We are experts in healthcare software development, and one of the most challenging aspects of delivering top-notch products is keeping them secure and compliant.
As cyber threats multiply over the years, keeping sensitive data secure while preserving or transferring it is often a top priority.
We’ve recently covered the best practices for data security in the healthcare sector. Now it is time to address a similar, yet quite different topic: compliance in the face of COVID-19. Regulation depends on the territory in which your business operates: the approach is very different in each jurisdiction.
The USA and Canada have a crazy mix of state/provincial and federal laws that complicates matters. Some companies have a plethora of corporate lawyers who keep a close eye on compliance regarding health data sharing.
COVID-19 has created a unique environment: regulators are able to adapt, but that adaptation brings even more complexity.
Viktoria Yaskevich, our healthcare specialist from the sales department, told us a little about the most popular questions our clients ask in regard to HIPAA, PIPEDA, GDPR, and other regulations, acts, and documents since the pandemic impacted the industry.
In this article, we’ll tell you how regulators in the US are trying to provide companies with guidance on health data, and how their Canadian peers deal with the same issue.
The general rule that hasn’t changed much in the face of the pandemic is the following: “Any collection, use, and sharing of personal information is limited to what is necessary and proportionate”.
However, there are plenty of subtleties, and most of them are territory- (jurisdiction-) specific.
The United States of America
On US soil, there are many state laws regulating the processing, use, and transfer of private health information (PHI) that your business must be aware of. At the same time, there is also the Health Insurance Portability and Accountability Act (HIPAA), which applies at the federal level.
However, HIPAA is pretty old (hello, the 90s) and is unable to cover contemporary technologies like modern health apps in their entirety.
For instance, COVID-19 tracking applications designed by Apple and Google have raised data privacy questions.
The general recommendation from Collington Consulting, a firm that helps organizations reach HIPAA compliance, is to implement a “comprehensive HIPAA compliance program that covers security and privacy requirements.”
In other words, follow the rules and use common sense while sharing sensitive data in an app that is regulated by a partly outdated law.
The US Secretary for Health and Human Services’ Office for Civil Rights (OCR) has published a fresh press release and guidance on when HIPAA permits the disclosure of PHI.
At the same time, OCR officially stated they won’t penalize healthcare providers for non-compliance with the HIPAA rules for privacy, security, and breach notification when it relates to their provision of telehealth services in good faith during the pandemic.
In effect, strict regulations became softer in the face of a pandemic that caused a surge in remote communications.
You have to keep a close eye on recently released updates on how to balance HIPAA compliance with the realities of combating COVID-19.
Data minimization, anonymization, and automatic deletion after a set time remain key to reducing the risk of breaching data protection law, as you then don’t have to rely on the temporary lack of enforcement.
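To make the three practices above concrete, here is an added example (not code from the original article or from our products) that minimizes a PHI record to the fields a declared purpose needs, replaces the direct identifier with a keyed pseudonym, and purges records past a retention window. The purposes, field allow-lists, retention period and sample record are all assumptions constructed for the example, not taken from HIPAA, PIPEDA or OCR guidance.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical purpose-to-field allow-lists (assumption for this example).
PURPOSE_FIELDS = {
    "treatment": {"patient_id", "name", "dob", "phone", "test_result"},
    # Reporting gets no direct identifiers: only coarse, derived attributes.
    "public_health_report": {"pseudonym", "birth_year", "postal_prefix", "test_result"},
}


def pseudonymize(patient_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable for joins, not reversible without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(raw: dict, purpose: str, key: bytes) -> dict:
    """Keep only the fields the declared purpose needs; derive coarse values."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no allow-list for purpose {purpose!r}")
    derived = dict(raw)
    derived["pseudonym"] = pseudonymize(raw["patient_id"], key)
    derived["birth_year"] = raw["dob"][:4]             # "YYYY-MM-DD" -> "YYYY"
    derived["postal_prefix"] = raw["postal_code"][:3]  # forward sortation area only
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in derived.items() if k in allowed}


def purge_expired(records: list, now: datetime, retention: timedelta) -> list:
    """Automatic deletion: drop every record older than the retention window."""
    return [r for r in records if now - r["collected_at"] < retention]


# Constructed sample input (not real patient data); load the key from a secret store.
KEY = b"example-key-replace-with-managed-secret"
SAMPLE = {"patient_id": "P-1001", "name": "A. Example", "dob": "1985-06-14",
          "phone": "555-0100", "postal_code": "M5V 2T6", "test_result": "positive"}


def demo(now: datetime = datetime(2020, 6, 1, tzinfo=timezone.utc)) -> dict:
    """Minimize for reporting, then apply a 30-day retention to two stored copies."""
    report = minimize(SAMPLE, "public_health_report", KEY)
    store = [{"collected_at": now - timedelta(days=40), "data": report},
             {"collected_at": now - timedelta(days=5), "data": report}]
    kept = purge_expired(store, now, timedelta(days=30))
    return {"report": report, "kept": len(kept)}
```

Note that `minimize` refuses any purpose without an allow-list, so a new use of the data cannot silently inherit the full record.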
Even in emergency situations, healthcare companies “must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures”.
Any disclosure of PHI must be justified. In cases where information is requested for COVID-19 treatment or prevention purposes, the disclosure should be considered to the extent that it is made “in good faith” for general public health purposes, according to the “Winston and Stone” law firm.
OCR temporarily allows disclosures of PHI between health organizations and business associates.
At the same time, the people within the companies who are responsible for compliance must evaluate each business relationship and arrangement in relation to the HIPAA rules.
Access to PHI for all business partners must be granted only after concluding a business associate agreement (BAA).
“Having an executed BAA in place is something OCR always looks for in these covered entity and business associate relationships,” US lawyers note.
Viktoria Yaskevich, our healthcare software expert, emphasized that, while we retain access to certain functions of the software even after releasing our products to our partners, we as subcontractors never have access to the personal or health data of their real clients: it is always encrypted while stored, used, or transmitted on the healthcare provider’s services.
The core of compliance is the security of the PHI, so that should be the center of any measures companies are developing to share health data.
Summing up, the person responsible for compliance in a US healthcare company must:
- ensure standard data minimization practices are implemented
- invest in internal/external compliance expertise
- sign a BAA before sharing PHI
- remember that investments in preventing data breaches are steep in comparison with the ones for their reimbursement.
Canada
Regulation in Canada differs slightly. There is a certain set of privacy laws applicable to healthcare. The Personal Information Protection and Electronic Documents Act (PIPEDA) works at the federal level, and local laws control operations with the data in certain provinces.
Wendy Mee, co-chair of the Blakes Privacy group, says the following in regards to PIPEDA:
“Healthcare companies need to carefully consider what their obligations are with respect to patient data because they could be subject to varying provincial health information legislation, public-sector privacy laws, professional obligations relating to patient privacy, and private-sector legislation like PIPEDA.”
According to Mee, it is important to ensure that “healthcare providers have a lawful basis to share the information, and that any sharing is limited to what is necessary and proportionate.”
The Office of the Privacy Commissioner of Canada (OPC) has issued guidance to help organizations subject to federal privacy laws understand their privacy-related obligations during the COVID-19 outbreak.
During a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.
For the private sector, this means obtaining meaningful consent where possible.
Specialists in the field state that “it would have been helpful for the OPC to provide specific examples of when personal information may be shared for COVID-19 related purposes, including specific examples of when exceptions from the consent requirement may apply.”
Similar to regulatory advice in the US, data minimization is key to businesses keeping data secure.
OCR has released a four-part test to check if your healthcare company is in line with their guidance when considering whether a collection, use, or disclosure of personal information is necessary and proportionate:
- Is the collection, use, or disclosure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is the loss of privacy proportional to the benefit gained?
- Is there a less privacy-invasive way of achieving the same end?
If the answer to the first three questions is yes, you may proceed with the corresponding collection, use, or disclosure of the data.
However, if the answer to the fourth question is also yes, you should choose the less privacy-invasive way instead.
There are similarities and differences in the regulation of healthcare data use and transfer. The number of documents and guides on this is enormous and territory-specific.
General advice both for companies in Canada and the USA is that compliance teams have to be aware of the varying provisions in federal and state/provincial privacy legislation.
Placing access restrictions on data collected for healthcare purposes, so that it is not accidentally shared for other reasons, and ensuring the required information is only shared with individuals who absolutely need access to it, is an absolute must.
Data minimization, common sense, strong documentation, and justification of sharing arrangements will help you avoid data breaches and remain a company that doesn’t violate the laws of the countries in which it operates.