
A one-size-fits-all approach is out: healthcare providers and payers have more ways than ever to engage with patients and future customers. However, the problem of guiding patient interactions while respecting patient data privacy remains.
According to a McKinsey report, patients expect personalized engagement and a coherent customer experience throughout their healthcare journey and coverage transitions.
Here are three HIPAA considerations for navigating the intersection of personalization and data privacy while meeting regulatory requirements.
Understand the rules and regulations
HIPAA has continued to evolve since the Department of Health and Human Services (HHS) regularly adjusts regulations to meet the demands of the digital age. There is a fine line between compliance and non-compliance. The HIPAA Privacy Rule gives individuals important control over whether and how their protected health information is used for marketing purposes and disclosures. With few exceptions, the rule requires written authorization from individuals to disclose their data and use it for marketing.
Conduct a comprehensive digital compliance audit with HIPAA
There are seven key areas to consider:
- PHI/ePHI and backup storage. A good platform should be able to track engagement without collecting or processing PHI or ePHI (protected health information and its electronic form), but it should also be able to handle such data properly when the conditions require it. You must consider the security of your data, the type of PHI you are collecting, and backup storage that gives you the best possible recovery.
- Managed service type. There is no specific HIPAA certification for managed service providers, so it is important to ensure that vendors follow all precautions needed to maintain HIPAA compliance. For cloud hosting, for example, the important factors are the physical location of the servers, certifications (ISO 27001 and SOC 2), independent audits and SLAs.
- Business Associate Agreement (BAA). Can the vendor sign one? Even when a BAA is in place, clients should keep in mind that it needs to be updated regularly to stay in line with the HIPAA Consolidated Rules.
- Data encryption and transmission. HIPAA does not name a specific encryption standard for compliance; the law is written to accommodate general advances in technology, so the choice of encryption for stored and transmitted data is left to the organization.
- Audit log and change log. You must know who has access to the data and who has changed it. Audit logs and an effective process for reviewing them are required.
- 100% data control. Vendors should be able to guarantee that they do not repurpose the data their customers collect.
- Security review. Both client teams and suppliers need to be regularly reviewed and educated about recent HIPAA updates – something the legal department should coordinate. For analytics vendors, regular audits and penetration testing by independent security researchers are mandatory.
Invest in an appropriate data platform (a platform capable of signing BAAs)
A business associate agreement, known as a BAA, is a contract between a HIPAA-covered organization and its business associate. It obliges both parties to protect protected health information (PHI) and follow the guidelines set out by HIPAA.
Under the HITECH Act (Health Information Technology for Economic and Clinical Health Act), any HIPAA-related business is automatically subject to audit by the U.S. Department of Health and Human Services (HHS) and is responsible for any data breaches or misconduct in the processing of the data.
Healthcare leaders and professionals have a responsibility to help draw the line between patients’ personalized convenience and their right to data privacy.
Patients should be able to find information relevant to them and their specific health needs. Making that happen requires exploring the nuances of, and understanding, the individuals our healthcare system serves. With the right technology, safe and compliant use of information, and conscious creativity, we will ultimately achieve the goal of patient personalization.