Will Privacy Laws Impact Health IT Innovation in 2020?

April 14, 2020

by Nick Jaworski, Digital Community Builder of Circle Social, Inc.

It’s a new year with new challenges. 2020 might be shaking the healthcare industry with new privacy laws and regulations. The Department of Health and Human Services (HHS) intends to spend 2020 working on rules tackling privacy issues such as cybersecurity and patients’ right to their data.

The past year in health IT security was one of the worst seen in recent years, with multiple breaches each impacting several million patients. Patients are also growing increasingly aware of their data privacy rights through HIPAA and, in response, have filed lawsuits after many of those privacy breaches.

As the need for health IT innovation increases in healthcare, providers must also change how they approach security in 2020 to keep pace with an increasingly sophisticated threat landscape. Egress Chief Executive Officer Tony Pepper explained how innovation and awareness will impact those security decisions in 2020.

“In 2020, I believe we’re going to continue to see increased awareness of data breaches from patients, which will create further pressure on healthcare organizations to protect their data and comply with legislation,” he said. “This can only happen effectively if healthcare looks to the right technology to ensure patient data is secure.”

Healthcare privacy is complex. There is a delicate balance between keeping patient data secure and sharing it. Rules allowing patients to have free access to their health data can conflict with the Health Insurance Portability and Accountability Act (HIPAA) or state laws to protect privacy. This might cause concerns about HIPAA violations, resulting in under-sharing of information or oversharing to avoid data blocking.

How State-Level Laws Address These Issues

A huge challenge is the growing volume of health-related information created, gathered and collected outside of the scope of the HIPAA rules, such as through mobile apps, wearables, personal health records, etc. This information is generally not subject to HIPAA.

California is addressing this “non-HIPAA” issue with the new California Consumer Privacy Act (CCPA). As Kirk J. Nahra, a privacy and cybersecurity partner at WilmerHale in Washington, D.C., explains, “companies that handle health data in California will have to comply with three laws in 2020: HIPAA, the California Confidentiality of Medical Information Act (which applies to certain technology companies that are not regulated by HIPAA), and the newest privacy provisions under the California Consumer Privacy Act, which take effect January 1, 2020.”

The California Consumer Privacy Act is now officially in effect, with Colorado and New York following California’s lead. New York also hopes to pass a new law with privacy requirements that the industry says go further than California’s.

An important element of CCPA is the right for consumers to access the data an organization holds on them, creating the need for healthcare organizations to be able to track where data is going within the continuum of care and to ensure information sharing is compliant.

CCPA allows patients to decline the sale of their data and gives them the right to sue if their information is stolen due to an organization’s negligence. Organizations that haven’t previously had to comply with laws such as HIPAA are now challenged with compliance.

Pepper shared his thoughts on these state-level laws: “This patchwork of state-level laws and industry legislation demonstrates the emphasis rightly put on protecting citizens’ data. However, whether it’s a sustainable, long-term way forward or whether it’s possible to implement an extensive federal legislation remains open to much debate.”

Patients are increasingly aware of their data privacy rights through HIPAA. At the same time, healthcare organizations have never faced a more complex privacy landscape. In 2020, the wave of state-level legislation will probably move forward.

The emphasis should be on clarity and an approach that benefits both patients and the healthcare industry. Patients need to understand the rules that apply to their health information.

What Can I Do to Protect My Client’s Information?

The number one thing that you can do to protect your client’s information is to perform a regular risk analysis of your network. Identify whether any areas are at risk. If you find any, resolving the issue is mandatory. Not resolving issues that could put client information at risk is also a HIPAA violation and can lead to some hefty fines.

Training and education are also important. Your employees should learn when and where they should be logged in to company electronic devices. Establish written protocols and make sure that employees are securing their workstations (putting away files and locking them up, logging out of computers, etc.) every night or whenever they leave them.

You should also be aware of how you are getting rid of data or devices that store data. Reformatting and deleting the memory isn’t enough. You need software that is designed to permanently wipe the hard drive.

Lastly, stay current on your cybersecurity. Security patches for your computers should be applied regularly, in addition to making use of firewalls, anti-virus, and anti-spyware software. Also, review your software vendors’ websites for any updates about vulnerabilities and patches.

This article is for educational purposes only. As technology changes and improves, this information should be used only for awareness and does not guarantee cybersecurity.
