HIPAA and New Privacy Risks with Tech Firms
When you see your physician, you are often asked to sign a form acknowledging that you have received their privacy notice and that they agree to abide by the HIPAA rules. HIPAA, the Health Insurance Portability and Accountability Act, is a set of federal privacy rules and regulations that protect an individual’s medical and other personal health information. It applies to everyone who handles medical records, such as physicians’ offices, health plans, hospitals and other health care providers, and it requires certain protections when the information is handled electronically.
HIPAA sets baseline requirements for the security measures needed to safeguard the confidentiality of personal health data. The regulations also require health providers to follow strict guidelines and restrictions on the use or disclosure of patient information and personal health records without the patient’s consent. The federal policy also gives patients rights over their own health records: patients have the right to examine their own records and to request corrections if they choose.
CMS Interoperability and Patient Access Regulations
On March 9, 2020, the US Department of Health and Human Services (HHS) finalized its rule on the new CMS Interoperability and Patient Access policies. CMS is the Centers for Medicare & Medicaid Services. The final rule (CMS-9115-F) makes permanent the Administration’s promise to start putting patients and their privacy first. Now, when patients need it the most, they can have immediate access to their patient records. The policy was written with the understanding that the patient should be respected and that patients know best how to use the information in their records.
These historic rulings give patients far more control over their own data. The main goals of the CMS policies are to call for patient access to health information, to encourage innovation and development, and to end information blocking that keeps data from the patient. Patients are now in charge. This gives them more control over their health care and the ability to correct misinformation in their records. Patient control is the core of the policy’s aim of creating a value-based health care system.
Patients generally believe that their health information is secure, and all these new policies and regulations are designed to make patients feel more in control and confident that their data is secure unless they choose to sign a release. This is not always the case. When a national emergency is declared, medical records are available to the government, the CDC, or any other chosen or designated agency tasked with responding to the circumstance. There is no “opt-out” from participation in this data sharing.
The new CMS policies take advantage of telehealth networks and information-sharing programs that are already in place. These systems can share patient information and other data in real time to help speed up responses in a national emergency or other crisis. All telehealth systems are connected and integrated with a national response system that responds to the specific needs of homeland security.
The data that is given to homeland security and other designated response facilities is a dissemination of health care data, specific disease information, video surveillance, facial recognition technologies, facility surge capacities, and the number of responses by mobile response teams. In the end, national and community safety comes before your personal privacy, and medical records are made available upon request regardless of patients’ consent. These records can also be made available to others via Freedom of Information Act (FOIA) requests.
Private Tech Firms
There should be some concern from patients and perhaps further scrutiny by lawmakers. The president of America’s Health Insurance Plans (AHIP), Matt Eyles, stated his opinion that the new CMS Interoperability and Patient Access rule would allow private technology companies to profit from, sell, and distribute the health records of patients. Patients should be alarmed, and many who have been following the rulings already are.
The problem lies in the fact that private tech firms operate beyond the reach of the regulations provided by the Health Insurance Portability and Accountability Act, or HIPAA. The most shocking comment from Eyles was, “We remain gravely concerned that patient privacy will still be at risk when health care information is transferred outside the protections of federal patient privacy laws. Individually identifiable health care information can readily be bought and sold on the open market and combined with other personal health data by unknown and potentially bad actors. Consumers will ultimately have no control over what data the app developers sell, to whom or for how long.” This poses serious risks to patients’ privacy, particularly if bad actors used the information to discriminate against patients or disrupt their lives.
Leaving private tech firms out of the HIPAA compliance loop creates a risk for patients that they have not agreed to. In fact, Eyles went on to give statistics from studies on how patients weigh their privacy against the convenience that the new regulations are aiming for. He stated, “Sixty two percent of consumers say that stronger protection of their personal privacy should outweigh any efforts to make it easier to access consumer health care data, and 90% believe that private technology companies should be held to the same privacy standards as health insurance providers.”
It makes sense that the regulations should be standardized: any corporation that wishes to be in the health care information market will simply have to understand that compliance is part of the health data protection business. Allowing loopholes for private firms is just another way of allowing corporations to take advantage of citizens and consumers. If this information is sold or distributed, Americans can face a number of issues, including employment discrimination, housing discrimination, financial discrimination, and much more.
Protect Patients and Protect Your Corporation
Regardless of where your corporation stands, whether it must comply with HIPAA or, as a private firm, is allowed the loophole, it would be smart not to take advantage of patient information. Trust from citizens and consumers can make or break a business. The reputation of a company can be destroyed over just one data breach accusation. When consumers don’t feel safe, even if the information isn’t true, they discontinue business with that company and take their money elsewhere.
As a business, it can be quite easy to work with patient data and still protect personally identifying information, or PII, by applying redaction throughout your data storage and distribution. Taking the responsibility upon yourself, as a corporation or even a small business, to find a way to comply with data privacy regulations means that whatever regulatory changes your company faces in the future, your reputation with the consumer remains intact.
An easy way to comply with privacy regulations is to use redaction software to remove identifiers from the data you collect. CaseGuard has an intelligent redaction system that uses AI and machine learning to automate the removal of data points, making redaction an easy process. It also includes many other features that are useful in keeping your business compliant in countless ways: it can be used to redact, translate, transcribe and even add captioning to video. These multiple uses make the program a money-saving investment; it protects the company’s reputation, helps maintain compliance with multiple regulations, and integrates to automatically redact specified information from audio, video, and documents. Review what CaseGuard can do for your company, stay above the fray, and leave consumers, patients, and citizens with a positive view of your company and its name, because once your reputation is earned, that is value that takes every corporation the distance to success.
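To make the redaction idea above concrete, here is an added example (not CaseGuard’s code) that strips direct identifiers from a patient record before it is stored or shared downstream. It assumes records are JSON-like dicts with the field names constructed below, and the identifier categories covered are an illustrative subset, not a complete HIPAA de-identification list.

```python
import re
from typing import Any

# Structured fields that are direct identifiers and must never leave
# the covered environment unredacted (illustrative subset, assumed names).
IDENTIFIER_FIELDS = {"name", "ssn", "phone", "email", "dob", "address", "mrn"}

# Patterns that catch identifiers leaking into free-text notes. Regexes
# cannot catch everything (e.g. names in prose), so treat this as one layer.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def redact_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def redact_record(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record with identifier fields replaced and free text scrubbed.

    Clinical fields (diagnosis, notes) are kept because they are what a
    downstream app or researcher actually needs; the original is not modified.
    """
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            out[key] = "[REDACTED]"
        elif isinstance(value, str):
            out[key] = redact_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "mrn": "MRN-000123",
    "name": "Jane Example",
    "dob": "04/12/1980",
    "phone": "555-010-0199",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called from 555-010-0199; follow up 05/01/2020, email jane@example.com",
}

if __name__ == "__main__":
    print(redact_record(SAMPLE))
```

Run it once on a copy of real records and review the free-text output by hand; a regex pass is a safety net, not a substitute for a full de-identification review.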