Tips for Patient Data Protection

Summary

Protecting patient data is essential in healthcare, especially as advancements in technology increase the risks of breaches. This involves implementing strict access controls, minimizing data collection, and adhering to privacy regulations like HIPAA to ensure sensitive information remains secure and private.

  • Limit data collection: Only collect and retain patient data that is absolutely necessary for providing care or meeting legal requirements to minimize potential security risks.
  • Review third-party agreements: Ensure your business associate agreements are comprehensive and protect patient information when working with external vendors.
  • Train your team: Regularly educate employees on privacy policies, HIPAA regulations, and data protection practices to build a strong first line of defense against breaches.
Summarized by AI based on LinkedIn member posts
  • Larry Trotter II

    Providing HIPAA Compliance solutions for health tech leaders. Solving what software can’t.

    The year’s ending, compliance risks aren’t. As the year winds down, there’s 1 thing health tech leaders should double-check: your HIPAA compliance readiness. The stakes are too high during the holidays. Review these essentials before January:

    1. Access Controls
       → Who can access patient data?
       → Are permissions still up to date?
       → Ensure RBA is enforced to limit exposure.
    2. Vendor Agreements
       → Third parties are an extension of your security.
       → Are your Business Associate Agreements airtight?
    3. Risk Management
       → Have you conducted a recent risk assessment?
       → Have you conducted a recent HIPAA assessment?
    4. Incident Response Plans
       → If a breach happens, can your team act fast?
       → Review and test your incident response plan.
       → Ensure it’s a playbook your team knows by heart.
    5. Security Training
       → Your people are your first line of defense.
       → Have your teams completed annual HIPAA training?
       → Everyone must know how to protect patient data.
    6. Documentation Updates
       → Regulations evolve.
       → So should your policies.
       → Are your privacy and security policies up to date?

    Compliance is about protecting what matters: your patients, your reputation, and your business. If any points leave you wondering, “Are we covered?”, it might be time to partner with an expert.

    P.S. Are you more concerned with vendors or training?

  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    On a near weekly basis, I read about breaches where much of the exfiltrated data was old data that the organization had no real reason to retain. See, e.g., https://lnkd.in/eaX53AWQ and https://lnkd.in/e4pVA6bT. According to IBM's 2023 Cost of a Data Breach Report, breaches cost organizations an average of $165 per record breached. Report at 2. That means that purging 100,000 records of unnecessary data could save you $16.5M in the event of a breach. Here are five tips:

    1. PRACTICE DATA MINIMIZATION: Organizations should practice "data minimization." This means only collecting data that you have a good business reason for collecting, and purging unneeded data when it is no longer needed.
    2. ARCHIVE DATA OFFLINE: In one recent example, the breached company apparently "ceased operations in December 2022 but, to comply with legal obligations, . . . maintained an archived copy of data previously stored on its computer systems." See https://lnkd.in/e4pVA6bT. To the extent you are only retaining old data to satisfy regulatory requirements or just "in an abundance of caution," consider storing the data completely offline, so it is less likely to be breached.
    3. CONDUCT A DATA MAPPING: These days it is common for data records to be duplicated in many places across an organization. Thus, consider conducting a regular "data mapping" to ensure that you know where all of your sensitive data is located, that you are adequately protecting it, and that you are purging it when appropriate.
    4. IMPLEMENT A WRITTEN POLICY: Be sure to document your data retention and destruction policy in a written policy, and train your employees on the policy regularly. Remember to update the policy to reflect the changing realities in your organization.
    5. OVERSEE THE DESTRUCTION OF DATA: Finally, when you destroy data, take reasonable steps to ensure that the data is actually being destroyed. One bank was recently fined $60M for failing to properly oversee a vendor responsible for purging personal data from digital devices. See https://lnkd.in/eutKzpU7.

  • Odia Kagan

    CDPO, CIPP/E/US, CIPM, FIP, GDPRP, PLS, Partner, Chair of Data Privacy Compliance and International Privacy at Fox Rothschild LLP

    If you share your customer's mental health condition across the internet and in the mail, without proper disclosure and choice, this is a "betrayal" per Federal Trade Commission Chair Lina Khan, and you may be banned from using health information for most advertising purposes going forward. What are your practice points from the new multi-million FTC enforcements?

    Eye-Openers:
    🔹 C-suite who direct advertising strategy can be personally implicated in an FTC action re: unfair/deceptive data sharing.
    🔹 Sharing information of people who "liked" a page of a mental health service provider is sharing sensitive information.

    At issue: data collected that includes home and email addresses, birthdates, medical and prescription histories, payment account or driver license numbers, as well as information about treatment plans, pharmacy and health insurance plans, and other personal data, such as religious or political beliefs, or sexual orientation.

    Privacy Side:
    🔹 Attention C-Suite: the FTC can come after executives for privacy violations if they control, direct, or are involved in creating or implementing the policies, or provide legal guidance.
    🔹 Don't say your services are "safe, secure and discreet" or that you will keep user data confidential when you are actually sharing with third parties; that may be deemed deceptive. Even statements like "patients come first" may be problematic.
    🔹 Statements like that on the website may be misleading even if the privacy notice, a few pages in, describes sharing with third parties.
    🔹 Generally a bad idea to bury sharing of sensitive information in the body of the privacy notice.
    🔹 The FTC can come after companies that are subject to HIPAA and deal in PHI.
    🔹 Your regular privacy notice (and actual sharing practices) can't contradict your HIPAA Notice of Privacy Practices.
    🔹 Specifically taking issue with things like "email lookalike audiences", "conversion lookalike audiences" (based on trackers in the website) and "page like lookalike audiences" (based on "likes" for your pages).

    Security side:
    🔹 Cut off your former employees' access to data.
    🔹 Don't send postcards revealing personal information.
    🔹 Beware your Single Sign On ("SSO"). Make sure it doesn't expose confidential medical files and patient information to other patients when those users sign onto the portal nearly simultaneously.

    Consequences can include:
    🔹 Permanent ban from using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes.
    🔹 For non-banned purposes, sharing of sensitive information is permitted only with consent.
    🔹 Comprehensive privacy plan.
    🔹 Data retention schedule.

    #dataprivacy #dataprotection #privacyFOMO

  • Aayush Ghosh Choudhury

    Co-Founder/CEO at Scrut Automation (scrut.io)

    You can’t steal data that doesn’t exist. Simply not collecting certain types of info in the first place is an easy step you can take to reduce security and compliance risk. While the GDPR and other rules require affirmative justification for data collection in the first place, there is some room for judgment in terms of what you gather. Some examples of where you might limit collection are:

    ✅ Email capture and other signup forms. Are you just collecting email addresses to which you’ll send a newsletter? If so, is there a need to collect someone’s name, phone number, and state or country of residence? Many marketing applications have fields to capture this by default, but it might not be in your best interest to do so unless you have a specific business requirement.

    ✅ Meeting recordings. Do you frequently record internal and external video meetings, and then use the recordings to identify people for follow-ups and action items using artificial intelligence (AI) tools? This likely constitutes processing biometric data according to the GDPR. Biometric information requires enhanced protection measures under the regulation, so make sure the productivity boosts you get from these AI apps are worth the additional risk. If the recordings are just sitting there unwatched, consider not creating them in the first place.

    ✅ Medical intake forms and records. Oftentimes patients must complete elaborate and detailed medical history forms when seeing a certain doctor or practice, despite the fact that much of this information is already captured by the organization in question. Especially due to the sensitivity of protected health information (PHI), it makes sense to rigorously review the types you are collecting. If the data isn’t vital to delivering care, or is never going to be reviewed to begin with, then don’t capture it in the first place.

    When in doubt, don’t collect sensitive data to begin with. For resource-constrained businesses, this is the cheapest security measure of all.

  • Irnise F. Williams

    Championing Advocacy, Education, and Equity in Healthcare Disclaimer: This is my personal account and all opinions are my own. My posts do not represent or reflect the opinions or positions of my employer.

    New Resources on Telehealth Privacy & Security from OCR: The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued comprehensive resources aimed at enhancing the privacy and security of Protected Health Information (PHI) in telehealth services. OCR released a guide to assist providers in educating patients about the potential risks to their PHI when using telehealth technologies. This includes discussing the types of telehealth services offered, understanding the privacy and security practices of technology vendors, and the relevance of civil rights laws in this domain. A resource titled “Telehealth Privacy and Security Tips for Patients” offers practical recommendations such as conducting appointments in private settings, using multi-factor authentication, employing encryption, and avoiding public Wi-Fi networks. As telehealth continues to reshape the healthcare landscape, it is crucial for small business owners in this sector to stay informed about these developments. Understanding and implementing these guidelines can significantly reduce cybersecurity risks and ensure the protection of patient data. I am committed to guiding small healthcare business owners through the complexities of telehealth privacy and cybersecurity. #lawyer #nurses #privacy #CybersecurityAwareness See the link to the resource in the comments.