By Kelly McLendon, RHIA, CHPS; Andrew Rodriguez, MSHI, CHPS, MSHI, HCISPP, C; Chris Apgar, CISSP, C|CISO; and Julia Huddleston, CIPP/US, CIPM, CCSFP
The COVID-19 public health emergency has forced privacy and security professionals in healthcare to adapt to new realities and practices for the indefinite future.
Tasks such as implementing evolving guidance from regulators like the Office for Civil Rights (OCR) and applying enforcement waivers to rules like HIPAA and SAMHSA 42 CFR part 2 substance abuse rules (Part 2); safeguarding protected health information (PHI) from external sources, like contact tracing and epidemiological reporting; and safely scaling up alternative care technologies like telehealth have been added to the already-full plates of privacy and security professionals.
All the while, bad actors continue to probe for vulnerabilities in the digital ecosystems of hospitals and health systems. Vigilance and the need for effective cybersecurity controls have only increased with the disruption wrought by the pandemic.
Privacy and Security—Better Together
It won’t be a surprise to anyone in healthcare that our industry is the most vulnerable to cyberattacks. Medical and patient records are brimming with detailed and highly sensitive information, making them lucrative targets for digital criminals, according to Ernst & Young.
Greater investment in cybersecurity technology, training, and strategy is certainly warranted. However, cybersecurity is only part of the protection that must be afforded to all personal information. Healthcare also needs to increase the time and budgets associated with privacy compliance, which historically have been low compared to security, but will only increase in visibility and importance as cyberthreats grow more numerous and sophisticated.
Security and cybersecurity are primarily hardware- and software-based. Privacy, which focuses on the electronic use of data, relies less on technology and more upon information use and management.
Digital transformation and world-changing events, like COVID-19, have created an urgent need for more robust regulations and laws concerning privacy and security. Among US industries, healthcare is one of the few with robust privacy and security laws—specifically, HIPAA and 42 CFR Part 2.
As a world leader in healthcare privacy regulations, HIPAA sets a very high bar with its Privacy Rule and Security Rule, along with 42 CFR Part 2, which sets protections for substance abuse patients and records. The Privacy Rule elucidates patients’ rights in relation to their protected health information (PHI), as well as requirements and protections for covered entities and business associates. These rules are well known in the US, though often misinterpreted. They also are held up for examination by states and countries crafting similar privacy legislation.
However, even these “gold standard” laws are—despite some updates—limited by the definitions and scopes that were laid down when the laws were enacted in 1996 and 1975, respectively, and may be insufficient for meeting today’s threats to health information.
The US and the rest of the world are awakening to the fact that more privacy laws, rules, and regulations are needed to protect the vast expansion of personal information. To shore up US regulations, it would be beneficial to look at modern healthcare privacy standards in other parts of the world, many of which were initially developed with HIPAA as a cornerstone.
Asia and the Middle East
In the past several years, many countries in Europe, Asia, and the Middle East have dramatically expanded privacy laws.
For example, Singapore enacted the Personal Data Protection Act (PDPA) in 2014. As the Personal Data Protection Commission Singapore states, this law was established based upon “growing concerns from individuals about how their personal data is being used.”
Data protection laws to govern the collection, use, and disclosure of personal data are necessary to address these concerns and to maintain individuals’ trust in organizations that manage data. By regulating the flow of personal data among organizations, the PDPA also aims to strengthen and entrench Singapore’s competitiveness and position as a trusted, world-class hub for businesses.
Abu Dhabi in the United Arab Emirates has robust security laws promulgated by the Abu Dhabi Department of Health, based in large part upon US standards, but they have not yet enacted corresponding privacy laws. However, like other nations with substantial business considerations, they are diligently investigating and strategizing about how best to implement national privacy laws to protect personal information.
In the past there have been global security and privacy standards, such as those that the International Standards Organization (ISO) has published over the years, but there was no coherent, overarching national privacy law of the modern type, built to protect individuals’ data privacy in the fully connected digital world of computers, smartphones, the internet, and the “internet of things.”
The European Union
When examining privacy laws around the world, the strength of a country’s rules often mirrors the privacy protections already enshrined as rights for the population.
For example, the US does not have a national right to privacy. Instead, privacy is enshrined in a confusing—and often contradictory—patchwork of state laws and regulations.
The opposite approach was taken by the Council of Europe, which made the right to privacy part of the 1950 European Convention on Human Rights, which states, “Everyone has the right to respect for his private and family life, his home, and his correspondence.”
From this foundation, the European Union (EU) sought to ensure the protection of this right through legislation—the General Data Protection Regulation (GDPR), which governs data protection and privacy in the EU and the European Economic Area (EEA)—all 28 countries of the EU, the United Kingdom (UK), Norway, Liechtenstein, and Iceland.
Since the GDPR was enacted in 2018, more than 50 other national privacy laws have been implemented, including those of Argentina, Australia, Brazil, Canada, the Czech Republic, and Denmark.
GDPR applies to companies and delineates personal rights. Under certain conditions, the GDPR applies to companies that are not in Europe. The scope of GDPR is so wide and includes multitudes of organizations with operations outside the EEA that privacy and security experts need to understand when and how the GDPR applies outside the EU.
The law was designed to give individuals more control over how their data are collected, used, and protected online. The law applies to organizations that target or collect personal data related to individuals in the EEA. Although GDPR is primarily a privacy law, there are elements of security included as well. GDPR has a severe set of penalties that have already been levied, making compliance mandatory for any organization to which it applies.
Studying the fundamentals of GDPR illuminates one’s understanding of what privacy laws can be, since as new ones emerge, they will inevitably draw from their predecessors in scope and requirements. GDPR is primarily a privacy law, but there are some related security elements; any one of numerous security frameworks, such as the NIST Cybersecurity Framework or a HIPAA Security Risk Analysis, may be used to assess the security controls mandated.
Personal Information. In trying to strike a balance between an individual’s rights and legitimate business needs, GDPR defines personal information as follows: “Personal data” means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Furthermore, the GDPR only applies to personal data processed in one of two ways:
- Personal data processed wholly or partly by automated means (or information in electronic form)
- Personal data processed in a nonautomated manner, which forms part of, or is intended to form part of, a “filing system” (or written records in a manual filing system)
This definition is much wider in scope than HIPAA’s 18 identifiers, because economic, cultural, and social identity are included. This wraps the law around social media and many more digital presences than HIPAA was ever intended to address.
Data Controllers and Processors. GDPR is focused on the businesses that collect and manage personal information, as well as several privacy rights for individuals. As for the businesses that collect and manage personal information, there are many kinds and they are located all over the world.
With GDPR, hospitals are referred to as data controllers, a role equivalent to HIPAA’s covered entities. They may also work with businesses that handle their data, called data processors, which are similar to HIPAA’s business associates.
A data controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A data processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. Whether or not GDPR applies to a particular organization is a matter of complex legal applicability best managed by legal counsel.
Data controllers are required to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this regulation,” taking into account “the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.”
Similar to the concept of risk management utilized by NIST and US security infrastructure, the gist is to implement appropriate security and privacy controls, such as encryption, access controls, determination of the terms of personal information collection and utilization, amending, correcting, or modifying personal information (PI), terms of data processor agreements, retention timeframes, and data destruction. Data processors are allowed to operate with the PI only according to agreed-upon contracts and with the principles of data protection by design and by default. Data controllers and processors are required to institute data necessity and minimization, which is similar to HIPAA’s minimum necessary principle.
Other areas of the rules include breaches, privacy notices, policies, training, data privacy impact analysis (DPIA), audit and evaluation, data transfers, internal and external reporting, documentation of compliance, and enforcement.
GDPR Individual Rights for Personal Information. Under the law, individuals—who can be patients—have an assortment of privacy rights, which in turn create private rights of action. This is unlike HIPAA, but similar to the California Consumer Privacy Act (CCPA). Some of these rights expressly require individual opt-in or consent, while others are based upon requests from the individual for execution of the right. Many of these rights are similar to HIPAA’s nine rights, but there are significant differences as well.
- The Right to Access Information (Article 14). This includes confirmation that PI is being processed, who is processing what information, where the processing takes place, and why their PI is being processed, as well as who is storing their PI, where, and for how long. Similar to HIPAA, the individual (patient or their representative) can look at the information in the record system within which it is contained or get a copy.
- The Right to Erasure or To Be Forgotten – (Article 17). This right is not similar to anything in HIPAA, addressing erasing and forgetting personal information if consent is withdrawn and there is no other legal basis for the processing. This is a very significant right that is not complementary with privacy laws like HIPAA for treatment records, for which a concept of erasure or destruction of information being controlled by the individual is not feasible. In a US hospital, certain classes of the personal information may be subject to this rule under GDPR—for example, web-derived browsing habits gathered from internet cookies—but any treatment-useable information would not apply.
- The Right to Rectification – (Article 16). Similar to HIPAA’s amendment request right, this right allows for incorrect or incomplete information to be amended.
- The Right to Restrict Processing – (Article 18). Complicated restrictions may be requested on the use of the PI; this is similar in context to, but very different from, HIPAA’s right to request restrictions.
- The Right to Data Portability – (Article 18). Rules about individuals receiving electronic files and formats of PI.
- The Right to Object – (Article 18). The right to object to the processing of their information, including profiling, where the processing rests on a legal basis of public or legitimate interest, or is for direct marketing. For example, a patient can object to PI related to their prescription medications being used for marketing purposes.
- Breach Rights – (Articles 4, 33 and 55). Breach rights, determination, and reporting are included.
California Sets the Tone
GDPR represents a tipping point for privacy laws in that it is setting a pattern of rights and responsibilities that other countries or states can draw from.
In the US, the California Consumer Privacy Act (CCPA) is the leading privacy law by a US state, especially since its scope is also wider than the state’s natural boundaries, encompassing many companies managing data of California residents, and it was the first comprehensive privacy law in the US. The approach CCPA takes is different from GDPR, although there are many similarities. With its vast economy, California is ranked with other world-leading privacy laws.
Washington state and several others are poised to create their own privacy laws, but as of now have not. Other privacy initiatives that are fueling the rise of US privacy regulations are the 21st Century Cures Act (Cures Act) and the Interoperability and Information Blocking rules, which contain privacy protections.
Once implemented in late 2020 or sometime in 2021, the Cures Act will dramatically alter the methods by which patients and other third parties will be able to request and receive their own disclosures of their patient information. There will be extensive privacy and security considerations to address within the EHR systems that store the information and will have to expose application programming interfaces (APIs), some of which have not been worked out. The Cures Act envisions easy access from third-party applications under the rules, but upon close examination there are a great deal of unknowns related to privacy to be worked through. There also is a looming issue: once an automated request and delivery of patient information has been accomplished and the information is passed out of the EHR, HIPAA will no longer apply upon entry into the requesting device. That means the receiving entities, in the absence of a law like CCPA, would be able to sell and use the patient information without regulation other than from the Federal Trade Commission. This is an example of how new scenarios are arising that will require more extensive privacy laws, especially ones beyond the limited scope of HIPAA.
There is also a new NIST Privacy Framework, similar to the NIST Cybersecurity Framework, which serves as a first shot at a standard for privacy across all business sectors, including healthcare. These frameworks are listings of privacy controls drawn from numerous sources that can and should be implemented. They can be used, with some modification to make them useable as an assessment tool, to assess privacy compliance across the scope of their standard. While they do not in and of themselves have the force of law, they are often used in assessment mode to document a privacy or security program’s compliance.
CCPA Fundamentals. Similar to GDPR, which served as a reference point, CCPA addresses digital PI with a scope directly addressing the residents of California. However, as is true with GDPR, the structure of the applicability widens the scope dramatically upon examination. GDPR and CCPA differ in approach but are similar in intent. Both laws focus on PI for natural persons, although their definitions differ, which makes application of both tricky, especially in light of the extraterritorial scope of the two laws.
CCPA applies to any for-profit entity that does business in California and meets one or more of these conditions:
- Has $25 million in annual gross revenue
- Annually buys, receives, sells, or shares the PI of 50,000 or more consumers, households, or services for commercial purposes
- Derives more than 50 percent of its revenue from selling consumers’ PI
These conditions affect many organizations inside and outside California and applicability is not easy to calculate. Therefore, many businesses have determined, rather than risk enforcement, to put privacy compliance programs in place that cover CCPA and other related privacy laws. As for healthcare covered entities and business associates, they may easily be subject to both HIPAA and CCPA; understanding how and where the differing laws apply is now required for privacy compliance.
Per the Compliancy Group, CCPA includes a HIPAA exemption which is two-fold, with the first part dealing with the PHI that is collected by a covered entity or business associate. The second part is less clear, dealing with covered entities that maintain PHI in a certain way.
Part 1 of the CCPA HIPAA exemption (California Civil Code 1798.145(c)(1)(A)): PHI collected for the treatment, payment, or healthcare operations would qualify for the CCPA HIPAA exemption. However, health information that is collected for other purposes would not fall under the CCPA HIPAA exemptions and would be subject to the stricter privacy laws set forth by the CCPA.
Part 2 of the CCPA HIPAA exemption (California Civil Code 1798.145(c)(1)(B)): A covered entity may qualify for the CCPA HIPAA exemption under part 2. Part 1 exempts PHI, while Part 2 exempts providers, under certain circumstances. A covered entity governed by the HIPAA privacy, security, and breach notification rules is exempt from the CCPA to the extent the covered entity properly safeguards PHI under HIPAA. This means that if a covered entity is not compliant with one or more HIPAA regulations, the covered entity is not in complete compliance with the CCPA.
CCPA grants California residents new rights for their PI and imposes data protection requirements on organizations that conduct business in the state of California. Don’t be confused into thinking that conducting business means an elaborate storefront-type operation. Web transactions with California residents, wherever they may be, are a form of conducting business. In that light, it is easy to see that a lot of entities will have CCPA applicability. Unlike HIPAA, CCPA provides some private rights of action against companies, through which consumers or courts may seek relief.
Security is not addressed in CCPA except to the extent that there is a right of action for certain breaches and there is a duty to implement and maintain reasonable security practices. Reasonable security practices are similar to the approach of GDPR, not being specific as to which security frameworks or controls are to be utilized. In this case either the NIST Cybersecurity Framework or HIPAA Security Rule should suffice to implement and maintain reasonable industry-standard security control and compliance programs.
CCPA Personal Information. PI is described as information capable of being associated with, or that could reasonably be linked, directly or indirectly, with a consumer or household.
In the CCPA, personal information is defined as: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
According to the CCPA, personally identifiable information (PII) is a broad category of all kinds of data ranging from the most straightforward and intuitive personal data to things that might not at first sight seem like personal data at all.
CCPA is meant to apply to broad categories of data defined as PII, which is essentially personal information or PI, and includes the following list. Some items on the list are less obvious than others; part of the challenge with this law is understanding what applies and when.
- Direct identifiers such as real name, alias, postal address, Social Security numbers, driver’s license, passport information, and signature
- Indirect identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names
- Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data
- Geolocation data, such as location history via devices
- Internet activity, such as browsing history, search history, data on interaction with a webpage, application, or advertisement
- Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information
In the CCPA, personal information has no format or medium limitation, which means that even pictures or sounds can qualify as personal information if they fall under the definition in the law.
Individual Rights for Personal Information. A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
- The categories of personal information it has collected about that consumer
- The categories of sources from which the personal information is collected
- The business or commercial purpose for collecting or selling personal information
- The categories of third parties with whom the business shares personal information
- The specific pieces of personal information it has collected about that consumer
Similar to GDPR and the HIPAA Privacy Rule, CCPA provides for defined rights for individuals under the law. These rights are again similar to the other rules, but there are differences, again increasing the difficulty of complying with numerous privacy laws. For example, there is no right of amendment (rectification), a seemingly large omission that perhaps can be added in later versions. Likewise, there is no right to restrict or object to processing.
- The Right to Opt-out of PI Sales. Businesses must enable and comply with a request to opt out of the sale of PI to third parties, including providing a clear “Do Not Sell My Personal Information” link and not requesting reauthorization for at least 12 months. This right has no direct analog in GDPR, but individuals may use other associated rights to achieve the same effect.
- The Right to Disclosure of and Access to Information. Individuals have the right to request copies of and access to their information, and also to request additional details about their PI, its uses and purposes, and the third parties with which the business shares information.
- The Right to Deletion or Erasure. The right to have PI deleted by the businesses that collected it, subject to some exceptions. CCPA does not state a right to be forgotten, as in GDPR, but the effect is nearly the same.
- The Right to Data Portability. Rules about individuals receiving electronic files and formats of PI. Must be able to transmit PI from one business to another.
- Breach Rights. Breach rights, determination, and reporting are also included in CCPA.
The Way Forward
HIPAA has allowed the US to maintain its perch as the world leader in healthcare privacy and security. However, even this landmark law faces an uphill climb in a modern world.
First, there is much more PI—in both healthcare and the vast universe of business information outside healthcare—captured, processed, sold, and used than what is protected by HIPAA. But the scope of the HIPAA privacy rule has proven fixed and inflexible, unable to keep up with the explosion of PI that is commonly managed within mobile apps and other platforms.
Second, the COVID-19 response has added new uses and needs for data acquisition and sharing. The difficulties of managing information gathered from remote sites and the move to telehealth as a primary care delivery model, to name just two examples, have created information security and cybersecurity challenges that will realistically take years to unwind.
These challenges grow more formidable in the face of the country’s state-oriented approach to privacy laws, which has had the unfortunate consequence of creating a patchwork of regulations, jurisdictions, and definitions. Determining what information is protected and what businesses are subject to compliance measures can quickly descend into a confusing morass of inconsistent compliance that would be nearly impossible to manage.
Patients are clamoring for more protections, and many states are responding with protections that overlay HIPAA with differing approaches. It is also worth noting that many AHIMA members are at the forefront of US healthcare privacy compliance. The movement toward more laws and regulation may mean an increase in budgets associated with privacy compliance, which historically have been low compared to security.
It’s possible that national privacy legislation will emerge in the US, but no initiative seems destined to succeed at this time. The US does not formally recognize privacy as a human right. However, HIPAA provides the federal government with a precedent to apply a centralized, standardized approach to a widely scoped privacy law.
Tomzik, Kristine. “What Hospitals Need to Know about GDPR – 2019.” Unpublished.
SB-1121 California Consumer Privacy Act of 2018; Amended September 2019; Section §1798.100 of the California Civil Code.
Republic of Singapore. Singapore Personal Data Protection Act. December 7, 2012.
Kelly McLendon (firstname.lastname@example.org) is managing director of CompliancePro Solutions. He has been a HIM practitioner for more than 40 years, and speaks on HIM, privacy, security and legal records around the world.
Chris Apgar (email@example.com) is CEO and president of Apgar & Associates, LLC, and a nationally recognized information security and privacy expert.
Andrew Rodriguez (AMRodriguez@shrinenet.org) is the privacy and information security officer for Shriners Hospitals for Children.
Julia Huddleston (firstname.lastname@example.org) is CFO/COO of Apgar & Associates, where she works with clients on privacy issues related to federal and state laws, and provides guidance around certification readiness, compliance assessments, security risk analysis, and policy and procedure review and implementation.