The one-size-fits-all approach is outdated: healthcare providers and payers have more opportunities than ever to engage with patients and prospective customers. Yet challenges remain in navigating patient interactions while respecting their data.
According to a McKinsey report, patients expect personalized engagement with a consistent customer experience throughout their healthcare journeys and coverage transitions.
Here are three considerations for navigating the intersection between personalization and data privacy under HIPAA while meeting regulatory requirements.
Understand the rules and regulations
HIPAA is constantly evolving as the Department of Health and Human Services (HHS) regularly adjusts regulations to meet the needs of the digital age. There is a fine line between what is compliant and what is not. The HIPAA Privacy Rule gives individuals important control over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual's written permission before their data can be used or disclosed for marketing.
Perform a full HIPAA digital compliance audit
There are 7 key areas to consider:
- PHI/ePHI and backup storage. Good platforms should allow data tracking without collecting or processing PHI or ePHI (protected health information and its electronic form), but should also allow this to be done under certain conditions. You need to consider data security, the types of PHI being collected, and backup storage that gives you maximum recovery capability.
- Types of hosting. There is no specific HIPAA certification for hosting providers, so it is important to make sure the vendor is taking all the necessary precautions to remain HIPAA compliant. For example, in the case of cloud hosting, the important factors are the physical location of the servers, certifications (ISO 27001 and SOC 2), independent audits and SLAs.
- Business Associate Agreement (BAA). Is it possible to sign one with the supplier? Even after a BAA is in place, customers should note that it requires regular updates to comply with the HIPAA Omnibus Rule.
- Data encryption and transmission. HIPAA does not specify which types of encryption ensure compliance. However, the law takes general technological progress into account.
- Audit log and change log. This means knowing who has access to the data. An audit log and an effective review process are a must.
- 100% data control. Providers must be able to guarantee that they do not repurpose the data their customers collect.
- Security overview. Both client and vendor teams should be subject to regular review and training on the latest HIPAA updates, which the legal department should coordinate. In the case of analytics providers, regular audits and pen tests conducted by independent security researchers are mandatory.
Invest in appropriate data platforms (those that can sign a BAA)
A business associate agreement, known as a BAA, is a contract between a HIPAA-compliant organization and its business partners. It obliges both parties to protect protected health information (PHI) and follow the guidelines provided by HIPAA.
Under the HITECH Act (Health Information Technology for Economic and Clinical Health Act), any HIPAA-compliant business automatically becomes subject to an audit by the US Department of Health and Human Services (HHS) and can be held liable for any data breaches or unlawful data processing.
Healthcare leaders and professionals must help navigate the fine line between the convenience of personalization for patients and their right to data privacy.
Patients deserve to find information that is relevant to them and their specific health needs. Achieving this goal requires examining the nuances and understanding the people our health care system serves. With the right technology, safe and compliant use of information, and a dash of conscious creativity, we will eventually achieve the goal of personalization for patients.