Protected Health Information - An Interview with AHIMA’s Cheryl Martin
“HIPAA has aged itself out and I think the feds need to realize that. The law just doesn’t address all of the places data either moves through or resides.”
Cheryl Martin, Chief Knowledge Officer of the American Health Information Management Association (AHIMA)
AHIMA’s Health Information Professionals Week is just around the corner (April 18-24, 2021), which celebrates the workers who safeguard patient privacy and continually innovate data collection practices.
Since the Health Insurance Portability and Accountability Act (HIPAA) was introduced under the Bill Clinton administration in 1996, the digital revolution has virtually transformed the healthcare industry—affecting every aspect of it, from back-end hospital operational efficiency to the patient experience, such as granting the ability to receive test results from their healthcare providers online.
However, in the 15 years since the introduction of HIPAA, not much had changed in terms of the laws surrounding patient data.
Loopholes in the legislation became increasingly apparent during the course of the rapid digitization of the industry. One glaring oversight became apparent; regulations didn’t even begin to cover tech companies.
One prominent example occurred in November of 2019 when Google stirred up controversy by announcing a deal with Ascension, a national health system, which gave the tech giant access to millions of patients’ data from their devices. In return, Google said it would process data to help Ascension better manage its clients and finances.
Both companies said they have stayed within legal parameters, but the lack of patient knowledge of the deal—not to mention the fact that identifiable data on individuals was not removed before being shared—brought the conversation about data privacy back to the forefront of the media.
In late 2020, there was finally a change in legislation that heightened focus on the use and disclosure of health information.
The HHS Office for Civil Rights released the proposed modifications Dec. 10, 2020 as part of the department’s Regulatory Sprint to Coordinated Care initiative, “which analyzes federal regulations that interfere with healthcare providers and health plans’ efforts to better coordinate care for patients.”
Some of the proposed changes include strengthening patients’ access to their own health information, as well as reducing administrative burdens on HIPAA-covered providers and health plans, and improving access to protected health information (PHI) during emergencies or health crises.
The American Health Information Management Association (AHIMA), an organization in the healthcare information management (HIM) community, stands by the notion that consumers of healthcare should be the ultimate owners and beneficiaries of their own data. We talked to an AHIMA leader to find out more about the current ambiguity of data privacy in healthcare and what we should watch out for as this issue continues to evolve.
Meet the Expert: Cheryl DeRosier Martin, Chief Knowledge Officer at AHIMA
Cheryl DeRosier Martin is the chief knowledge officer at AHIMA where she is responsible for developing AHIMA’s knowledge as an asset to the company and its members. She has more than 20 years of experience in the industry and served as the chief information officer at both Tuomey Healthcare System and Kingman Regional Medical Center before joining AHIMA. She holds a bachelor of applied science in health information and medical records, as well as a master of arts in health information management from the College of St. Scholastica.
What are the Benefits of Logging Healthcare Data?
Before we delve into the concerns about the exploitation of patient data, let’s examine its benevolent applications. Martin explained that this data is important not only for use in medical centers and hospitals but also for the public at large. In fact, aggregated patient data is necessary for studies in epidemiology and “that research helps society on a broad scale.”
Advancements in medicine rely heavily on the availability of patient data. Medical researchers use it to study patterns in health and explore advancements in treating diseases, like HIV and different cancers. The more data available to researchers, the better they are able to study advancements and the more likely it is that they will be able to uncover unknown treatments for illnesses.
In addition, patients’ medical data is used by hospitals to improve their operations. These institutions use analytics to identify areas of operational inefficiency, measure doctors’ performance over time, and can even identify individuals at high risk for certain diseases.
While the benefits of data analytics are largely applicable to the healthcare industry, the collection of data exposes patients to some risks.
Why Data Privacy is Important
The significance of your data privacy can easily become convoluted in day-to-day life. We have become accustomed to not reading terms agreements when we download a new app or enter a website with cookies. We do it without thinking. But the consequences of your personal data getting into the wrong hands are very real—especially when it comes to data on your personal health.
“It’s important because the patients trust us. Whether it’s just no-big-deal data, or it’s something that could be devastating if other people knew, it really shouldn’t matter,” Martin said. “Patients perhaps don’t know where their data is, or may not even realize that their data is not protected. But they trust us to keep that data safe.”
Hackers have become interested in health and medical records. Data stored in electronic medical records includes patients’ names, their dates of birth, home addresses, phone numbers, places of work and job titles, credit card numbers, and medical insurance information. So, when hackers have access to this comprehensive data set, they can execute complete identity theft, as opposed to a one-time credit card hack.
Hackers are not the only culprits. Companies such as Facebook receive large data sets voluntarily from their users. Most of us are aware that these websites are harboring servers with data on us, but we don’t realize the full spectrum of its applications.
Whether that data is sold legally or it’s stolen, the potential to match your personal data from two (or more) websites enables data analysts to make predictions about your health that could be detrimental. For instance, insurance companies could use personal data to identify high-risk customers and preemptively raise their rates.
Unfortunately, this is not just conspiracy theory fodder. Data on your race, education level, income, TV habits, marital status, social media activity, and shopping habits can all be fed into algorithms and used to predict how much you could cost them. Low-income and minority individuals may have higher health risks. Newly married women are more likely to get pregnant. Overweight individuals are more likely to experience depression. All of these data points add up to more expenses for insurance companies, which they could pass onto specific patients in the form of higher insurance premiums.
Overall, patient data is a hot commodity and interested parties will do anything to get their hands on it—either by finding legal loopholes or thwarting the law altogether. As a result, data security is extremely important for hospital databases, which are a goldmine in the wrong hands. Martin explained the top potential threats to data breaches within medical centers themselves.
Top Risks to Patient Data
“The first threat is employees,” Martin explained. “In whatever industry you work in, you have to make sure that you hire good people.”
A surprisingly high fraction of healthcare workers is willing to sell data, according to a recent Accenture study (March 2018), which found that 18 percent of health employees would be willing to sell confidential data to unauthorized parties for as little as $500. Furthermore, 24 percent of survey respondents said they knew of someone within their organization who had sold credentials or access to an unauthorized outsider.
“As you get further and further removed from direct care with the patient, it’s easy to get wrapped up in what you’re doing and you lose sight … I think that’s where people get off course,” Martin said.
Employees can also unintentionally cause data breaches by not following security protocol. For example, they may write down login credentials and leave them out in the open, or create passwords that are easy for hackers to crack.
“You really have to make sure your employees are trained well and that you continue to train them well,” Martin continued. “As the hackers get wiser, you’ve got to continue to evolve and keep your employees aware.”
The digitization trend is the main cause of the current data security problem. “Now that data is often being stored in the cloud [as opposed to on private servers], you really have to have all your bases covered,” Martin said.
Using the cloud to store data is convenient because it allows fluid data exchange and round-the-clock access to data from any device, but with that convenience comes opportunities for data pirates. Companies should be aware that data can be compromised if they fail to implement the appropriate security measures when it comes to utilizing the cloud.
Then, there are also problems with the increasingly popular bring your own device policy (BYOD), in which employees are permitted to use their personal devices for workplace tasks and communication. On the one hand, BYOD policies seem favorable because they save organizations the cost of supplying technology. It’s especially applicable for small healthcare operations that don’t need the same complex software and hard infrastructure of large hospitals. However, allowing a BYOD device policy can create more vulnerabilities to hackers.
Habits like using texting to communicate with providers and patients sound convenient and harmless, but the problem is that it’s difficult to verify the identity of the person sending the text or to save the original message as validation of the information entered into the medical record.
“It is an efficient but extremely insecure way to communicate,” Martin said. “We spent years fighting against that practice. At the end of the day, mobile devices will always be a threat.”
Another source of vulnerability is an older device that collected data. Hospitals and medical centers may use old-school hardware to collect information (e.g., bedside medication administration devices, blood pressure pumps).
“You have all these devices that have software inside of them. When that software was created, all these privacy and security requirements certainly weren’t in place,” Martin said. These devices are much easier to gain unauthorized access to than the current hardware systems because they aren’t armed with the proper defenses to stand up to modern hackers.
Hospitals’ operations departments are often aware of this issue, but may not be taking any action because devices are expensive to replace.
The Future of Patient Data Security
While these scenarios are more than a little concerning, there is hope that we can evolve to better protect patient data. HIPAA was a good start, but there’s a long way to go in revolutionizing patient data privacy standards in the new, digital frontier.
“HIPAA has aged itself out and I think the feds need to realize that. The law just doesn’t address all of the places data either moves through or resides,” Martin said.
Martin says that the 21st Century Cures Act is one of the next steps to address these needs. “It’s promoting fast and easy access for patients and their ability to obtain that through APIs, which are not protected given the way the law is written right now,” she said. “We need to address [the protection of] that data after it goes out from under the umbrella protection of HIPAA.”
The 21st Century Cures Act, which was signed into law in 2016, is not focused on patient privacy, but it does have privacy implications. First and foremost, it’s designed to help accelerate medical product development to bring advancements to patients who need them more quickly. It also aims to reduce the risks associated with participation in research-oriented data collection and sharing.
The aforementioned controversial Google deal has prompted senators to introduce new legislation that would stop the sale of health data. In March 2020, the HHS Office of the National Coordinator for Health Information Technology (ONC) announced the Final Rule, which implements certain provisions of the 21st Century Cures Act, under former President Trump’s 2017 Executive Order 13813.
The Final Rule became effective on June 30, 2020, which, among other things, requires organizations that hold patient data to make their information more portable and accessible to individuals. Healthcare organizations will have to adjust their operations and patient interfaces to reflect the new legislation before 2022.
Martin’s advice to potential students and those interested in HIM careers?
“I think you could have the kind of impact as close to or as far from the patient as you want and still be making a difference,” she said. “Students should never forget that there’s a patient at the end of whatever work they are doing.”