There is a generalized recognition in many legal jurisdictions around the world that healthcare data is an especially sensitive type of personally identifiable information and must be protected from misuse. While the specific provisions and requirements have national nuances, the intent is essentially the same. Organizations managing healthcare data are subject to the following compliance requirements and regulations:
For US healthcare institutions, the Health Insurance Portability and Accountability Act (HIPAA) mandates a set of federal requirements for protecting individually identifiable health information. These apply to both "covered entities" (those providing direct care) and "business associates" (of which there are many and varied types).
The HIPAA Privacy Rule mandates protections for health information that's held or transmitted in any form or media, for data that can be associated with an identifiable person, such as the physical and mental health of a patient (past, present, and future expectations), the history of healthcare given to a patient, and payment mechanisms (past, present, or future).
The HIPAA Security Rule requires that healthcare institutions put in place appropriate administrative, physical, and technical safeguards to assure the confidentiality, integrity, and availability of protected health information. For example, if data has to be sent to another person or institution and there is a significant risk of unauthorized disclosure, data encryption is required.
Finally in terms of HIPAA, there is a recognition that healthcare workers themselves need to be ever vigilant of privacy and security issues. Section 164.308(5) requires that every organization in the US healthcare industry offer a security awareness and training program for its staff, including management.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was introduced in the US in mid-February 2009, as part of the American Recovery and Reinvestment Act (see details below). It offered billions of dollars in funding for building a national interoperable medical records system, introduced a data breach notification requirement (Section 13402), and demanded evidence of tiered "meaningful use" of the medical records system by certain dates. Breaches of unsecured protected health information affecting 500 or more individuals are listed in a publicly accessible database managed by the US Department of Health and Human Services Office for Civil Rights. Clearly, healthcare organizations need the ability to know when they have been breached, and are required to share this publicly. The threat of public shaming and reputational damage appears to not have been sufficient given the almost 2,000 data breaches listed by the US Health and Human Services data breach web site in June 2017 [i].
The American Recovery and Reinvestment Act (ARRA) was passed in mid-February 2009, offering the United States a $787 billion stimulus package, including an allocation of $19.2 billion for healthcare. A core initiative in healthcare was a new interoperable electronic health record (EHR) enabling the secure exchange of patient health information across all involved providers across the nation, as well as giving patients online access to their own EHR. Healthcare organizations needed to demonstrate meaningful use to qualify for subsidy payments. An interoperable EHR introduces significant data privacy and security concerns for all healthcare providers, such as keeping your own patient data safe, securing patient data sent from other providers, and ensuring HIPAA privacy and security compliance by cloud EHR providers.
The Affordable Care Act (ACA) was introduced in March 2010, ushering in an era of significant healthcare reform for the United States. Among other provisions, it mandated the sharing of certain types of patient information between healthcare providers and the government. For example, Code Sections 6055 and 6056 require the collection of social security numbers of spouses and dependents for reporting to the IRS. The implication is that healthcare providers are now holding additional classes of sensitive information not just for patients, but for family members as well, information which must both be protected and shareable with government agencies under specific circumstances.
The HIPAA Omnibus Rule of 2013 introduced changes to various privacy and security requirements in HIPAA in order to bring them into alignment with the HITECH Act. New provisions include elevating the duty of care for protecting personal health information among business associates and their subcontractors (in addition to covered entities), increasing the penalties for noncompliance to a maximum of US$1.5 million per violation, adding genetic information to the definition of personal health information, and expanding the coverage of types of electronic media, among others.
With the increasing proliferation and usage of mobile devices across all stratas of the global population, healthcare providers are developing healthcare related apps and devices. The US Health and Human Services department published specific guidelines in January 2016 covering these so-called "mHealth" applications and devices. Essentially, any app or device that works with personally identifiable health information must comply with HIPAA, and if a HIPAA covered entity is involved with an app or device, HIPAA almost certainly applies. Note that non-personally identifiable health information, such as steps taken and distance covered, are excluded from the HIPAA requirements.
The UK Data Protection Act of 1998 sets the legislative framework for healthcare institutions across the United Kingdom in relation to data privacy and security. Requirements include data minimization (collection of only the data that is required for a specific purpose), data security, data relevancy, and data currency. Organizations should not keep data for longer than necessary, and must provide access to the data subject when requested to do so. Data controllers – the entities responsible for controlling the data – are responsible for ensuring appropriate access controls are maintained, and guarding the data so it is not transferred into another legal jurisdiction without equivalent data security requirements.
The National Health Service (NHS) also offers a set of security policies and guidelines for NHS organizations in the public sector, with regional variations across England, Scotland and Wales. Provisions include mandatory annual training on information governance, and the establishment of processes for removing access rights to data and systems when an employee is terminated. The NHS Care Record Guarantee promises confidentiality and security of patient information, and the NHS Confidentiality Code of Practice sets out mandates when sharing information with other organizations.
The Nursing & Midwifery Council (NMC) is the regulator for nurses and midwives in England, Wales, Scotland and Northern Ireland. The NMC's Code sets out the professional standards expected of registered nurses and midwives, including privacy, security, and confidentiality of patient health information. Code 5 establishes people's right to privacy and confidentiality whether alive or dead, and sets out the determinants when deciding whether to share confidential patient data with others. Code 10 requires the maintenance of clear and accurate records, and the security of those records.
By virtue of their chosen occupation and the region in which they practice, nurses and midwives are also subject to the data protection guidelines in the UK's Data Protection Act.
As with the NHS and NMC, members of the British Medical Association (BMA) are subject to the UK's Data Protection Act. This covers the lawful use of personal and health data, the responsibilities of GPs (general practitioners) as data controllers, and the need for explicit consent from patients when sharing personal health information with other healthcare professionals and entities. Balancing the competing requirements around patient data privacy – in light of the Data Protection Act – is an issue of ongoing concern for the BMA.
The BMA has a couple of other resources related to data security, as well. The fourth part of its Confidentiality and Health Records Tool Kit, for example, outlines requirements for securing patient health information from both external and internal threats. It also expects members to follow professional standards, act in accordance with privacy conditions in an employment contract, and follow various other legislative and health industry requirements, such as the Access to Health Records Act of 1990, the Computer Misuse Act of 1990 (such as not accessing computer material under another person's user credentials), and the NHS Care Record Guarantee (for NHS England).
The new General Data Protection Regulation(GDPR) in Europe, due to be enforced from late May 2018, sets out the requirements for protecting personally identifiable information, with special considerations required for sensitive information on natural citizens of the European Union. The GDPR harmonizes the data privacy and protection regulation of the 28 member states of the European Union, and requires the use of technical and organizational safeguards over covered information. There are significant financial penalties for organizations that fail to adequately safeguard personal data, breach notification requirements, and specific mandates around consent, the responsibilities of data controllers and processors, and the need for data protection assessments.
The Medical Board of Australia works within the legislative framework established by the Australian Privacy Act of 1988 (and subsequent updates), which holds that health information is one of the most sensitive types of personal information that can be held about an individual, and thus must be subject to adequate protections. One recent update to the Privacy Act introduced mandatory data breach notifications.
The Medical Board separately has a Code of Conduct of Good Medical Practice, sections in which cover confidentiality and privacy of patient health information (Section 3.4) and control the security and access to medical records (Section 8.4).
As with the Medical Board of Australia, healthcare professionals are required to practice within the provisions of the Australian Privacy Act. The Association also has a Code of Ethics that addresses the protection of patient information (Section 2.2), with patient rights such as access, confidentiality, consent for disclosure, and that records will be kept securely. The Code of Ethics was introduced in 2004, and underwent substantial updates during 2016.
Considering these many compliance requirements, it is impossible to get away from the fact that healthcare organizations have an elevated and broad duty of care for the health information stored on patients.