The trust between a patient and their care team largely rests on the privacy of their protected health information. This is the basis of data privacy which refers to the protection of sensitive personal health information contained in a patient’s medical record. More than 92 percent of patients believe privacy is a right and their health data should not be available for purchase, according to an American Medical Society (AMA) survey. With 75 percent of patients in that same survey reporting they are worried about the privacy of their health data, what are the best practices health care organizations should take to comply with regulatory laws and maintain trust with patients? What is health data privacy? Health data privacy is the responsibility to protect the sensitive information contained in medical records. This includes the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual or the past, present or future payment for the provision of healthcare for the individual. The HIPAA Privacy Rule established in 2003 includes national standards to protect individuals’ medical records and other individually identifiable health information. It applies to health plans, health care clearing houses and certain health care providers that conduct transactions electronically. The primary purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s PHI may be used or disclosed by covered entities. Why is health data privacy important? Protecting medical history, treatment and insurance data is paramount to the trust needed between patients and healthcare providers. Trust is vital so that patients will share accurate and comprehensive information with their doctors while knowing that their data is confidential. Healthcare professionals rely on this secure and accurate health information to make the most informed treatment decisions, coordinate care and improve patient outcomes. The integrity of the medical record is paramount to the overall state of health care. What is the difference between data privacy and data security? There is an intersection of data privacy, security and healthcare technology. It is common for data security and data privacy to be discussed in tandem; however, there are key differences between them. Data security focuses on protecting data from any unauthorized third-party access, breaches or other threats. It involves implementing policies, and technical, administrative and physical safeguards to keep data safe from external, and sometimes internal, threats. Data privacy focuses on who can access and use personal health information. Sometimes called information privacy, it involves policies and practices that govern how health information is collected, used and shared. The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) by covered entities and gives patients the right to access their own medical records while restricting unauthorized access. Privacy rules are also important to ensure that data deletion and destruction policies are followed. Bottom line: Data security protects PHI from unauthorized users, while data privacy makes sure that data is collected, used and shared appropriately. What steps should a health care organization take to ensure data privacy? Organization-wide approach. Develop a security and privacy culture. Make sure everyone in the organization is aware of the importance and expectations regarding data privacy. Executive buy in. Involve the Governance Board in the privacy policy review. Include broad representation, such as: Chief Operations Officer, Human Resources, Clinical, Finance, Marketing, Legal, Chief Data Officer, etc. Understand and evaluate risk. There are several frameworks to use to evaluate risk. The NIST Privacy Framework is one. Develop a Risk Registry. This document can be as simple as an excel spreadsheet to identify potential risks within the organization. It also serves as an ongoing log to track and manage risks and mitigation plans. Use the registry weekly and communicate the information to the executive team. Establish organizational privacy policies. Outline what the organization is doing to protect sensitive information. Include what the organization/staff should and should not do. To enhance policies in a mature organization, continue to review applicable laws (HIPAA, state, international if applicable) and share information with legal counsel to draft and/or update the policy documents. Review privacy resources. There are several free online resources to utilize when developing and updating the organization’s privacy policies. A few include: gov, CISA checklist. The AMA has a guide of Privacy Principles for a national privacy framework based on individual rights, equity, entity responsibility, applicability and enforcement. Further there is an AMA guide for app developers and app privacy attestations collected by EHRs. Consider third party attestation. HITRUST is a globally accepted standard for security and privacy. Plan for training. Develop an organizational plan for training to make sure everyone knows the expectations for proper data handling. Look at role-based training – especially for those who are handling protected health data. To streamline the time involved in setting up the training, consider using a learning management tool to support your training exercises. What are the best practices for data privacy? Organizational awareness. Make sure everyone in the organization is clear on the importance and policies of the privacy programs. Conduct initial and follow up with annual training. Limit access. Review those with high level credentials for data access on an ongoing basis. Inventory. Create and review a list of physical assets, data assets and who needs access to those assets. Keep an updated inventory of all systems and applications that includes cloud based and on-prem. Interview the leaders of the business (about which applications they are using, where the data is stored, who manages it, etc.) and update it annually. Lifecycle management. Look at log files, end of support for software, legacy applications, and be ready to modernize or move data. Look at vendors for turnaround time for support. Retention schedule. Keep track of applicable laws for all the different types of records that are used by the organization and how long the data must be retained. Tie it back to the data inventory. For example, emails may be kept for two years, and then work with IT to process through the destruction policy. Assess risk of third-party vendors. Continue to check in annually to confirm the vendor’s risk posture. Contractually require that third party vendors comply with the organization’s privacy policy and then audit annually to confirm. How does archiving support data privacy? With the average hospital using 10 EHRs and health systems keeping 18 different EHRs up and running, there is a large data footprint to keep in compliance for privacy and security. As EHRs are replaced, the legacy data needs to be retained to meet regulatory compliance and future needs. A smart solution involves an active archive like HealthData Archiver®. Archiving data centralizes legacy data into one location which eases the burden of implementing and monitoring privacy controls and auditing. Further privacy related benefits include the ability to perform data management checks such as audit logs, break the glass functionality, role-based access and purge functionality. How does Harmony Healthcare IT support data privacy? Leading healthcare providers of all sizes trust our team to consult on and deliver legacy data management solutions that support interoperability, security, and privacy requirements. Further, our Secure Record Delivery functionality allows legacy data stored within HealthData Archiver® to be available to an EHR or patient portal endpoint. And, our Record Release Service allows customers the option to outsource their release of information process to an experienced, secure agent who can facilitate information release to patients, payers, lawyers or employees. For more information about our take on data security and privacy, check out our webinar: Data Privacy & Security Best Practices for Hospitals & Clinics We look forward to hearing how we can support your lifecycle data management effort. We’re here for you.