Safeguarding Against Data Breaches
At the end of December, Health IT Security published the article, ‘How Technical Safeguards Prevent Healthcare Data Breaches’ by Sara Heath. The article discusses the importance of healthcare organizations using technology to safeguard health data. HIPAA, Heath writes, has flexible technical safeguard requirements intended to accommodate each individual practice. The article’s three suggestions for protecting healthcare organizations are:
- Protection against hacking. HIPAA outlines a handful of suggested procedures that organizations can adopt with varying rigor. The article also emphasizes the usefulness of audits for benchmarking these practices and procedures.
- Protection against phishing scams. HIPAA offers guidelines as to what to look for, since the number of these scams continues to grow.
- Encryption of health devices, although the article itself notes that encryption has limitations.
These are practical steps to take when it comes to safeguarding against data breaches, but one step not included here is de-identification. Safeguarding PHI is an exercise in risk management: every time PHI is shared or stored, the legal, financial and reputational exposure grows. Properly de-identified data has had the identifiers that could be used to re-identify individuals generalized, suppressed or removed to protect patient privacy. HIPAA’s de-identification standard (45 CFR 164.514) recognizes two methods for doing this, Safe Harbor and Expert Determination, and data that has been de-identified under either method is no longer PHI. When a risk-based (Expert Determination) approach is applied, the residual risk that any individual could be re-identified, directly or indirectly, is reduced to a very small level, and information that cannot identify a patient is not PHI as defined by HIPAA. The NIH states this plainly: “De-identified health information, as described in the Privacy Rule, is not PHI, and thus is not protected by the Privacy Rule.” That is worth considering when planning data breach precautions.
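To make the generalize/suppress/remove step concrete, here is an added example (not code from the original article or its author) that applies Safe-Harbor-style transformations to a small, constructed patient table and then runs a simple equivalence-class (k-anonymity) check over the remaining quasi-identifiers, which is the kind of check a risk-based approach starts from. The record layout, field names and sample rows are assumptions made for illustration; the set of restricted three-digit ZIP prefixes is the one listed in the HHS Safe Harbor guidance (based on 2000 census figures) and should be verified against current guidance before use.

```python
"""
Added example (not from the original article): Safe-Harbor-style
de-identification of a constructed patient table, followed by a simple
equivalence-class (k-anonymity) check over the remaining quasi-identifiers.
Field names, record layout and sample rows are assumptions for illustration.
"""
from collections import Counter
from datetime import date

# Direct identifiers that Safe Harbor requires to be removed outright
# (assumed field names for this example).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email"}

# Three-digit ZIP prefixes whose geographic units contain 20,000 or fewer
# people, per the HHS Safe Harbor guidance (2000 census figures).
# Assumption: verify this set against the current guidance before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or suppress to '000' for small areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob: date, as_of: date) -> str:
    """Age in whole years, with ages over 89 aggregated into a single '90+' bucket."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def generalize_date(d: date) -> str:
    """Safe Harbor keeps only the year of dates directly related to an individual."""
    return str(d.year)


def deidentify(record: dict, as_of: date) -> dict:
    """Remove direct identifiers and generalize ZIP, date of birth and other dates."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["age"] = generalize_age(value, as_of)
        elif isinstance(value, date):
            out[key] = generalize_date(value)
        else:
            out[key] = value
    return out


def suppress_small_groups(records, quasi_ids, k):
    """Keep only records whose quasi-identifier combination is shared by >= k records.

    A record that is unique on its quasi-identifiers is a re-identification
    risk even after Safe Harbor, so a risk-based step suppresses it.
    """
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return [r for r in records if counts[tuple(r[q] for q in quasi_ids)] >= k]


# Constructed sample rows (not real patients).
SAMPLE = [
    {"name": "A. Example", "mrn": "000123", "zip": "10001", "dob": date(1980, 5, 2),
     "sex": "F", "admit": date(2019, 3, 4), "dx": "E11"},
    {"name": "B. Example", "mrn": "000124", "zip": "10002", "dob": date(1981, 9, 12),
     "sex": "F", "admit": date(2019, 7, 1), "dx": "I10"},
    {"name": "C. Example", "mrn": "000125", "zip": "10003", "dob": date(1979, 1, 30),
     "sex": "F", "admit": date(2019, 2, 11), "dx": "E11"},
    {"name": "D. Example", "mrn": "000126", "zip": "03601", "dob": date(1925, 12, 25),
     "sex": "M", "admit": date(2019, 11, 9), "dx": "J18"},
]
AS_OF = date(2019, 12, 31)


def run(records=SAMPLE, as_of=AS_OF, k=2):
    """Return (Safe-Harbor output, output after suppressing groups smaller than k)."""
    deid = [deidentify(r, as_of) for r in records]
    safe = suppress_small_groups(deid, ("zip3", "sex"), k)
    return deid, safe


if __name__ == "__main__":
    deid, safe = run()
    for r in deid:
        print("safe harbor:", r)
    for r in safe:
        print("k=2 retained:", r)
```

The fourth constructed row illustrates both Safe Harbor edge cases: its ZIP prefix is in the restricted set, so it becomes `000`, and its age exceeds 89, so it becomes `90+`. It is also the only record with its (`zip3`, `sex`) combination, so the k=2 check drops it; in a real Expert Determination the quasi-identifier set, the threshold and the suppression strategy would be chosen from a measured re-identification risk rather than fixed as here.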