April 30, 2018
Last week, Facebook CEO Mark Zuckerberg testified before Congress regarding the latest privacy concerns surrounding the social media giant.[i] In a prepared statement, Mr. Zuckerberg conceded that the company did not do enough to prevent harmful uses of Facebook user data.[ii] Mr. Zuckerberg’s statements come in the wake of reports that Cambridge Analytica, a political consulting firm, accessed the data of over 87 million Facebook users. Facebook’s recent ills, combined with a tech industry eager to expand into the healthcare market, should concern healthcare providers who must ensure patient data remains secure.
Tech’s Healthcare Push
Large tech companies have long been seeking additional markets in which to offer services. The most recent target industries include automobiles, internet service providers, education, and now healthcare. Pairing healthcare with tech companies such as Apple, Amazon, and Google poses attractive possibilities to connect patients to their health data, cut costs, improve record and data accuracy, reduce office visits, and centralize the maintenance of patient information.
Some companies have already begun. Apple’s website features a healthcare page which lists services ranging from patient record storage, medication administration aides, and app creation to research apps that help researchers enroll participants while simultaneously gathering medical information. Amazon recently announced a health venture with Berkshire and JPMorgan, has already been selling medical supplies to providers, and is simultaneously seeking to integrate its cloud services with Alexa (the voice recognition technology popular in home speakers) into hospital services.[iii] Undoubtedly, others will soon join. But Facebook, while not heavily involved in healthcare services, represents a tech industry that is largely unregulated, has demonstrated flawed privacy controls, and is now increasingly pressed on data privacy issues. Healthcare providers must gauge whether the risks associated with tech’s recent privacy problems are worth such chances and how to mitigate that risk.
Understanding the Risk
With Facebook’s privacy lapse in the spotlight, politicians will begin exploring regulatory solutions to the problem. First, and Mr. Zuckerberg’s Congressional appearance indicates as much, elected officials will seek to understand the risks involved. Providers must do the same. Regulations can take years to pass, more to implement, and do not ensure compliance by their mere existence. At the same time, providers will hesitate to pass up new technology that could potentially save money, time, and lives. However, while not every tech vendor may be as careless as Facebook, risk remains in every company that deals with patient data.
The specific risk with tech companies often turns on whether the company has systematic privacy safeguards in place. If a tech company begins handling a provider’s patient information, the laws it must then comply with can be daunting for an organization unaccustomed to working in the healthcare field and with healthcare regulations. When tech firms handle protected health information (PHI), they are regulated by HIPAA and are then liable for any violations under the Act. PHI can come in the form of medical records, lab results, insurance information, and much more. This risk exposure comes from regulations that tech firms generally do not deal with, which healthcare providers must account for before entering into a partnership or business arrangement with those vendors.
Steps for Providers – Business Associate Agreements
Providers who wish to partner with tech firms, or any business for that matter, should do so while taking certain precautions. Chief among these are business associate agreements (BAAs). HIPAA regulations require covered entities and business associates (e.g. tech firms) to enter into contracts to ensure the business associates safeguard patient data when a business associate has access to PHI.[iv] A BAA may also limit the permissible use and disclosure of PHI from its business associate. The business associate may only use or disclose PHI to the extent the BAA allows.[v] Any further use or disclosure would subject the business associate to civil and, in some cases, criminal liability.[vi] The BAA must:
- Establish permitted and required uses of PHI by the business associate
- Specify that the business associate will not use or disclose the PHI further than permitted or required by the contract or as required by law,
- Require the business associate to implement appropriate safeguards to prevent unauthorized access to PHI,
- Ensure the business associate will disclose PHI to satisfy a covered entity’s obligation to make PHI available to patients upon request,
- Require the business associate to comply with applicable Privacy Rule obligations,
- Require the business associate to make its internal practices, books, and records relating to use and disclosure of PHI available to the U.S. Department of Health & Human Services (HHS),
- Require the business associate to destroy or return all PHI to the covered entity when the BAA terminates,
- Require a business associate’s subcontractors who handle PHI to subject themselves to the same restrictions as the business associate, and
- Authorize termination of the BAA by the covered entity in the event the business associate violates the BAA.
These are only HIPAA requirements. Covered entities may want additional contract language to best suit their unique interests and needs. For instance, a covered entity may want indemnity from the business associate for damages caused by an unauthorized use or disclosure of PHI. A covered entity may also wish to audit the business associate’s practices involving the safeguarding of PHI. In times like these, when tech companies have struggled to prioritize user privacy, covered entities must take patient privacy into their own hands. A comprehensive BAA does just that.
Steps for Tech Firms – Get Compliant
Tech firms/companies can protect PHI by first complying with the contract provisions laid out in the BAAs between themselves and the covered entities for which they do business. Tech firms should implement these fundamentals when offering healthcare product lines.
- Establish Physical Safeguards — To comply with HIPAA, business associates need to physically secure their offices, files, devices, networks, and data locations that contain PHI. This involves controlling office and work environments to prevent access by unauthorized individuals. Business associates must secure all computer equipment and electronic media that contain PHI. Here, the tech industry possesses broad capabilities and may even drive innovation for this requirement. Simpler precautions like refraining from leaving computers or other devices that contain PHI in cars or unsecured locations should be put into policies and procedures. These policies should be given to new employees along with attestations that each new hire must sign. These policies should then be re-emphasized through annual education and training. Business associates should also be aware that PHI can be stored in less-obvious places, such as copier memories or unmarked boxes and unlocked filing cabinets.
- Technical Safeguards — Technical safeguards like encryption and strong passwords ensure tech firms maintain patient privacy in most instances. Firms must take additional precautions when using a subcontractor. This includes entering into sub-BAAs, and ensuring the subcontractor also uses encryption and strong passwords. All devices containing PHI should be encrypted and password protected.
- Administrative Safeguards — Installing administrative safeguards, and compliant infrastructure as a whole, starts with policies and procedures. A tech firm should develop and implement policies and procedures to prevent, detect, contain, and correct security and privacy violations. The firm should also designate a Security Official and a Privacy Official. The firm’s employees should know who each official is and be able to name them if asked.
Other administrative safeguards include:
- Ensuring that only authorized staff can access PHI/electronic PHI,
- Establishing procedures to identify, respond to, mitigate, and document security incidents,
- Creating emergency response procedures for data backup and recovery in case of natural disaster, system failures, deliberate attacks (e.g. ransomware), or other incidents,
- Having systems in place to determine if PHI has been altered or destroyed, and that anyone who accesses PHI is authorized and has legitimate need to do so,
- Providing security and privacy training for all staff, including creating passwords and addressing breaches, and
- In case of a data breach, following guidelines on disclosure, such as notifying the affected individuals.
While Congress questions Mr. Zuckerberg, the tech industry remains both a driver of innovation and an increasing privacy concern. Healthcare providers looking to capitalize on tech’s innovations must ensure they have BAAs with these companies. When tech fails to protect patient privacy, healthcare providers will ultimately bear the burden.
[i] McKinnon, John D. “Facebook’s Ills Pose Regulatory Puzzle” The Wall Street Journal 10 Apr. 2018: B1. Print.
[iii] Farr, Christina. “As Amazon moves into healthcare, here’s what we know – and what we suspect – about its plans.” CNBC 27 Mar. 2018. Web. 10 Apr. 2018. https://www.cnbc.com/2018/03/27/amazons-moves-into-health-what-we-know.html.
[iv] “Business Associate Contracts.” HHS 25 Jan. 2013. Web. 13 Apr. 2018. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.