Health data is one of the most valuable assets organizations in the healthcare and life sciences industry can possess. It’s also one of the most vulnerable.
Over the years, legal steps have been taken to protect healthcare data security and patient privacy. The Health Insurance Portability and Accountability Act (HIPAA), enacted by the U.S. Congress in 1996, was the first such regulation at the federal level. But as more digital health organizations collect, store, and use health-related data and other sensitive information that falls outside HIPAA's scope, legislators and regulators are responding with new rules and enforcement.
In this blog, we’ll explore how health data breaches are influencing new data regulations, and why the compliance responsibility must be shared by data, security, and governance teams.
The Cost of Healthcare Data Breaches
Healthcare data breaches are not a new phenomenon, but the attack surface is growing rapidly, and so are the costs of a breach. IBM found that the average cost of a healthcare data breach in 2022 was $10.1 million, a 42% increase from just two years earlier. This was more than double the cross-industry global average of $4.35 million, making healthcare data breaches the most expensive of any industry.
Major healthcare organizations such as Anthem, Premera Blue Cross, Community Health Systems, and UCLA Health have all made headlines for exposing millions of patients' information, and paid settlements and penalties accordingly. The U.S. Department of Health and Human Services also publishes a record of reported breaches under investigation, which shows that a new one is added nearly every day.
Beyond the direct costs, healthcare data breaches require organizations to dedicate resources to containing and responding to the incident, and are highly likely to compromise customer trust. The damage to an organization's reputation, and subsequently to its business, may prove to be a costly intangible expense.
Why Worry About Health Data Breaches Now?
If healthcare data breaches have been happening for years, why should we pay attention now? As with most industries, digital is the way of the future, and information that reveals consumers' past, present, or future physical or mental health status is being handled by an increasing number of actors. Regulations are catching up with technology, which will change how digital health companies, which historically haven't been subject to HIPAA standards, operate and handle users' data.
To put this into perspective, we’ll look at two legal developments in the healthcare space in the US: the adoption of Washington’s My Health My Data Act, which takes effect on March 31, 2024, and the FTC’s first enforcement action against GoodRx on the grounds of the Health Breach Notification Rule.
Together, these send a clear message: organizations that are not covered by HIPAA but are processing health information must have robust data privacy programs in place.
The My Health My Data Act
Because HIPAA is the most prominent and broadly applicable law concerning health data, consumers and organizations alike often assume that it covers any health information collected by any entity. In reality, this is not the case.
Washington's My Health My Data Act was adopted to close that gap. Its legislative findings state:
Information related to an individual’s health conditions or attempts to obtain health care services is among the most personal and sensitive categories of data collected. Washingtonians expect that their health data is protected under laws like the health information portability and accountability act (HIPAA). However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections.
Who Is Covered by the Act?
Legal entities that process consumer health data and either conduct business in Washington or produce or provide products or services targeted to consumers in Washington.
Which Data Is Covered?
Consumer health data is defined very broadly. It covers not only information that directly identifies a consumer's health status, but also data derived or extrapolated from non-health information, such as proxy, derivative, inferred, or emergent data generated by any means, including algorithms or machine learning. In practice, an entity that processes health-related data should assume that associated non-health data it infers from is covered as well.
- To process consumer health data, covered entities will have to obtain consumers' consent for a specified purpose, or show that the processing is necessary to provide a product or service the consumer has requested.
- Consumers are granted several privacy rights, such as the rights to access, deletion, and withdrawal of consent.
- Geofence tracking is prohibited around healthcare facilities.
- Covered entities are obligated to restrict access to consumer health data on a need-to-know basis, and to implement administrative, technical, and physical security measures that protect the confidentiality, integrity, and accessibility of that data, proportionate to its volume and nature.
- Contractors acting as processors are obligated to assist covered entities in meeting these obligations through appropriate technical and organizational measures.
FTC Enforcement Action Against GoodRx
The FTC's enforcement action against GoodRx, a digital health platform for prescription discounts and telehealth services, is the first enforcement of the Health Breach Notification Rule (HBNR), and the first such action against an entity not covered by HIPAA. It follows the FTC's 2021 Policy Statement on Breaches by Health Apps and Other Connected Devices, which was issued in response to "the explosion in health apps and connected devices".
The impetus for enforcement was that GoodRx had been sharing users' personal health information, including prescription and health-condition data, with third-party advertising platforms such as Facebook and Google, contrary to its privacy promises, and never notified consumers of these unauthorized disclosures. The FTC charged this as a violation of the HBNR, and GoodRx agreed to pay a $1.5 million civil penalty under the terms of the settlement.
- For organizations that process health data, it's important to note that the HBNR's categories of 'personal health record' and 'vendor of personal health records' are interpreted broadly, so apps and websites that hold identifiable health information can fall within them.
- The same is true of 'breach of security', which the FTC reads to include unauthorized disclosures by the company itself (for example, sharing with advertisers), not only external intrusions.
- Organizations should expect to be required to adopt and implement a data retention schedule, as well as a comprehensive privacy program that includes strong safeguards to protect consumer data.
Now that the FTC has set a precedent with the GoodRx case, it's safe to assume that the commission will be ready to investigate and enforce penalties in similar future cases.
Organizations that are best positioned to use health information and personally identifiable information (PII) responsibly are those with a comprehensive, scalable data security strategy. Data platform, governance, and security teams must be able to know what sensitive information is in their possession, control who is accessing it and why, and monitor usage to detect threats and prove compliance.
The Immuta Data Security Platform helps simplify these steps and achieve HIPAA compliance through automated data discovery, data security, and data monitoring. See how it’s done step-by-step in the HIPAA Security Compliance Playbook.