How health tech can secure patient data post-CURES Act
It’s the central conundrum at the heart of telehealth: How can patients gain access to their most vital medical records without putting privacy at risk? The question is not just one of user activity – historically, healthcare providers have been wary of providing electronic health records (EHRs) directly to patients, due to concerns related to both privacy and control.
Yet with the Department of Health and Human Services’ (HHS) CURES Act final rules effective as of April, necessity has dictated innovation. Healthcare providers will still face hurdles on their way to giving patients access to their data, and the HHS has provided eight exemptions to these rules, including privacy exemptions, that will give providers some leeway in data decisions.
Aside from these exemptions, however, the CURES Act is open-ended. Health information providers must get EHRs to the right patient—and they need health tech to do it.
The regulation hurdle
The central promise of the CURES Act is its information blocking ban, which prohibits health information providers from restricting patients’ access to their EHRs. The HHS announced these rules with no small degree of fanfare, calling them a “new day for interoperability”—that is, there are now more options than ever for record holders to send the right data to the right patient’s smartphone.
But there are security concerns.
Health information providers may be required to send patients their data when they request it, but the CURES Act isn’t the only law on their minds. HIPAA, as well as state and local regulations, can impose harsh penalties on organizations that put private patient data at risk. These EHR providers want to know that the third parties they partner with can keep information secure, the same way patients want private access to their own healthcare information.
It’s a tall order to provide this information securely, the same way consumers “handle their finances or travel,” as one HHS official put it. But it can be done.
Bridging the privacy gap
There are a few key hallmarks of a healthcare application developed with privacy in mind. Specifically, health tech companies can focus on the following standards to show EHR providers and patients that their data remains secure, even as these records become more readily accessible.
Transparency. Healthcare data can be submitted by the user, uploaded from their smartphone, or transferred from an EHR provider in compliance with the information blocking ban. Clear guidance on where each piece of data comes from and where it can be sent creates transparency, a necessary first step for trust in privacy.
Server-side protection. HIPAA strictly regulates who can access patient data, meaning health tech companies would do well to review any existing BYOD policies. Data stored on a company server may include information that falls under HIPAA protection, meaning server access should be configured to only allow access to verified individuals.
Multi-factor authentication. The HHS’ goal is to make health information as accessible as financial information via our smartphones. These health tech apps can set a standard for heightened security from the start, both to ensure only the patient has access to data, and to convey the seriousness with which patients should approach using these apps.
Interoperability. The healthcare system encompasses thousands of hospitals, networks, and providers, with tens of thousands of staff keeping the care (and data) running. Pushing and pulling data via these legacy databases is part of the challenge in developing APIs, but it’s a necessity. Getting information from the EHR provider to the patient’s smartphone and onward to a doctor or hospital’s system should happen entirely within the app—screenshots and ad hoc data transfer solutions are simply far less secure.
Privacy policies for health tech
Setting the right tone from the start will be critical as health tech rolls out its post-CURES Act Final Rules suite of applications. Multi-factor authentication and a clear UI are a good start, but the core of any security-focused app will be its privacy policy.
These statements listing the ways a company gathers and manages a user’s data often go ignored, but they’re vital in conveying what users can and should expect from their healthcare apps. Health tech companies would be wise to ensure their privacy policies are read and understood, as they lend clarity to patients accessing their EHRs.
The key information patients look for may include:
Risk reduction measures. Data anonymization or identity tokenization is more than a nice-to-have when it comes to health information. These and other privacy-minded measures reduce the risk involved with a potential breach, and users will want to know what techniques are in place to add protection to their data.
Third-party access. One of the chief concerns surrounding healthcare data privacy lies in advertising. Companies could target patients with goods and services related to their medical information, but this may not be feasible due to HIPAA regulations. Explicitly addressing what third parties an application shares its data with shows patients what they can expect when it comes to data use.
Patient rights. Patients will gain access to the EHRs via health tech apps, but what information can they get from the apps themselves? Information about what data is being collected and for what purpose can be coupled with clear guidelines for gaining more specific information about the app’s own user data file.
Building the future of health tech
Privacy has increasingly become a central focus for the tech world, and the development of new healthcare apps utilizing EHRs can be a proving ground for health tech companies. Getting the rollout right requires careful planning and consideration.
The HHS knows this. They’ve implemented an 18-month grace period before the full suite of EHR requirements goes into effect, allowing information providers and health IT developers to get up to speed with the new rulings.
Between now and October 2022, health tech companies will be assessing what their privacy standards and policies will look like. While the best practices of design, user experience, and performance will all maintain relevance, developers should put their strongest emphasis on privacy. Doing so will not only draw more interest from the EHR providers, but also ensure the trust needed to provide patients with the options and clarity they deserve from their healthcare.