Moreover, the nature of the clinical records affects the applicable privacy and security laws. Mental health treatment records, substance abuse records, and HIV diagnoses are typically considered ultra-sensitive records which require providers to take additional actions to maintain their privacy. For these reasons, many digital health and telehealth companies voluntarily choose to follow the HIPAA guidelines, even if they are not formally a covered entity.
Cyber Attacks vs. Deliberate Privacy Violations
Most cybersecurity experts concur that no company’s data security is absolutely impenetrable. Addressing ransomware and hack-based breaches, including developing a cybersecurity incident response plan, has become part of doing business in the healthcare industry. These are essential compliance considerations. While big data breaches make the headlines, and sometimes result in government settlements, the public can be forgiving of providers, particularly if the data breach was a cyber-attack not attributable to carelessness.
In contrast, there has yet to be a notable HHS Office of Civil Rights settlement based on a covered entity sharing/selling PHI to a third party without first obtaining proper patient authorization. When such an event occurs, the public may be less likely to forgive and forget, as the company made a deliberate decision to sell patient data without authorization, and was not the victim of a cyber-attack. The White House’s FY 2019 budget cut OCR funding by approximately 20% compared to last year, which leaves some uncertainty as to the level of enforcement actions. However, protection of patient privacy is not only important to the federal government, it is important to many patients who feel they should own and control their health data.
Outside OCR, the FTC has issued fines and settlements against online health companies for improper online privacy practices based on the notion they are “unfair and deceptive acts or practices.” The two primary concerns in this niche are: 1) truthful advertising of the health app’s capabilities, and 2) transparent privacy practices regarding user data. Fortunately, the FTC has published a number of helpful resources for health technology companies, including Best Practices for Mobile Health App Developers, Marketing Your Mobile App, and the Mobile Health Apps Interactive Tool.
The opportunity for big data to drive transformative healthcare solutions is evident, but the challenges in achieving that opportunity – whether technical, institutional, operational, or legal – are complex. The regulatory landscape, which seeks to limit the misuse of confidential health information and protect legitimate privacy and security concerns, must be navigated by those digital health or telemedicine companies seeking to mine or monetize health care data.