Organizations engaging with personal healthcare data need to pay close attention to the rapidly evolving regulatory environment. Over the next few years, the compliance requirements around personal healthcare data are set to evolve at breakneck speed. Surviving and thriving in this environment of regulatory change will require a more strategic approach to managing personal data.
For decades, personal healthcare data was regulated by a patchwork of federal and state-level, industry-specific data protection rules that left significant gaps in coverage. As a result, an individual's healthcare data, and the other personally identifiable data held by organizations working with healthcare information, fell under data protection rules only in some circumstances. Not surprisingly, most individuals today do not understand when their healthcare data is protected by data privacy rules and when it is not.
Now, the advent of new state-level data privacy laws, such as the California Consumer Privacy Act (CCPA), and the possibility of a comprehensive federal level law means it’s likely that those gaps in regulatory coverage will be filled, creating a range of new compliance requirements. These new data privacy rules – covering the previous gaps – present an opportunity for healthcare industry organizations to enhance the trust within their data relationships. Let’s look at an example of what is happening to see both the challenges and the possibilities.
Exploring CCPA and healthcare data
The impact of the CCPA on healthcare data privacy compliance will be significant, which makes it a good case study for what is to come. Until the CCPA takes effect in January 2020, healthcare data privacy and security in California is regulated primarily through HIPAA. However, HIPAA's Privacy and Security Rules apply only to "covered entities" (health plans, health care clearinghouses and health care providers that transmit health information electronically) and their business associates, and only with respect to "protected health information" (PHI). In practice, the organizations in scope are hospitals, clinics, health insurers and clearing houses that process medical data, together with the vendors that handle PHI on their behalf.
In contrast, the CCPA applies to any for-profit business that does business in California and exceeds one of its thresholds: more than $25 million in annual gross revenue, personal information on 50,000 or more consumers, households or devices per year, or 50 percent or more of annual revenue derived from selling personal information. The CCPA exempts medical information governed by California's Confidentiality of Medical Information Act (CMIA) and PHI collected by a HIPAA covered entity or business associate, so those categories of personal healthcare data continue to be covered by the existing rules. However, the CCPA now covers most other personal data created, processed and exchanged by the healthcare industry, filling in the gaps.
Understanding three big changes CCPA brings
CCPA will significantly alter the rules of the game for personal data in the healthcare industry. Below are three key ways in which organizations will need to rethink data privacy:
- Under the CCPA, individuals who are not patients also have their personal data protected, including any healthcare data held about them. HIPAA protects PHI about patients; its definition of PHI expressly excludes employment records held by a covered entity in its role as employer, so the personal data that healthcare organizations hold about their own doctors, nurses and other employees is not covered by HIPAA. The CCPA changes this in California: once it takes effect, the personal data of non-patients engaging with HIPAA-covered healthcare organizations falls under the new law. As a result, HIPAA-covered organizations (as well as other healthcare organizations) will need policies and processes for protecting all of their employees' personal data, including any healthcare data they hold about those employees, and for protecting employee data they share with third parties. California Assembly Bill 25 (AB 25) provides temporary relief by exempting employee, applicant and contractor data from most CCPA obligations until January 1, 2021, but the notice-at-collection requirement and the private right of action for data breaches still apply to that data, so the exemption does not free organizations from all CCPA requirements.
- With CCPA, other types of organizations that handle personal healthcare data will need to put protections in place. Thousands of organizations operating in California that are not covered by HIPAA – from pharmaceutical companies to the makers of watches that capture health statistics – will now need to comply with the CCPA’s requirements for all of the personal data they hold and process. This includes personal healthcare data, which is of a particularly sensitive nature. These organizations will need to put in place new approaches for securely managing all of this personal data. They will also need to communicate these changes to the individuals impacted. Many US consumers are not aware that their personal healthcare data isn’t legally protected under many circumstances, and so these communications will need to be undertaken with care. However, there is a real opportunity here to enhance consumer relationships if these activities are done well.
- Healthcare companies doing business in California will, in practice, have to apply CCPA controls across their entire US organization. Legally, the CCPA protects the personal information of California residents wherever it is processed. Healthcare organizations often operate in state-based silos because of state-specific regulations, but few can reliably segregate Californians' data from everyone else's, so the CCPA breaks down those silos from a data protection perspective. Organizations that process data on California residents will have to apply CCPA data protection policies and processes across their entire corporate network, managing this personal data in a more coherent way. This may create steep compliance challenges for many organizations not used to operating across state boundaries.
These are significant changes to the way personal data, and healthcare data in particular, needs to be handled under the CCPA. They will require impacted healthcare organizations to make substantial changes to the way they obtain, process and store this information. Organizations may be tempted to try to comply by implementing a variety of point solutions to tackle individual issues. However, this would be a costly and inefficient approach given the scale of the changes that have already happened, and of those to come.
Preparing for the healthcare data revolution
For organizations in the healthcare industry, the impact of the CCPA is just the beginning. A number of states, including Washington and New York, are working on CCPA-style laws of their own. At the federal level, a new data privacy bill is viewed as having enough bipartisan support to become law before the next presidential election cycle. Hearings are being held, and draft legislation, including a bill in the Senate, is making its way through the legislative process.
Change is coming, and it is coming soon. Healthcare industry organizations operating outside of California will soon have to face the same kinds of issues described above. In such an environment, a strategic approach to meeting personal data requirements over the long term makes sense. Tactical fixes aimed at short-term CCPA compliance may not be scalable to manage the coming multi-state or US-wide personal data rules. A proactive, enterprise-wide approach to data privacy enables organizations to scale compliance across multiple regulations quickly and easily.
It also empowers the organization to engage in a more proactive and responsive way with individuals. Prepared organizations can concentrate on enhancing the relationship of trust they have with their customers while competitors are still working hard to comply. Healthcare organizations that choose to implement an intelligent approach to data privacy once will be able to thrive in an environment of intense regulatory change.
Published at Thu, 07 Nov 2019 21:45:55 +0000