HIPAA and Privacy Considerations in HEOR

Big data analytics, data collection, and mass digitization have expanded the limits of what is possible in healthcare and HEOR. As a consequence, privacy matters related to the use of confidential health information have increased since it can be a target for criminals and/or be misused. This is why all patient data must be regulated and kept safe by laws such as HIPAA Privacy Rule and HITECH.

Privacy Issues in Healthcare

While the medical community, healthcare providers, and Health Economics and Outcomes Research (HEOR) professionals are trying to get the most out of valuable data, they must strive to meet the security and privacy challenges that arise with it.

Evidence-based decisions are an essential part of healthcare, but such information is hard to process, standardize, and use effectively. It’s evident that care is improving with better-informed clinical decisions, disease tracking, and adverse effects monitoring of drugs and medical devices, thanks to this identifiable health information.

Big data must also protect the privacy of patients while improving care. This is essential in today’s world, especially since the COVID-19 pandemic accelerated the use of digital technology. Threats to privacy, data breaches, and hackers exposing sensitive data happen on a regular basis. Therefore, HEOR stakeholders need to ensure safe methods to store and protect data.

The Importance & Challenges of Privacy and HIPAA

Keeping patient privacy and protecting data in the United States follows the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national standards for ensuring this privacy and was enacted into US law in 1996. In the case of Europe, the General Data Protection Regulation (GDPR) defines a strict standard for patient privacy.

Both regulations make it compulsory to address privacy concerns with big data in healthcare and establish a robust policy personally identifiable information. Entities that handle healthcare data should use software and IT solutions that are HIPAA-compliant to prioritize compliance with regulation and privacy agreements. Once these solutions are in place, covered entities should anonymize sensitive information, so data cannot be tracked back to a specific individual. 

The two following challenges must be addressed:

1. Removing identifying information from patient records can result in a significant loss of value for health research projects.
2. Adding statistical noise to data to obfuscate attempts at identification and anonymizing it can diminish the value of the original dataset.

What are the 5 Provisions of the HIPAA Privacy Rule?

The Health Insurance Portability and Accountability Act of 1996 consists of 5 titles:

Title I

• Protects health insurance coverage for workers and their families who change or lose their jobs.
• Focuses on healthcare access, portability, and renewability.
• Regulates availability of group and individual health insurance policies.
• Limits restrictions a group health plan faces on benefits for preexisting conditions.
• Covers “creditable coverage,” which includes Medicare and Medicaid.
• Enables individuals to limit the exclusion period considering how long they were covered before enrolling in the new plan after periods of coverage break.

Title II

• Prevents healthcare fraud and abuse.
• Simplifies administration.
• Establishes policies for privacy and security of individually identifiable health information.
• Requires the Department of Health and Human Services (HHS) to increase healthcare efficiency by creating standards.

HHS initiated five rules to enforce administrative simplification: 

1. Privacy Rule.
2. Transactions and Code Sets Rule.
3. Security Rule.
4. Unique Identifiers Rule.
5. Enforcement Rule.

Title III

• Standardizes the amount to be saved by every person in a pre-tax medical savings account.
• Makes medical savings accounts available to employees covered under an employer-sponsored high deductible plan for a small employer and self-employed individuals.

Title IV

• Enforces the application of group health insurance requirements.
• Specifies conditions for group health plans regarding coverage of persons with preexisting conditions and modifies continuation of coverage requirements.

Title V

• Repeals the financial institution’s role in interest allocation rules.
• Provisions for company-owned life insurance for employers.
• Amends provisions of law relating to people who give up US citizenship or permanent residence.

What are the most common HIPAA privacy violations?

The HIPAA Privacy Rule was established to protect health data and help reduce fraud, abuse, and waste. Penalties could range from millions of dollars in fines and/or arrest. Learn which are the most common HIPAA privacy violations to avoid severe penalties and put preventive measures in place:

1. Data breaches. Getting hacked is one of the most common privacy violations. Over the last few years, data has been stolen from multiple healthcare network servers, including information of millions of patients with Social Security numbers, addresses, and insurance information. This data is then leaked or sold.
2. Releasing patient information after the authorization period expires. HIPAA Privacy Rule permits disclosing of information with authorization forms, however, these forms have expiration dates. A new form must be completed if a request to reveal this information comes past the expiration date. Sometimes, not enough attention is paid to this, resulting in unauthorized data releases.
3. Employees accessing files dishonestly. This is a common HIPAA violation. Even if it’s done out of curiosity, it’s still unauthorized and wrong. This problem escalates when accounts are shared between physicians and their employees. With standing physician systems, other staff may assume they will not be caught or held accountable.
4. Losing devices. Patient health information can be stored on laptops, tablets, desktop computers, and removable devices. As such, these can be stolen or lost, resulting in a violation of HIPAA. Companies may implement encryption protocols or cloud solutions on their devices with remote access to mitigate this situation.
5. Improper filing and disposal of documents. Human errors occur when using paper-filing systems. When getting rid of documents, they may accidentally be disposed of without first being shredded.

Protect Your Data at all Costs

Privacy laws such as HIPAA express the need to protect data in an increasingly digitized world with growing cyber security threats. The ability to protect health data must be at the forefront of any uncovered or covered entity, including those working in the HEOR field. 

When it comes to HEOR, stakeholders need to take HIPAA Privacy Rules into consideration when gathering or utilizing data. In reality not using big data is not an option for many organizations, therefore they must keep their data sources secure and abide by federal regulations.