Data privacy and security in healthcare are critical. A healthcare record sells for up to 40 times as much as credit card data on the black market. Why? Healthcare data is far more personal and detailed than financial data: it can be used to set insurance premiums unfairly, to commit fraud, or to blackmail and extort, and unlike a card number it cannot simply be cancelled and reissued once it leaks.
Because of this, the healthcare industry is subject to some of the most stringent data security regulation around. In the US the primary regulation is HIPAA, and it is crucial to understand its requirements before embarking on a healthcare venture.
First things first: HIPAA is a federal law, not a certification. There is no official body that issues HIPAA certifications; rather, HIPAA (through its Privacy, Security and Breach Notification Rules) is a set of standards that must be met in order to comply with the law, and it governs the enforcement action that the federal government (the HHS Office for Civil Rights) and state attorneys general can take when auditing healthcare providers (hospitals, clinics, etc.) for their adherence to those standards.
HIPAA applies to any business that handles Protected Health Information (PHI). Such businesses are either covered entities, which deal with patients directly (healthcare providers, health plans and clearinghouses), or business associates, which are granted access to PHI by a covered entity in order to perform a service on its behalf. A business associate must sign a Business Associate Agreement (BAA) with the covered entity and must have security controls strong enough to be trusted with that data.
PHI is any data that:
So, you may be thinking, why bother with all this work? Well, there are a few factors that make taking security seriously unavoidable in healthcare:
In this section we will speak specifically about digital health solution vendors, although the same general best practices apply to all healthcare businesses.
What do I mean by Digital Health? Digital health technologies use computing platforms, connectivity, software and sensors for healthcare and related uses. These technologies span a wide range of uses, from general wellness applications to software that is itself a medical device, and can address a wide range of healthcare issues.
For a cloud-based healthcare application, many of the physical and infrastructure-level safeguards will be covered as standard by the cloud provider (e.g. AWS or Azure), which will sign a BAA covering its HIPAA-eligible services. When these providers claim 'HIPAA compliance', this is what they are referring to: their side of the shared-responsibility model. The BAA does not cover services outside its scope, and how you configure and use those services (access control, encryption, logging, data handling in your own application) remains your responsibility as the business associate.