Isn’t All Health Data Sensitive? Yes, But Safeguarding Some of It Is Even Trickier
While it is widely accepted that all health information carries a level of sensitivity, certain types of data are deemed especially sensitive, elevating the stakes for both patients and regulatory bodies. This heightened sensitivity often emerges in cases involving mental health records, reproductive health details, and pediatric data, among others.
Experts indicate that there is no universal standard for classifying particularly sensitive health information, as individual privacy concerns can vary significantly. Regulatory attorney Adam Greene of Davis Wright Tremaine illustrates the point with an X-ray of a broken wrist: innocuous to most patients, but potentially highly sensitive to a professional athlete.
This complexity is compounded when considering the motives of cybercriminals, who frequently target sensitive health information such as mental health records and plastic surgery documentation, recognizing their potential for extortion. A notable increase in ransomware attacks against plastic surgery clinics in 2023 led the FBI to issue warnings, underscoring the vulnerability of these healthcare providers to cyber threats.
Challenges in Regulation
Navigating the legal landscape surrounding ultra-sensitive health data presents its own challenges. Regulatory attorney Kirk Nahra of WilmerHale emphasizes that the evolving nature of laws like HIPAA adds layers of confusion. While HIPAA does not inherently categorize health information by sensitivity, exceptions exist, such as the recent adjustments following the Supreme Court’s Dobbs decision concerning reproductive health data.
In response to this ruling, the U.S. Department of Health and Human Services has integrated additional privacy protections, aiming to shield reproductive health information from investigations that could impose legal repercussions on healthcare providers. Nevertheless, this rule faces legal scrutiny, with fifteen state attorneys general arguing that it hampers the states’ ability to pursue investigations into Medicaid fraud and related issues.
Substance Use Disorder Protections
Long-standing regulations under 42 CFR Part 2 already provide protective measures for substance use disorder records. However, these regulations can also create barriers for healthcare providers treating patients outside federally assisted programs. The discrepancies between Part 2 and HIPAA can obstruct access to crucial medical histories, complicating care for these individuals. Recent HHS efforts to align the two regulatory frameworks aim to facilitate better communication among healthcare providers.
Implementing Solutions
As the healthcare landscape grapples with these complexities, the proposed updates to the HIPAA security rule introduce potential solutions. Regulatory attorney Amy Magnano notes that network segmentation, a proposed feature within the updated rule, allows sensitive data to be stored in separate, more secure locations within electronic medical record systems.
In addition to federal regulations, state laws continue to evolve, further complicating the management of sensitive health information. The Washington state My Health My Data law illustrates how regional legislation can introduce additional requirements for data handling, potentially hindering research endeavors due to stricter privacy measures.
Proactive Measures for Businesses
In light of these challenges, healthcare organizations should proactively assess the categories of health data they manage for potential sensitivity. Regulatory review should include whether any given dataset carries privacy requirements beyond those for standard protected health information. Organizations should also work with their electronic health record vendors to confirm that their systems can safeguard extra-sensitive data, and establish patient consent protocols where necessary.
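As an added illustration of the two practical points above (routing extra-sensitive records into a separate, more restricted store, and checking which datasets carry requirements beyond standard PHI, with a consent gate where one applies), here is example code that is not from the article, from any of the attorneys quoted, or from any EHR vendor. The category names, the segment names, the tag-to-category mapping, and the rule that substance-use records need a recorded consent before disclosure to another provider are all constructed assumptions for the demo, not a reading of HIPAA or 42 CFR Part 2.

```python
"""
Sensitivity classification, segmented-store routing and a consent gate for
health records. Example code only; the policy encoded here is an assumption
built for the demo, not a statement of what any regulation requires.
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(str, Enum):
    GENERAL_PHI = "general_phi"
    MENTAL_HEALTH = "mental_health"
    REPRODUCTIVE = "reproductive"
    SUBSTANCE_USE = "substance_use"   # assumed to need Part 2-style handling
    PEDIATRIC = "pediatric"


# Assumed mapping from a record's service-line tag to a sensitivity category.
# A real system would derive this from the EHR's own coding, not free tags.
TAG_TO_CATEGORY = {
    "psychiatry": Category.MENTAL_HEALTH,
    "obgyn": Category.REPRODUCTIVE,
    "sud-treatment": Category.SUBSTANCE_USE,
}

# Assumed policy: these categories leave the general store, and disclosure of
# records in CONSENT_REQUIRED categories needs an explicit consent entry.
SEGREGATED = {Category.MENTAL_HEALTH, Category.REPRODUCTIVE, Category.SUBSTANCE_USE}
CONSENT_REQUIRED = {Category.SUBSTANCE_USE}

# Assumed ordering from most to least restrictive, used to pick one store.
RESTRICTIVENESS = (Category.SUBSTANCE_USE, Category.REPRODUCTIVE, Category.MENTAL_HEALTH)


@dataclass
class Record:
    record_id: str
    patient_age: int
    tags: set
    consented_recipients: set = field(default_factory=set)  # who the patient authorised


@dataclass
class Decision:
    allowed: bool
    reason: str


def classify(rec: Record) -> set:
    """Return every category a record falls into; all records are at least PHI."""
    cats = {TAG_TO_CATEGORY[t] for t in rec.tags if t in TAG_TO_CATEGORY}
    if rec.patient_age < 18:
        cats.add(Category.PEDIATRIC)
    cats.add(Category.GENERAL_PHI)
    return cats


def target_store(rec: Record) -> str:
    """Route a record to the segment of its most restrictive category."""
    cats = classify(rec)
    for c in RESTRICTIVENESS:
        if c in cats and c in SEGREGATED:
            return "segment-" + c.value
    return "segment-general"


def disclosure_decision(rec: Record, recipient: str, purpose: str) -> Decision:
    """Gate a disclosure to another provider.

    Consent-bound categories require a consent entry naming the recipient;
    everything else passes only for a treatment purpose in this demo.
    """
    needs_consent = classify(rec) & CONSENT_REQUIRED
    if needs_consent and recipient not in rec.consented_recipients:
        names = sorted(c.value for c in needs_consent)
        return Decision(False, "consent required for " + ", ".join(names))
    if purpose != "treatment":
        return Decision(False, "only treatment disclosures are handled here")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed sample records, not real patient data.
    sud = Record("r1", 34, {"sud-treatment"})
    child = Record("r2", 12, {"orthopedics"})
    print(target_store(sud), target_store(child))
    print(disclosure_decision(sud, "clinic-b", "treatment"))
    sud.consented_recipients.add("clinic-b")
    print(disclosure_decision(sud, "clinic-b", "treatment"))
```

The point of the gate is that the decision is driven by the record's classification rather than by whoever is asking: a substance-use record is denied to a recipient with no consent entry even for a treatment purpose, while an ordinary pediatric record stays in the general segment and passes on treatment purpose alone.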