At Intouch, we hear a lot of questions, concerns and misapprehensions about data privacy and data security. They come from industry friends, current and new clients, and the public. Data security was a hot topic at this year’s SXSW conference, which featured sessions like “The Coming Merger of Data and Health.” And it’s all over the news, as well. When Apple is simultaneously fighting with the FBI and releasing the new CareKit framework for mHealth apps, it’s hard to miss stories about data encryption.
Concerns about protecting data privacy and security are almost always well-founded, particularly for those of us who work in healthcare. And while we as an industry absolutely have a responsibility to ensure we collect, handle and use customer data in the right ways, it’s also important for us to call out and explain misunderstandings that might keep a brand from making the most of their marketing approach.
Here, we break down three concerns about data security and data privacy that are top of mind right now.
We Hear: “We can’t do this project because of HIPAA.”
What It Really Means: We’ve heard some common misconceptions about HIPAA — primarily, that a lot of customer data falls under HIPAA guidelines when, in fact, it doesn’t. Are you sure you’re dealing with protected health information (PHI)? While this is certainly a valid question, perhaps the better question is – what is your organization’s role in the healthcare “ecosystem”? If you are considered a covered entity (i.e., health plans, healthcare clearinghouses and healthcare providers fit this definition), then you need to be concerned with proper handling of PHI. If your organization fits within this category, then you should pay particular attention to how HIPAA defines PHI — essentially, data that can be used to determine an individual’s health history, diagnosis, treatment program, etc. De-identified health information used for clinical trials or scientific research is not PHI. HIPAA guidelines address how to handle PHI – not all health data.
For more information, see our recent post: Data Security: Know What’s at Stake and How to Keep It Safe.
We Hear: “Our budget is X — we can’t afford all that extra data-compliance stuff.”
What It Really Means: Security and compliance isn’t an add-on; it’s foundational. That being said, it’s possible to start by identifying the minimal viable product (MVP) for maintaining data compliance and scale up from there. If you’re storing PHI or PII (personally identifiable information), industry best practices state that you must ensure that information is encrypted both at rest (in the database) and in transit (in that file export to be shared with a trusted partner). From there, you can layer additional security measures, but data encryption is the key.
For more information, see our recent post: Dig Deeper, Stay Compliant With Data Retention.
Also, check out the International Pharmaceutical Privacy Consortium.
We Hear: “Our new project has to work across X regions, so we’ll just get that all approved once we’re done.”
What It Really Means: International privacy regulations are varied and ever-changing. In order to be certain that a project will be acceptable in all regions, you should know which countries to take into account, understand their policies, and only start building once that understanding is in place. For instance, you may choose to have several websites for different countries that all use the same database to ensure consistent data encryption, security, authentication, etc. There will likely be a variety of potential solutions, but finding the right one depends on understanding the specifics of each situation.
Seven Golden Rules to Safeguard Data
Concerns about protecting customer data security and data privacy are real and important. In some cases, they rightfully preclude the use of certain tactics. In general, the following seven rules will keep you safe:
- Respect patient privacy.
- Follow data security best practices.
- Know the laws.
- Know the technology.
- Know the limits.
- Be transparent regarding the potential use of the data.
- Only work with partners who understand and follow these guidelines.
Want to know more? Contact Intouch Solutions for more details on data security for your brand or project.