Protecting Patient Records in 2019 and Beyond

A program called MyHealthEData was unveiled in 2018. Through this program, the US Centers for Medicare & Medicaid Services (CMS) is promoting the adoption of IT environments that allow simpler sharing of health data to outside organizations, as well as better access. The CMS will also allow easier access to claims data by medical beneficiaries.

While MyHealthEData is a fairly new program, its goals are not. Issues of access and interoperability are central to healthcare security and management. This initiative is part of a broader cultural and technological moment, in which there is an increased desire to allow patient sharing to third-party apps, along with strengthening discussion about making historical health data available anywhere a patient is treated. This strategy could become critical for public health, linking patients to health treatments that might be most powerful for them. De-identified patient data can be a powerful means to improve care, but the threats related to big data are manifold.

In this climate, it is important to consider the protections that should be in place for the protection of HIPAA data, both today and in the future.

Patient safeguards for today
A report published in 2017 by the Journal of Medical Systems reviewed the most common HIPAA compliance security methods recommended in research articles. Below, these methods are organized according to the three types of protections mandated by the Security Rule – technical, physical, and administrative safeguards.

Technical safeguards:

• Access controls to prevent unauthorized access;
• User IDs and passwords;
• Simple passwords for backup systems;
• Personal and role-based authentication;
• Pseudonymity;
• Firewalls;
• Antivirus software;
• Mobile agents;
• Encryption through cryptography (digital certificates, digital signatures, and encryption algorithms);
• RBAC Matrix cryptography protocol;
• Decryption and verification;
• Data discard;
• Authenticated assertion issuances;
• Data transmission that meets ANSI/AAMI/IEC TIR80001–2-1:2012 and similar risk management standards;
• Fax transmission encryption via privacy enhancing technology (PET);
• Cloud computing (hybrid cloud integration); and
• Use of short-range wireless (Bluetooth).

Physical safeguards:

• Locks on laptops;
• Physical access controls, including locked spaces for network servers;
• Tamper-proof equipment;
• Security cameras; and
• Radio Frequency Identification (RFID).

Administrative safeguards:

• Full employee training programs (with game-based education), including regarding disaster recovery, response training for missing records, and prevention of unauthorized patient record disclosure via email;
• Full security plans, including monitoring and testing practices;
• Annual risk assessments;
• Hiring a Chief Information Security Officer (CISO);
• Hiring HIPAA consultants;
• Policy of manager approval related to any releases of paper patient data;
• Requirement that prohibits wireless devices for PHI storage or transmission;
• Policy on how to use social media in a HIPAA-compliant manner;
• Deidentification of research samples;
• Prevention of offsite ePHI transfer;
• Mitigation of alert fatigue;
• Routine backups;
• Generators for downtime prevention;
• Duplication of key hardware;
• Requirement of computerized provider order entry (CPOE) for any order;
• Restrictions on the interaction of ancillary systems, such as pharmacy management, with mission-critical environments;
• Fostering of a security culture, with strong computer habits;
• Digital signatures for any of the organization’s documents; and
• Business associate agreements with all cloud and other third parties.

Patient safeguards for tomorrow
Maintaining HIPAA compliance requires reasonable and appropriate measures, given the changing threat and technology environment. Approaches to HIPAA compliance that will become increasingly of use to organizations for HIPAA compliance in the future include advanced analytics, custom security infrastructure, the Gartner method of continuous risk and trust assessment (CARTA), and blockchain, among others.

Beyond the technology and approach options that are newly available to you, it is also important to consider how patient behavior and expectations are evolving. Patients have the right to their own ePHI at any time. That means they can copy their information, even from your computer screen, without signing an authorization. Once their ePHI is in their hands, the patient is accountable for safeguarding it. Providers worry that they could be expected to protect information that they are not controlling. Doctors also are concerned because they have traditionally been in charge of health information, but today, patients often want control, which means they need access to their complete records.

As indicated by ISACA member and health technology writer Susan Snedaker, studies “show that engaged and informed patients have better outcomes.” Since that’s the case, you want to provide this access.

This broader access to patient records and diversification of environments is certainly a challenge for HIPAA compliance, though, as indicated by a July study that highlighted the limitations of HIPAA’s scope. The analysis, written by attorneys Glenn Cohen and Michelle M. Mellow, Ph.D., found that the law was geared toward traditional environments and interactions – only encompassing a small portion of all digital health data. Other key data related to healthcare is available through search engines, supermarkets, and credit card firms. Examples of data through which people can infer that a person has an illness include over-the-counter purchase data from drugstores, user-generated posts on social media, and purchase data from online stores.

“The amount of such data collected and traded online is increasing exponentially and eventually may support more accurate predictions about health than a person’s medical records,” noted Cohen and Mellow.

Given how powerful this data is, it is likely that compliance will eventually turn toward incorporating other forms of information under the healthcare law.

Internal and external compliance
The steps an organization needs to take to protect its ePHI today are extensive. As security technologies and the threat environment continue to adapt, the specific methods will change. However, a core concern with and focus on security will remain at the cultural core of organizations serious about HIPAA compliance.

It is not just about what is going on within your organization but also about managing relationships with your vendors. Be certain that your business associates are ready for compliance today and tomorrow, as indicated in strong business associate agreements that indicate their knowledge of this law and commitment to meeting its provisions.