In the U.S., the HIPAA Privacy Rule protects a subset of individually identifiable health information known as Protected Health Information (PHI) that is created or maintained by a covered entity or by business associates acting on its behalf. The Privacy Rule protects PHI in all forms: electronic, oral, or paper. Examples of PHI include names, Medical Record Numbers (MRNs), dates directly relating to the individual, health insurance information, and biometric identifiers. The rules and regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protect both the privacy and the security of sensitive patient health information. They also define covered entities as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard. The Rules further define a business associate as a person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples of business associates include a third-party billing or coding company, an attorney whose legal services to a health plan involve access to PHI, an independent medical transcriptionist, or an IT consultant.
The use and protection of PHI have evolved over time, from medical information used for the treatment of specific ailments (prescriptions) being recorded on clay tablets in ancient Mesopotamia, to medical data being recorded and stored in both paper and digital formats today, including on wearable devices and in mobile applications. In the early days of modern healthcare, patient records were usually kept on paper and were accessible only to a limited number of people, typically the health professionals directly involved in the patient's care. Because of the nature of that format, important records such as a patient's medical history were easily lost or damaged.
Wearable technologies are electronic devices worn close to the skin, including smartwatches, blood pressure monitors, sensors, and fitness trackers. These devices are used by approximately 30% of Americans. The data recorded by such wearable devices is protected by HIPAA only if the device is an extension of a service provided by a covered entity and the data is exchanged between the covered entity and the wearable technology company. Because of this limitation, data tracked by consumer devices such as smartwatches and fitness trackers is generally not protected by HIPAA. Similarly, mobile applications used for monitoring sleep, weight loss, and family planning are not protected by HIPAA.
In 2022, the company Meta came under scrutiny because its Meta Pixel tracking code was present on the websites, patient portals, and appointment scheduling pages of health care providers. This code collects information such as button clicks, data entered into form fields, and other user-specified data. Although such tracking is intended to improve the user experience of a website, the data collected and sent to Meta could contain patients' PHI. The issue was that Meta was not a business associate of the covered entities from which it was collecting data, and express consent from the patients had not been obtained.
The use of PHI, particularly in electronic medical records and research studies, has become an integral part of the healthcare industry. The protections enacted by HIPAA offer benefits to consumers, including the right to access and request corrections to their medical records, and limits on how their health information can be used and shared with others. Benefits for healthcare professionals include a more accurate and effective way to create and access a patient's medical record. But, as with any technology, risks and challenges result from its implementation, including security concerns, especially because the data is centralized. When a data breach occurs, state laws, in addition to HIPAA, may apply to the notification requirements. Notification must be provided to affected individuals within a reasonable time frame, and due diligence must be exercised to reach everyone involved. For an organization, the consequences of failing to do so can include a loss of revenue, a decline in market share, and financial penalties. For the individual who is the victim of a data breach, the consequences can include identity fraud.
After a cyber breach, you need a team ready to hit the ground running. We’re here for you 24/7/365. That’s our promise.
Our incident response project managers, data analytics experts, and review specialists are seasoned professionals who understand the magnitude of the situation your company is facing and the related expenses. We are here to ensure timely, accurate notification of affected parties.
CyTrex Cyber helps entities that need assistance managing a cybersecurity incident or that want to learn more about cyber breach management. Insurance carriers, law firms, businesses, government agencies, and educational institutions depend on us for cyber incident response support.
© 2023 CyTrex Cyber, Inc