Protecting Patient Data - An Interview with AHIMA’s Cheryl Martin
Search For Schools
HIPAA has aged itself out and I think the feds need to realize that. The law just doesn’t address all of the places data either moves through or resides.
Cheryl Martin, Chief Knowledge Officer of the American Health Information Management Association (AHIMA)
In November of 2019, Google stirred up controversy when it announced a deal with Ascension, a national health system, which gave the tech giant access to millions of patients’ data from their devices. In return, Google said it would process data to help Ascension better manage its clients and finances. Usually, headlines about data security are related to leaks or heists, but this massive data exchange occurred in the open. Is this a violation of U.S. privacy laws?
Both companies say they have stayed within legal parameters, but the lack of patient knowledge of the deal—not to mention the fact that identifiable data on individuals was not removed before being shared—has once again brought the conversation about data privacy to the forefront of the media.
At present, there are laws in place that hold physicians and healthcare centers to standards that subject them to expensive fines and even jail time for sharing patient data. The Health Insurance Portability and Accountability Act (HIPAA) was introduced under the Bill Clinton administration in 1996. Among its objectives are the protection of patients’ data privacy, the regulation of health insurance companies’ practices in discriminating against patients with preexisting conditions, and the establishment of civil and criminal penalties for organizations and individuals that violate its rules. However, loopholes in the legislation have become apparent during the course of the rapid digitization of the industry: regulations don’t even begin to cover tech companies, which is how Google was able to make such a deal.
The American Health Information Management Association (AHIMA), an organization in the healthcare information management (HIM) community, stands by the notion that consumers of healthcare should have access to and control over their own data. We talked to an AHIMA leader to find out more about the current ambiguity of data privacy in healthcare and what we should watch out for as this issue continues to evolve.
Meet the Expert: Cheryl DeRosier Martin, Chief Knowledge Officer at AHIMA
Cheryl DeRosier Martin is the chief knowledge officer at AHIMA where she is responsible for developing AHIMA’s knowledge as an asset to the company and its members. She has more than 20 years of experience in the industry and served as the chief information officer at both Tuomey Healthcare System and Kingman Regional Medical Center before joining AHIMA. She holds a bachelor of applied science in health information and medical records, as well as a master of arts in health information management from the College of St. Scholastica.
What are the Benefits of Logging Healthcare Data?
Before we delve into the concerns about the exploitation of patient data, let’s examine its benevolent applications. Martin explained that this data is important not only for use in medical centers and hospitals, but also for the public at large. In fact, aggregated patient data is necessary for studies in epidemiology and “that research helps society on a broad scale.”
Advancements in medicine rely heavily on the availability of patient data. Medical researchers use it to study patterns in health and explore advancements in treating diseases, like HIV and different cancers. The more data available to researchers, the better they are able to study advancements and the more likely it is that they will be able to uncover unknown treatments for illnesses.
In addition, patients’ medical data is used by hospitals to improve their operations. These institutions use analytics to identify areas of operational inefficiency, measure doctors’ performance over time, and can even identify individuals at a high risk for certain diseases.
While the benefits of data analytics are largely applicable to the healthcare industry, the collection of data exposes patients to some risks.
Why Data Privacy is Important
The significance of your data privacy can easily become convoluted in day-to-day life. We have become accustomed to not reading terms agreements when we download a new app or enter a website with cookies. We do it without thinking. But the consequences of your personal data getting into the wrong hands are very real—especially when it comes to data on your personal health.
“It’s important because the patients trust us. Whether it’s just no-big-deal data, or it’s something that could be devastating if other people knew, it really shouldn’t matter,” Martin said. “Patients perhaps don’t know where their data is, or may not even realize that their data is not protected. But they trust us to keep that data safe.”
Hackers have become interested in health and medical records. Data stored in electronic medical records includes patients’ names, their dates of birth, home addresses, phone numbers, places of work and job titles, credit card numbers, and medical insurance information. So, when hackers have access to this comprehensive data set, they can execute complete identity theft, as opposed to a one-time credit card hack.
Hackers are not the only culprits. Companies such as Facebook receive large data sets voluntarily from their users. Most of us are aware that these websites are harboring servers with data on us, but we don’t realize the full spectrum of its applications.
Whether that data is sold legally or it’s stolen, the potential to match your personal data from two (or more) websites enables data analysts to make predictions about your health that could be detrimental. For instance, insurance companies could use personal data to identify high-risk customers and preemptively raise their rates.
Unfortunately, this is not just conspiracy theory fodder. Data on your race, education level, income, TV habits, marital status, social media activity, and shopping habits can all be fed into algorithms and used to predict how much you could cost them. Low-income and minority individuals may have higher health risks. Newly married women are more likely to get pregnant. Overweight individuals are more likely to experience depression. All of these data points add up to more expenses for insurance companies, which they could pass onto specific patients in the form of higher insurance premiums.
Overall, patient data is a hot commodity and interested parties will do anything to get their hands on it—either by finding legal loopholes or thwarting the law altogether. As a result, data security is extremely important for hospital databases, which are a goldmine in the wrong hands. Martin explained the top potential threats to data breaches within medical centers themselves.
Top Risks to Patient Data
“The first threat is employees,” Martin explained. “In whatever industry you work in, you have to make sure that you hire good people.”
A surprisingly high fraction of healthcare workers are willing to sell data, according to a recent Accenture study (March 2018), which found that 18 percent of health employees would be willing to sell confidential data to unauthorized parties for as little as $500. Furthermore, 24 percent of survey respondents said they knew of someone within their organization who had sold credentials or access to an unauthorized outsider.
“As you get further and further removed from direct care with the patient, it’s easy to get wrapped up in what you’re doing and you lose sight … I think that’s where people get off course,” Martin said.
Employees can also unintentionally cause data breaches by not following security protocol. For example, they may write down login credentials and leave them out in the open, or create passwords that are easy for hackers to crack.
“You really have to make sure your employees are trained well and that you continue to train them well,” Martin continued. “As the hackers get wiser, you’ve got to continue to evolve and keep your employees aware.”
The digitization trend is the main cause of the current data security problem. “Now that data is often being stored in the cloud [as opposed to on private servers], you really have to have all your bases covered,” Martin said.
Using the cloud to store data is convenient because it allows fluid data exchange and round-the-clock access to data from any device, but with that convenience comes opportunities for data pirates. Companies should be aware that data can be compromised if they fail to implement the appropriate security measures when it comes to utilizing the cloud.
Then, there are also problems with the increasingly popular bring your own device policy (BYOD), in which employees are permitted to use their personal devices for workplace tasks and communication. On the one hand, BYOD policies seem favorable because they save organizations the cost of supplying technology. It’s especially applicable for small healthcare operations that don’t need the same complex software and hard infrastructure of large hospitals. However, allowing a BYOD device policy can create more vulnerabilities to hackers.
Habits like using texting to communicate with providers and patients sound convenient and harmless, but the problem is that it’s difficult to verify the identity of the person sending the text or to save the original message as validation of the information entered into the medical record.
“It is an efficient but extremely insecure way to communicate,” Martin said. “We spent years fighting against that practice. At the end of the day, mobile devices will always be a threat.”
Another source of vulnerability is an older device that collected data. Hospitals and medical centers may use old-school hardware to collect information (e.g., bedside medication administration devices, blood pressure pumps).
“You have all these devices that have software inside of them. When that software was created, all these privacy and security requirements certainly weren’t in place,” Martin said. These devices are much easier to gain unauthorized access to than the current hardware systems because they aren’t armed with the proper defenses to stand up to modern hackers.
Hospitals’ operations departments are often aware of this issue, but may not be taking any action because devices are expensive to replace.
The Future of Patient Data Security
While these scenarios are more than a little concerning, there is hope that we can evolve to better protect patient data. HIPAA was a good start, but there’s a long way to go in revolutionizing patient data privacy standards in the new, digital frontier.
“HIPAA has aged itself out and I think the feds need to realize that. The law just doesn’t address all of the places data either moves through or resides,” Martin said.
Martin says that 21st Century Cures Act is one of the next steps to address these needs. “It’s promoting fast and easy access for patients and their ability to obtain that through APIs, which are not protected given the way the law is written right now,” she said. “We need to address [the protection of] that data after it goes out from under the umbrella protection of HIPAA.”
The 21st Century Cures Act is not focused on patient privacy, but it does have privacy implications. First and foremost, it’s designed to help accelerate medical product development to bring advancements to patients who need them more quickly. It also aims to reduce the risks associated with participation in research-oriented data collection and sharing. In addition to the Cures Act, the aforementioned controversial Google deal has prompted senators to introduce new legislation that would stop the sale of health data—the progress of which is yet to be determined.
“I think everybody should be working for the greater good,” Martin said. “I never wanted to work directly with patients, but always knew that the work that I did could make a big difference. The better I did my job, the better caregivers could do their jobs.”
Martin’s advice to potential students and those interested in HIM careers?
“I think you could have the kind of impact as close to or as far from the patient as you want and still be making a difference,” she said. “Students should never forget that there’s a patient at the end of whatever work they are doing.”