03. Key Healthcare Data Security and Privacy Standards
Key Healthcare Data Security and Privacy Standards
ND320 AIHCND C01 L01 A03 Key Healthcare Data Security And Privacy Standards And Terminology V2
Key Points
Key Industry Regulations
Healthcare data security and privacy regulations are ubiquitous around the world. Most countries have regulations regarding data security and privacy around electronic health records with varying levels of complexity. However, for this course, we will focus on U.S. healthcare regulations.
United States:
- HIPAA: The Health Insurance Portability and Accountability Act is the key industry regulation that you should be familiar within the U.S.
- HITECH: The Health Information Technology for Economic and Clinical Health Act is also important to note and this is really just an update to HIPAA that accounts for technology.
HIPAA was passed in 1996 and then updated in 2009 under the HITECH act to evolve for digital technologies. While it might seem like EHR has been around for a while, it was only a little over a decade ago when the foundational legislation really was put in place that made the healthcare community start moving towards digitizing and putting their records in electronic format. Even now many systems are legacy systems that are built off of transcribed handwritten notes and other unstructured formats that organizations are spending large amounts of time to normalize and aggregate this info.
EU: European Union
- GDPR: The General Data Protection Regulation is generally considered more stringent than even HIPAA when it comes to protections for patients.
United Kingdom:
- DPA: The Data Protection Act really builds off of and add to GDPR
Additional Resources:
PHI
PHI: Protected Health Information
Probably one of the most important terms that you should be familiar with is PHI, which stands for protected health information.
PHI is a part of HIPAA that protects the transmission of certain types of personally identifiable information such as name, address, and other info. Certain information in an electronic medical record is considered PHI and must comply with HIPAA standards around data security and privacy. This informs not only how you transmit and store data but also data usage rights and restrictions around building models for other purposes than the original use.
PHI by nature is identifiable information and can be used to easily identify a person. However, please note that omitting this information does not ensure that a person can not be identified.
Additional Resources
Covered Entities
Covered Entities: are a group of industry organizations defined by HIPAA to be one of three groups: health insurance plans, providers, or clearinghouses. You can see from the table the types of entities in each category.
These groups transmit protected health information and are subject to HIPAA regulations regarding these transmissions.
Other Covered Entities:
Business Associates: A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
- Covered entities can disclose to BAs under Privacy Rule
- Only for a purpose allowed by the covered entity
- Safeguard data against misuse
- Comply with other requirements of the covered entity under HIPAA Privacy Rule
- Covered entities can disclose to BAs under Privacy Rule
Business Associates Agreement/Addendum (BAA): this is the contract between a covered entity and BA
Additional Resources
Covered Entites
Sample Business Associate Agreement
Business Associate Guidance
Key Healthcare Data
SOLUTION:
Government AgencyPHI Quiz
SOLUTION:
- Protecting PHI is important for maintaining patient privacy.
- According to HIPAA, PHI stands for protected health information.