The one-size-fits-all approach is outdated: there are more avenues for healthcare providers and payers to engage with patients and future customers. Yet, problems with navigating patients’ interactions while respecting their data still exist.
According to the McKinsey report, patients are expecting a personalized engagement with a coherent customer experience throughout their healthcare journeys and coverage transitions.
Here are three considerations for ways HIPAA can navigate the intersection between personalization and data privacy while meeting regulatory requirements.
Understand the rules and regulations
HIPAA is constantly evolving since the Department of Health and Human Services (HHS) regularly adjusts the regulations to meet the needs of the digital age. There is a thin line between what is compliant and what is not. The HIPAA Privacy Rule gives individuals important control over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before their data can be disclosed and used for marketing.
Conduct a full digital compliance audit with HIPAA
There are 7 key areas that need to be taken into account:
- PHI/ePHI & backup storage. Good platforms should enable tracking data without collecting and processing ePHI or PHI (personal health information), but they should also make it possible to do so, under specific conditions. You have to take into account security of the data, types of PHI that are being collected and backup storage that should give you maximum recovery capability.
- Hosting types. There’s no dedicated HIPAA certification for hosting providers. It’s important to make sure that the vendor respects all the necessary precautions to stay HIPAA-compliant. For example, in case of cloud hosting, the important factors are physical location of the servers, certifications (ISO27001 and SOC2), independent audits and SLA.
- Business associate agreement (BAA). Is it possible to sign it with the vendor? Even once the BAA (Business Associate Agreement) is in place – customers should keep in mind that it requires regular updates to comply with the HIPAA Omnibus Rule.
- Data encryption and transmission. HIPAA doesn’t specify what types of encryption ensure compliance. However, the law takes into account a general technology advancement.
- Audit log and change log. This means being aware who can access the data. The audit log and efficient review process is a must.
- 100% data control. Vendors should be able to guarantee that they do not repurpose the data customers collect.
- Security review. Both customer’s teams and vendors need to be subject to regular review and education on recent HIPAA updates – it’s something that the legal department should coordinate. In the case of analytics vendors, regular audits and pen tests run by independent security researchers are a must.
Invest in appropriate data platforms (those that are able to sign BAA)
A business associate agreement, known as BAA, is a contract between a HIPAA-compliant organization and its business partners. It compels both parties to protect personal health information (PHI) and comply with the guidelines provided by HIPAA.
Under the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), any HIPAA-related business automatically becomes subject to audits by the U.S. Department of Health and Human Services (HHS) and can be held accountable for any data breaches or improper handling of data.
It is up to healthcare leaders and professionals to help navigate the thin line between patients’ personalization convenience and their right to data privacy.
Patients deserve to find information that is relevant to them and their specific health needs. The factors to achieve that goal require exploring nuances and understanding the individuals our healthcare system serves. With the right technology, safe and compliant use of information and a sprinkle of conscious creativity, we will ultimately reach the goal of patients’ personalization.
Photo: LeoWolfert, Getty Images
