With the rising adoption of healthcare apps and wearable devices that gather medical data, the importance of data privacy for healthtech companies is greater than ever.
Broadly defined, “healthtech” is any technology that assists with someone’s healthcare. While this includes applications from traditional healthcare providers, it also includes technology that handles healthcare data, like fitness apps, nutrition apps, or biometric wearables. This means that the companies behind these technologies — healthtech companies — often deal with protected health information (PHI).
Healthtech companies greatly benefit consumers, but working in this space also means plenty of risks. For example, HIPAA is a set of rules that governs how organizations use and protect the PHI of their patients and customers.
Companies that work with PHI must ensure they’re HIPAA-compliant, lest they face fines, lawsuits, or closures. However, HIPAA is only a starting point if you want to provide truly robust privacy protections for your customers.
In this article, we’ll look at how your healthtech company can implement greater privacy safeguards by using a data privacy vault in your applications. We’ll also discuss why it’s important to exceed the bare minimum of what is required by law for PHI, as doing more for data privacy can actually win you customers and improve your healthtech products.
But first, let’s lay the groundwork with a brief treatment of HIPAA and PHI.
Understanding HIPAA Compliance and PHI
HIPAA is the baseline of compliance for protecting patient health data. Commonly considered the legislation which codified medical data privacy in the United States, HIPAA represents the minimum bar for safeguarding PHI that any healthtech company must meet.
Why PHI is Unique
Financial data, such as a reissued credit card or an updated credit score can change, and we have standards, such as PCI, to regulate the use of this data. Personally identifiable information (PII), such as a home address or a driver’s license number can also change. For handling PII, we have regulations like GDPR or CCPA.
However, PHI is a unique kind of data because the majority of PHI typically doesn’t change. For example, laboratory results or entries in a patient’s medical history are fixed. Because of this, HIPAA takes the protection of client health data very seriously.
How PHI is defined
One of the key ways that HIPAA protects patients in the US is by defining what sort of data is considered PHI. Essentially, PHI is any information that can be used to identify an individual and that is related to the following:
-
That individual’s past, present, or future physical or mental health or condition
-
The provision of healthcare to that individual
-
Payment for the provision of healthcare to that individual
That means that if someone’s name, contact information, photo, or ID number is attached to the health-related data point, it’s also considered PHI, and it needs to be kept safe.
HIPAA rules apply to what the US Department of Health and Human Services (HHS) calls “Covered Entities and Business Associates” as well as any health-related applications that deal with PHI. So, if your business takes health data and ties it to any kind of identifier for a specific person, then it is very likely to be subject to HIPAA. If you’re operating without HIPAA compliance, then you’re liable to face some serious penalties, including hefty fines, customer remediation costs, and even being added to a public list of breaches commonly referred to as the HIPAA Wall of Shame.
From the vantage point of simple compliance, it’s hard to overstate the importance of HIPAA for healthtech companies.
How a Data Privacy Vault Protects PHI
Fortunately, protecting your customers’ PHI data is possible. The HHS provides guidance on how to de-identify PHI. Companies can detach health data from identifiers so that it can no longer be used to identify an individual.
However, the challenge for healthtech companies is ensuring that they’re doing this correctly. There’s no room for mistakes. If you try to “roll your own” solution, you take precious engineering resources from your core business needs, and you’ll lack the confidence that you’ve covered all your bases.
Instead, many of today’s healthtech companies are looking to the data privacy vault architectural pattern. A data privacy vault — and specifically one that is designed to deal with healthcare data — allows you to securely store identifiers for customers in an isolated, encrypted data vault that’s separate from normal transactional data. This kind of healthcare data privacy vault enables you to de-identify health data, protecting both your customers and your business. By providing tokenization, masking, and redaction capabilities, a data privacy vault makes working with protected data much less risky.
Now that we’ve discussed the risks of non-compliance and the solution for protecting customer PHI, the big question is this: Is it worth it? Instead of adopting tried-and-tested tools to secure your customer data fully, would it be acceptable just to assume some risk and hope for the best? Let’s consider this.
Reducing the Risk (and Scope) of a Data Breach
Perhaps your company is already up and running without a data privacy vault, and you’ve implemented other mechanisms for protecting your customers’ PHI.
You may feel like you’ve already invested a lot and don’t want to sink more effort into something that feels like a net-neutral investment. But it’s important to realize that you can still end up on the HIPAA Wall of Shame with a breach that impacts as few as 500 customers, even if you have basic protections in place.
Not only that, but the best repayment to your customers for their trust in you is building a more trustworthy system.
While it may seem you’ve met HIPAA’s standards for de-identification of PHI, reducing even a small risk of a breach by introducing a data privacy vault can win even greater trust from your customers.
Take a look at the above example architecture. Notice that only tokenized, masked, or redacted information would be passed between different parts of your systems, allowing you to exceed HIPAA requirements and keep you off the Wall of Shame.
Building Customer Trust
Building a privacy-centric system will do more than just keep you out of trouble. It can also be a great tool for driving customers to your business. By protecting customer data, you can actually make better use of it. Isolating customer PHI in a data privacy vault allows you to use that data in various workflows and extract valuable insights without compromising identifiable data.
Choosing a good tool for managing PHI will also require you to establish various data governance policies and access controls. By specifying these operational pieces of your business, you can ensure your customers’ trust is well placed.
Given the high demand for privacy in any consumer technology today— and especially in healthtech — prioritizing these policies and standards sets your company apart as a leader in privacy, differentiating your business from competitors.
Conclusion
If you still want to learn more about HIPAA compliance or how a data privacy vault can help you with other aspects of HIPAA, there’s plenty of information out there for that.
Fortunately, with the great tools available on the market, building a secure solution for your healthtech business is completely possible and easy to start immediately. Protecting your customers from compromised PHI is serious business, so make sure to use the right tools to safeguard your customer health data.
Also published here.
