Data Security In Digital Practice
Are you confused about your obligations for maintaining data security in digital practice?
When you start researching tech platforms to use for telehealth, you rapidly get hit by a tsunami of acronyms such as HIPAA, BAAs, GDPR, OAIC and PIPEDA.
There’s a lot more to data security in digital practice than perhaps you initially thought.
Of course all regulated health professions have a legal responsibility to keep patient data safe.
As we transition to digital practice, however, more health information starts being transmitted online, in multiple formats, and so our legal obligations heighten.
In this post I will give you a layman health professional’s overview of the common terms and concepts around data security in digital practice.
I am Australian, but the tech platforms we all use for telehealth are global, so it is crucial that we are aware of global data security standards and concepts.
Blatant disclaimer: I am by no means a global data security expert, and you must do your own research into laws and regulations in your own state, country and region to ensure you are compliant before practicing telehealth.
HIPAA stands for the Health Insurance Portability and Accountability Act.
It is a law that was enacted in the US 1996.
One important purpose of the act is to ensure that health services claiming through the US medical insurance system keep protected health information (PHI) safe.
Under the act, the health service providers are called the ‘HIPAA covered entity’, and organisations that provide assistance or support to health service providers are called ‘Business associates’.
HIPAA requires that health professionals (covered entities) utilizing tech platforms to store and convey private health information sign a Business Associate Agreement (BAA) with the tech platform (the business associate).
Platforms considered to be ‘HIPAA compliant’ have taken steps to ensure that their security fits within the requirements of HIPAA, and they are set up to generate BAAs.
You are likely to be considered a HIPAA covered entity if you are a regulated health professional in the US.
There are many tools online that allow you to answer a series of questions to determine this.
Some US state-based health profession regulators state that all registered professionals are required to meet HIPAA compliance, even if they are purely cash based and are not claiming payment through the US insurance system, so US based health professionals must check local regulation.
If you are not in the US, if you are not part of the US insurance system, and if you are not carrying out any professional activities that would require you to be registered as a health professional in the US, HIPAA does not apply to you.
Don’t fall in to the trap of believing you need to pay a premium for a HIPAA compliant platform, because as you’ll discover in the next section, this does not ensure that the platform meets the highest global data security standards anyway.
The General Data Protection Regulation (GDPR) was implemented by the European Union (EU) in May 2018.
It is generally accepted that this establishes the EU as having the highest levels of data security standards in the world.
The GDPR is not health industry specific, but it completely incorporates the transmission and storage of patient health data.
The GDPR applies to any business entity dealing with citizens of the EU.
GDPR compliant tech platforms therefore comply with all aspects of the GDPR that are applicable to their role in data protection.
As a health professional or service provider under the GDPR, you are known as the ‘data controller’.
As the ‘data controller’ you also have specific legal obligations under the GDPR.
Simply using a ‘GDPR compliant’ platform is not enough.
An example of one of these obligations is the ‘right to be forgotten’, which requires actions from the data controller to delete patient information upon request.
This would be out of the hands of the GDPR compliant tech platform.
Tech platforms that are ‘GDPR compliant’ can be assumed to comply with the highest data safety standards in the world.
This can be a reassuring feature when selecting a tech platform for telehealth, even if you are not working with EU citizens.
In Australia, the Office of the Australian Information Commissioner (OAIC) oversees the The Privacy Act, which outlines the Australian Privacy Principles (APPs).
Although Australian health professionals must do their own research into these guidelines, it is generally assumed that if a digital practice meets GDPR standards, it is likely to also meet Australia’s standards.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian law that regulates data privacy.
When you are getting started in telehealth, think about where patient data travels and sits within your digital practice.
Are your strategies for sending emails and messages, prescribing exercises and collecting and storing patient data compliant with your legal obligations?
Granted many of these websites could double as a cure for insomnia, but data security in digital practice is something we must all be aware of.
We are dealing with this issue at present. Luckily we were introduced to very good lawyers who stress all these tips.
Your piece of advice is very clear to understand and very valuable.
Thank you Karen!