The Privacy Advisor | The Difficult Issues of Healthcare Privacy Practice

“State healthcare laws are all over the place; it is fun; it’s why we’re all here,” said Web Hull, CIPP/G, CIPP/US, privacy, data protection and compliance advisor at Iron Mountain Information Management. He and three other healthcare privacy professionals came together to discuss the basic tenets and developing issues of the field at a preconference workshop at this month's IAPP Global Privacy Summit in Washington, DC. The workshop, “Healthcare Privacy—Diagnosis vs. Prognosis of Hot-Button Topics in Privacy,” surveyed the issues that healthcare privacy professionals struggle with every day and will struggle with in the days to come.

As Hull suggested, one of the biggest struggles is caused by the varying healthcare law regimes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) began the regulation of electronic protected health information (ePHI). Detailed privacy and security rules under HIPAA were not promulgated until 2003, and these rules alone do not represent the totality of the regulation of ePHI in the U.S. HIPAA allows for further regulation at the state level, so a healthcare provider may have to comply with different privacy laws even within the U.S. HIPAA sets only a minimum standard for ePHI, which has invited many states to create further, more stringent regulation.

If that is not problematic enough, Debra Bromson, senior corporate counsel at Jazz Pharmaceuticals, pointed out that even at the federal level in the U.S., “the government has yet to harmonize its guidance.” There are four agencies that may potentially enforce privacy actions in the healthcare field. The Federal Trade Commission has the power to regulate and enforce privacy promises under its authority over unfair and deceptive practices. HIPAA grants the Office for Civil Rights in the Department of Health and Human Services authority to enforce privacy rules in healthcare, with maximum penalties of up to $1.5 million for one type of violation. Recently, even the Food and Drug Administration has stepped into privacy regulation, issuing guidance documents for “low risk” wellness devices such as smart wristbands and other activity- and health-monitoring technologies.

Bromson also suggested that these low-risk wellness devices could be subject to regulation by the Federal Communications Commission if they use the radio spectrum, which many of them do. With several different regulators at the federal level, it is hard for “covered entities” (the healthcare providers, insurers and “business associates” regulated by HIPAA) to know where to seek guidance and what will be enforced. The increasing prevalence of health-related apps that collect and use ePHI creates further difficulties for covered entities attempting to comply with all the different regulations.

“There are over 100,000 health-related apps,” said Valita Fredland, CIPP/US, CPO at Indiana University Health, “since I’ve said that there are probably 110,000.” These health apps do not fall under HIPAA regulation until they are used by a covered entity, such as a healthcare provider or insurer, to provide care or insurance. That being said, most of these apps are made by developers without any thought to HIPAA privacy regulation, or to any regulation for that matter. With 90 percent of clinicians using health-related apps in their daily practice, covered entities have to choose apps carefully, paying close attention to what information is being collected and how it is being protected.

Fredland also spoke about the growing tension between two ideals in the field of medical treatment. “Evidence-based medicine” is a concept that is becoming increasingly popular in healthcare. “The more providers know about a population assigned to them, the better they will take care of their population,” said Fredland. By using medical-related data for research to find trends and patterns, healthcare providers can better predict and treat health problems in their patients. The potential of evidence-based medicine led Fredland to suggest, “If we could get the Google, Microsoft and Apple information, we would know more than them and be able to use it to provide better care.”

Valita Fredland, CIPP/US, Indiana University Health chief privacy counsel/officer

However, all the promise of big data is in direct conflict with privacy regulation that greatly limits the use of ePHI. Evidence-based medicine has great potential, but the regulation of ePHI makes it extremely difficult to aggregate all the evidence. Although search engine companies like Google collect health-related information all the time through search history, the use of this type of information by covered entities under HIPAA is a difficult legal issue that has yet to be explored fully.

Another major issue healthcare providers are facing, along with many other businesses, is the bring-your-own-device (BYOD) phenomenon. “We are only seeing the beginning of the issues with BYOD,” explained K Royal, CIPP/E, CIPP/US, privacy counsel at Align Technology. BYOD, as you likely know by now if you’re in the privacy field, is the practice of allowing employees to use their own phones and other devices for work purposes, including accessing information such as ePHI that is regulated by privacy laws. This means employees may be limited in their use of their own devices in order to protect ePHI from being lost.

In the U.S., Royal is able to protect her organization from data loss by having employees agree to have their devices wiped of all information if a device goes missing. In the EU, by contrast, organizations cannot have such a policy because employees have broader rights to the information on the devices they use, which makes it much more difficult for EU healthcare providers to protect themselves when allowing BYOD.

Putting aside the confusing overlaps of regulation, the value of more information to effective treatment and the pervasiveness of technology in everyday care, healthcare privacy professionals still face major challenges ahead. As Royal noted, the value of stolen medical records is now higher than that of consumer credit information, making the healthcare industry a new target for cyber-attacks. Medical records are already some of the most regulated and protected data sets worldwide, but it seems that in the next few years the necessity and difficulty of protecting them will only increase.

This will once again place the privacy professional on the front lines of new healthcare issues.
