Getting Ahead of Privacy and the CCPA – Healthcare Needs to Move Beyond HIPAA


This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Privacy concerns are on the rise. Over the last couple of years, survey after survey has clearly shown a dramatic rise in overall consumer privacy awareness and concern, driven primarily by the never-ending litany of data breaches that make the news.

The healthcare industry has been somewhat shielded from this, seemingly due to the trust that patients extend to their doctors and, by proxy, the organizations they work with. HITECH and HIPAA legislation have acted as a perceived layer of safety and protection.

But healthcare is not immune from privacy issues.

Most people aren’t even aware of the hundreds of breaches of unsecured health information in the last 24 months that are being investigated by the U.S. Department of Health & Human Services Office for Civil Rights. In fact, research indicates that consumers still trust healthcare organizations with their data more than they trust many other industries.

But for how much longer?

Studies show that, although trust is still high, consumers are becoming increasingly concerned about privacy in healthcare. The perceived shielding that federal legislation provides and the implicit trust healthcare enjoys are both decreasing as other industries continue to receive arguably well-deserved scrutiny over their privacy and data protection practices.

What About the CCPA?

Many medical and healthcare organizations that are covered entities under HIPAA mistakenly believe they are fully exempt from consumer privacy legislation such as the California Consumer Protection Act (CCPA). The CCPA does have an exemption for HIPAA-protected data, and the current CCPA regulations are neither clear nor final. However, most legal opinions indicate that many types of data collected by healthcare organizations that are not regulated by HIPAA most definitely will be covered by the CCPA.

Data sources such as website cookies, health apps, conferences, marketing initiatives, fundraisers and more represent personally identifiable information that does fall under the CCPA. As such, medical organizations that handle that kind of data must be CCPA compliant. While EHR databases may be exempt, the CCPA’s definition of personal information is much broader and includes almost any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Of course, both HIPAA and CCPA have specific requirements for compliance, and preparing for the CCPA is something most healthcare businesses should already be ahead of.

Beyond compliance issues, sustained public attention and skepticism over privacy issues will come to the healthcare industry sooner or later, and along with it will come potentially mammoth impacts to medical businesses. Because of the impending rise in public awareness and media scrutiny, hiding under the cover of compliance with HIPAA and the CCPA is no longer a viable choice.

The CCPA isn’t the end result of the rise of privacy concerns; it’s a bellwether for what’s to come, and it’s time for healthcare organizations to step up.

Getting and staying in compliance with both HIPAA and the CCPA are obviously critical, but they are only a first step. As healthcare begins to embrace big tech and the incredible promise those partnerships can bring, the medical industry must think far beyond legal compliance and embrace real data privacy principles as core operating commitments and key competitive

Choice and Accountability

Patient trust in healthcare isn’t permanent or unassailable, and being trusted doesn’t absolve healthcare organizations from ongoing transparent communication. In the modern and connected world, trust must be earned on an ongoing basis with both transparency and consistency of action.

Companies that use personal healthcare data must be transparent about their practices and provide consumers a sense of control by giving them a real choice to opt in or out whenever possible. Organizations also need to communicate clearly with consumers about where their data is coming from, why it’s being collected, and how vendors and service providers are used in providing the services that they need.

Transparency must also be in lockstep with consistency of action. That means healthcare businesses must not only be clear about their actions; they must also enable public accountability mechanisms such as advisory boards, complaint processes, official advocates, ombudsmen and more.

Protection and Security

Patients have a right to know their healthcare data is private and safe. Medical organizations should not only use advanced security technology and governance for all data, but also communicate to consumers how their data is protected, whether mandated by legislative requirements or not. Encryption, data minimization, retention and deletion protocols, and other privacy-related organizational measures should be enacted and communicated.

Make a Difference and Add Value

Personal healthcare data is sensitive and should be used to advance medicine, improve outcomes and make the world a healthier place, not solely for financial gain. Beyond legal compliance, healthcare must embrace respect and ethics, with a public commitment to using personal data to add value to people’s lives. Organizations must also clearly communicate the difference they are making by using personal data, both for the individuals themselves and for healthcare and medicine as a whole.

While these principles may seem counter-intuitive to some, this moment is actually an incredible opportunity for healthcare organizations to embrace these principles and get ahead of their competitors.

Other industries have clearly demonstrated that those who embrace privacy are rewarded, while those who do not are punished. Financial gain will come from acting beyond privacy compliance, whereas waiting for the inevitable incidents that will damage and degrade patient trust, whether a data breach or a public relations issue, is not a sound business strategy.

The healthcare industry has the opportunity right now to build upon its history of patient trust, but that opportunity won’t be realized by simply maintaining the status quo.

Dan Linton, CIPP/US, CIPP/E, CIPM, is the Global Data Privacy Officer at W2O, where he supports internal and client data privacy and protection practices with a specific focus on GDPR, CCPA and the impact of global privacy legislation on healthcare marketing and communications.

The post Getting Ahead of Privacy and the CCPA – Healthcare Needs to Move Beyond HIPAA appeared first on The Health Care Blog.
