
Protecting patient privacy and patient rights

Many countries around the world have enacted legislation for the protection of patient privacy. In the United States, legislation for protecting patient privacy was first signed into law in 1996 and is known as the Health Insurance Portability and Accountability Act (HIPAA). It has been revised and updated several times since then. Two of HIPAA’s main components are the Privacy Rule and the Security Rule.

The Privacy Rule states the specific situations in which healthcare data can be used. In particular, any information that can be used to identify the patient, known as protected health information (PHI), can be freely used for the purposes of medical treatment, bill payments, or certain other healthcare operations. Any other uses of the data require written authorization from the patient. A covered entity is an organization that is required to comply with HIPAA law; examples of covered entities include care providers and insurance plans. In 2013, the Final Omnibus Rule extended the jurisdiction of HIPAA to include business associates or independent contractors of the covered entities (a category that most healthcare analytics professionals fall under if working with clients in the United States). Therefore, if you work with healthcare data in the United States, you must protect your patients’ data or face the risk of fines and/or imprisonment.

If you are a healthcare analytics professional, how should you protect the electronic patient health information (e-PHI) in your data? The Security Rule answers this question. The Security Rule breaks down the safeguarding methods into three categories: administrative, physical, and technical. Specifically, according to the website of the US Department of Health and Human Services, healthcare data scientists should:

"ensure the confidentiality, integrity, and availability of all e-PHI" in their possession; protect against "reasonably anticipated threats" to the security of the information and impermissible uses or disclosures; and "ensure compliance by their workforce" (US Department of Health and Human Services, 2017).

More specific information about safeguarding techniques can be found on the HHS website and includes the following guidelines:

  • Covered entities and business associates should designate a privacy officer in charge of HIPAA enforcement and maintain training programs for employees who have access to e-PHI
  • Access to hardware and software containing e-PHI should be carefully controlled, regulated, and limited to authorized individuals
  • e-PHI sent over open networks (for example, via email) must be encrypted
  • Covered entities and business associates are required to report any breaches of security to affected individuals and the Department of Health and Human Services

Outside of the United States, there are many countries (particularly Canada and those in Europe) that have enacted healthcare privacy laws. Regardless of the country you live in, it’s considered ethical practice in healthcare analytics to protect your patients’ data and privacy.
