By Adam H. Greene, JD, MPH, partner and co-chair of the Health Information Practice of Davis Wright Tremaine LLP and former Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT.
If you are reading this, then it is likely that you, or someone with whom you work, has a great idea: one that you hope will change health care for the better while earning you a good living at the same time. A great idea is always the foundation of a successful venture, but it is rarely enough. If your idea involves health care, it is also imperative that you consider information privacy and security early on, taking steps to protect the information with which you are entrusted and to protect your business from the related risks.
This article will explore five privacy and security steps that you should take to protect consumers, comply with law, and allow your great idea to flourish.
Privacy and Security by Design – It is much more effective to integrate privacy and security into your app, device, or service from the start than to bolt safeguards on after development is complete, or to discover late that your business model raises privacy law concerns. For example, for each piece of personal information, consider how to minimize what is collected, whether it needs to be retained at all, how early it can be deleted, and how consumers will be notified and given a meaningful choice if it is used for something other than providing the service. An additional resource on “privacy by design” is available at http://www.privacybydesign.ca/. Similarly, consider information security from the start: write the app or device software to minimize exploitable flaws, encrypt information wherever possible, build a secure architecture around your information systems, and create procedures to maintain security over time (such as configuration security checklists and regular internal information security audits).
Risk Analysis and Management – Over the past few years, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has focused its attention on the importance of risk analysis. OCR is the primary agency that administers and enforces HIPAA. If you maintain protected health information subject to HIPAA, OCR expects you to conduct an accurate and thorough risk analysis. (See When HIPAA Applies to Mobile Applications and Mobile Health: How to Comply with HIPAA.) If your device or app handles protected health information and is used by a health care provider or health plan, OCR expects it to be included in that provider’s or plan’s risk analysis. Even if you fall outside of HIPAA, a thorough risk analysis remains an invaluable foundation for information security. In simplest terms, a risk analysis involves locating where your sensitive data, such as protected health information, is received, maintained, transmitted, and disposed of, and identifying the reasonably anticipated threats to that information. Threats can include carelessness (e.g., forgetting to turn a firewall back on, or donating a mobile device without erasing sensitive information), malicious actors (a hacker or employee seeking credit card or social security numbers), environmental threats (such as an air conditioning failure exposing a server to high temperatures), and natural threats (floods, earthquakes, etc.). The risk analysis should then identify where a threat could exploit a vulnerability (such as a failure to back up or encrypt data), leading to unauthorized access or disclosure, alteration or corruption of data, or loss of availability. Good starting points are OCR’s risk analysis guidance, available here, and guidance from the National Institute of Standards and Technology, available here.
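The risk analysis described above can be kept as a simple register rather than a one-off document. The following is an added example, not code from the article or from OCR or NIST: it records where PHI lives across the receive/maintain/transmit/dispose lifecycle, pairs threats with vulnerabilities, ranks risks by likelihood and impact, and runs two checks a reviewer will ask about, namely whether every PHI location has at least one risk recorded and whether expected baseline safeguards are missing. The 1–3 scoring scale, the baseline control names, and the sample inventory are assumptions made for illustration.

```python
"""Risk register for a qualitative risk analysis of PHI data flows.

Added example, not from the article. The 1-3 likelihood/impact scale,
the baseline-control names and the sample inventory are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

STAGES = {"received", "maintained", "transmitted", "disposed"}

# Assumed minimum safeguards expected at each lifecycle stage. A real
# analysis derives these from the organization's own control set.
BASELINE_CONTROLS: Dict[str, Set[str]] = {
    "transmitted": {"tls"},
    "maintained": {"encryption_at_rest", "backup"},
    "disposed": {"media_sanitization"},
}


@dataclass(frozen=True)
class Asset:
    name: str
    holds_phi: bool
    stages: frozenset    # lifecycle stages this asset participates in
    controls: frozenset  # safeguards actually in place today


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str          # carelessness, malicious actor, environmental, natural
    vulnerability: str
    likelihood: int      # 1 = low, 2 = medium, 3 = high
    impact: int          # 1 = low, 2 = medium, 3 = high

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if v not in (1, 2, 3):
                raise ValueError("likelihood and impact must be 1, 2 or 3")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest-scoring risks first; ties broken by impact so that rare but
    severe events (a flood taking out the only data center) are not buried."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def coverage_gaps(assets: List[Asset], risks: List[Risk]) -> List[str]:
    """PHI-holding assets with no risk recorded at all. An analysis that
    silently omits a PHI location is neither accurate nor thorough."""
    covered = {r.asset for r in risks}
    return sorted(a.name for a in assets if a.holds_phi and a.name not in covered)


def missing_baseline_controls(assets: List[Asset]) -> Dict[str, Set[str]]:
    """Per PHI asset, the baseline safeguards its lifecycle stages call for
    that are not in place. Each one is a candidate vulnerability."""
    gaps: Dict[str, Set[str]] = {}
    for a in assets:
        if not a.holds_phi:
            continue
        expected = set().union(*(BASELINE_CONTROLS.get(s, set()) for s in a.stages))
        missing = expected - set(a.controls)
        if missing:
            gaps[a.name] = missing
    return gaps


# Constructed sample inventory for a hypothetical mobile health app.
SAMPLE_ASSETS = [
    Asset("mobile_app_local_db", True, frozenset({"maintained"}), frozenset({"encryption_at_rest"})),
    Asset("api_gateway", True, frozenset({"received", "transmitted"}), frozenset({"tls"})),
    Asset("phi_database", True, frozenset({"maintained", "disposed"}), frozenset({"encryption_at_rest", "backup"})),
    Asset("support_ticket_system", True, frozenset({"received", "maintained"}), frozenset({"backup"})),
    Asset("marketing_site", False, frozenset({"transmitted"}), frozenset()),
]

# Constructed sample threat/vulnerability pairs, one per threat category.
SAMPLE_RISKS = [
    Risk("phi_database", "malicious insider", "shared DBA account, no access logging", 2, 3),
    Risk("phi_database", "flood", "single data center, backups kept on site", 1, 3),
    Risk("api_gateway", "external attacker", "no rate limiting on login endpoint", 3, 2),
    Risk("mobile_app_local_db", "careless user", "device donated without a wipe", 2, 2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.score}  {r.asset:<22} {r.threat}: {r.vulnerability}")
    print("PHI assets with no risk recorded:", coverage_gaps(SAMPLE_ASSETS, SAMPLE_RISKS))
    print("missing baseline controls:", missing_baseline_controls(SAMPLE_ASSETS))
```

Running it on the sample inventory ranks the insider and login-abuse risks above the flood, flags the support ticket system as a PHI location nobody analyzed, and reports that disposal of the PHI database has no sanitization control. The register is deliberately plain data so it can be re-run after every architecture change rather than rewritten as a document.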
Cyber Insurance – The one law that we must all adhere to is Murphy’s Law: Anything that Can Go Wrong, Will Go Wrong. Even if you create reasonable privacy and security safeguards, a data breach may occur. Between costs of notification, potential government enforcement, and the ever-present threat of a class action suit, a single large breach could cripple your company. Accordingly, the moment you are handling sensitive data, such as health information, you should consider whether you have adequate cyber or other insurance to protect against the costs of a data breach.
Work with Customers and Consumers to Build Trust – It is not enough to put good privacy and security in place; you must also be able to communicate it effectively to both customers and consumers. Sophisticated health care providers are increasingly sensitive about where their protected health information goes and may want assurances that you have a robust data security program. Merely signing a HIPAA-compliant “business associate agreement” or adding a “HIPAA Compliant” seal to marketing materials may not be enough. Less sophisticated customers may need help understanding how to use your device or app in a compliant manner. FAQs or a white paper can help them with questions such as whether data residing in your mobile app or device belongs in their risk analyses. Consumers may need help understanding how to use the app or device in a way that protects their information, and whether their information is being sold or used for marketing purposes.
Don’t Go It Alone – There is a wealth of resources, paid and free, available to help you build privacy and security into your mobile app or device. Some challenges may call for an experienced lawyer or information security professional, while others can be handled in-house with resources from relevant associations and groups, such as the Health Information and Management Systems Society (see http://www.himss.org/ResourceLibrary/mHIMSS.aspx).
For example, the author is involved in the creation and kickoff of the Health Care Cloud Coalition (HC3). HC3 is focused on supporting health care cloud computing companies, including small- and medium-sized mobile technology companies that offer software-as-a-service, to: (1) help establish a common understanding of how HIPAA and other laws apply in a cloud environment; (2) explore whether existing programs can be leveraged or new programs need to be created to reasonably demonstrate to customers and the government that cloud providers have robust safeguards that address health care laws and cloud-specific threats; and (3) seek guidance from and maintain transparency with government stakeholders, such as OCR. Information about the June 19, 2014 kickoff meeting is available here.
There is no reason that any good idea in health care needs to fail for lack of attention to information privacy and security. But good data privacy and security, and compliance with applicable law, do not happen by accident. They need to be a priority from the start. Paying attention to privacy and security early will let you focus on your primary mission of changing health care for the better.