
Short for the Health Insurance Portability and Accountability Act of 1996, HIPAA is a set of regulations that protect sensitive patient data in the healthcare field. In order to claim HIPAA Compliance, companies working with protected health information (PHI) must have the correct security measures in place to ensure that this data is properly safeguarded.
As technology has continued to develop, alongside patient expectations, the rules around how patients can access their records are changing. One important aspect of HIPAA is that patients must be able to receive a full copy of their records. However, in the mobile-first era, there are new requirements concerning the ease with which this should be possible.
New access rules
Earlier in 2021, fresh “information blocking” and health IT interoperability rules went into effect. These long-anticipated regulations, part of the 21st Century Cures Act, are intended to make it more straightforward for patients to access their records — including by way of smartphone apps — while also making it easier for organizations to share records that could be used to improve patient treatment.
Under the rules, healthcare providers and other relevant parties (such as the developers of certified health IT systems) must let patients access electronic health records via an application of their choosing. It’s a game-changing move and one which will not only empower existing entities working in this space, but also likely lead to a jump in the number of apps that are developed for accessing critical health information.
It is also likely to mean a steady increase in patients requesting access to their data in this way, instead of the traditional approach of having to request paper copies.
Potential security challenges
The Right to Access rules are great for patients, who ethically should have full access to the health information that concerns them. However, they also pose potential security challenges. Balancing the importance of patients being able to access their records against the equally pressing need for data security is a tough high-wire act to pull off.
Figuring out the correct blend of ease of access and the need to safeguard against unwanted intrusion isn’t unique to medical data and Right to Access regulations. It’s a challenge in a broad range of areas where convenience butts up against privacy, but the effects are particularly pronounced in this specific domain.
For ethical reasons, organizations dealing with personal medical information do not want to see that data exposed inappropriately as part of a data breach. Breaches can also result in reputational damage for the company in question: the last incident any company wants, let alone in such a sensitive domain. In addition, they face serious penalties under the law in the event of a breach. Such fines and disciplinary action can come from the Centers for Medicare and Medicaid Services (CMS) and the U.S. Office of Civil Rights (OCR).
Data security safeguards
There are multiple data security safeguards that companies working in this area can put in place alongside Right to Access. From an organizational standpoint, they should carry out regular audits to make sure that technical and administrative measures comply with the HIPAA rules on security and privacy. In addition, they must create clearly defined policies and procedures to maintain adherence to these rules, and carry out effective staff training. All steps taken to become HIPAA compliant must be documented, as should details of any organizations that PHI is shared with. Finally, they should ensure that processes are laid out for documenting breaches and letting those affected know what has happened, should such an event occur.
This organizational aspect must be accompanied by robust technological knowledge and precautions. Enterprises should know exactly where data is kept. Electronic protected health information (ePHI) can be kept on a server located on an entity’s premises or in a remote data center accessed via the cloud.
Whatever the arrangement, measures must be put in place so that only authorized personnel are able to gain access to the data. It is of utmost importance that the identity of the requestor is properly verified. Going forward, both companies and users must be aware of a likely uptick in social engineering attacks, such as phishing, that seek to gain illegal access to users’ valuable medical data.
The world is changing
This is still a new, developing area, and both companies and patients are learning together about the right balance and measures to take. However, this is an area of such importance that there is no excuse for mistakes. When it comes to handling the technical side of this, it’s essential to invest in the proper tools. Data masking solutions can help with confidentiality, while robust user access management measures will ensure that the right people — and only those people — are able to gain access to certain data.
This area is only going to become more important going forward as patients become, quite rightly, more empowered. Making certain that the right balance is struck now between Right to Access and data security is something every enterprise working in this area should strive to do. Patients everywhere will thank you for it.