Patient Privacy & Data Protection: Different laws around the world

As our digital lives expand, we’ve all found that protection of our personal data is crucial in every transaction we make. However, the most complex and sensitive personal data may be that concerning our health. Laws around the world are in force or on deck to help mitigate cybersecurity attacks and data breaches that continue to plague the industry (1).

What is patient data security & privacy in healthcare?

Let’s break down key words surrounding our most sensitive information when it comes to our digital health profile.

privacy // noun

freedom from unauthorized intrusion // one’s right to privacy.

security // noun

measures taken to guard against espionage or sabotage, crime, attack, or escape.

confidentiality // noun

the state of keeping or being kept secret or private

 

2018: Enforcing the General Data Protection Regulation (GDPR)

Patients in the US identified potential privacy breaches and data security as a bigger concern than the cost of healthcare (2). When patients don’t feel like their information is confidential, they may be less likely to be as truthful and even less likely to visit their doctors at all. With less information to go on, doctors may find it harder to accurately diagnose and treat illness.

[Figure: World Internet Usage (3). Q2 2020 estimates; penetration rate as % of population, by geographic region.]

In other countries, patients are equally concerned with their individually identifiable health information. The European Union enacted the General Data Protection Regulation (GDPR) in April 2016 and it became enforceable in May 2018 (4). This regulation inspired new laws in many other countries and U.S. states.

2019: Big Data & Security Front and Center

Big data security and privacy issues in healthcare were front and center in 2019. Record-high breaches (5) impacted several million patients (6). In the U.S., the Office for Civil Rights (OCR) posted record years in 2018 and 2019 for HIPAA settlements and judgments (7) surrounding breaches in electronic health records (EHR).

2020: Global Movement In Data Protection

2020 Healthcare Breaches (8)

The breakdown in security triggered a global movement toward stricter data privacy and protection rules, including steeper fines, to address issues like cybersecurity and patient rights to their data.

Here is a look at some of the new and updated data protection rules and laws and how they address the importance of data privacy in healthcare.

2020 Updates: Data Privacy Laws

European Union: General Data Protection Regulation (GDPR)

The GDPR has been in effect since 2018, and 2020 promises to see a finalization of federal laws to comply with the Act in all EU countries including Greece, Portugal and Slovenia. The GDPR is viewed as the preeminent regulation around the world, recognizing privacy as a fundamental human right and prohibiting the collection and processing of personal data without legal basis.

The head of the European Commission, Margrethe Vestager, is calling for stricter enforcement of the laws and policies. Any organization, anywhere in the world, including healthcare, is obliged to notify the authorities in the case of a breach that compromises the personal data of an EU citizen. This applies to healthcare providers anywhere in the world, if they are treating and thereby gathering data and information on an EU resident.

Germany: Patient Data Protection Act (PDPA)

Germany adopted the PDPA in 2020 with the rollout to happen over several years. The regulations are designed to help protect personal and sensitive patient data while moving toward a more digital system that they believe will provide better care for patients. The new regulations surround security of, access to and control over information stored in a universal electronic patient record (EPR).

Patients are the primary data custodians for their own information and all entities involved in the patient’s care are required to protect the data. Data that may be stored, deleted and controlled by the patient in the EPR could include images, e.g., X-Rays, vaccination and maternity records, pediatrics and even a child’s ‘tooth bonus booklet.’

Physician referrals will be electronically transferred and in 2021, prescriptions will be downloaded to an app for fulfillment at the patient’s pharmacy of choice. The data will be transferable if the patient changes health insurers. Look for even further granularity in 2022 with data filtering and sharing via smartphone apps. In 2023, patients will have the opportunity to have their pseudo-anonymized and encrypted data stored for medical research purposes.

USA: Healthcare Insurance Portability & Accountability Act

HIPAA is now over 20 years old and the last major changes were enacted in 2013. 2020 may see the introduction of a controversial national patient identifier. Proponents believe the identifier will help with patient matching and minimize medical errors and misidentification. Opponents believe that the identifier threatens patient privacy. Medicare beneficiaries now have a healthcare identifier as of January 2, 2020. Stay tuned to HIPAA as this topic unfolds.

Health & Human Services (HHS)

Two new rules went into effect in March 2020. Issued by the HHS Office of the National Coordinator (ONC) for Health Information Technology and Centers for Medicare & Medicaid (CMS), the rules implement interoperability and patient access provisions that were outlined in the 21st Century Cures Act.

The new rules are designed to give patients secure access to, use of and the capability to exchange their health data. The data will be accessible to patients via typical smartphone apps so they can safely view, control and share through digital tools similar to those they use to schedule appointments or book flights. What to watch in 2020? How unfettered patient access to data may conflict with HIPAA or state laws (9).

California Consumer Privacy Act (CCPA)

Considered the most comprehensive data privacy act currently in effect in the U.S., the CCPA gives California residents more control over the personal information that businesses collect. When it comes to health data and privacy in California, the CCPA layers onto both HIPAA and the California Confidentiality of Medical Information Act (CMIA). The CMIA and now the CCPA impose wider and more stringent regulations and greater protection of privacy than HIPAA. Look for more U.S. states including Nevada, New York, Texas, and Washington to enact laws similar to CCPA in 2020 and beyond.

Brazil: Lei Geral de Proteção de Dados (LGPD)

The LGPD aims to consolidate and align Brazil’s rules that are spread across various legislative provisions governing privacy and personal data. Written to mirror the international standards set with the EU’s GDPR, the LGPD just went into effect in August 2020. The law applies to entities that process any personal data including health, sexual, biometric and genetic. The law differs from the GDPR in a couple of ways: anonymized data is not excluded if it is used for behavioral profiling and cross-border transfer is prohibited.

Potential data privacy regulations are on the horizon in India, South Korea & Thailand.

India: Personal Data Protection Bill (PDPB)

In August 2017, the Indian Supreme Court upheld that privacy is a fundamental right (10). This ruling led to the drafting of a sweeping Personal Data Protection Bill in 2019.

The first data protection bill of its kind in India, the proposed legislation lays out a legal framework designed to protect and regulate personal data including appropriate flow and usage by the entities that process data. Norms, accountability and remedies are outlined to address cross-border transfers, processing, unauthorized and harmful processing. A Data Protection Authority would be established to oversee all processing activities.

The bill was sent to a Joint Parliamentary Committee for further review and has potential to pass in the near future.

Thailand: Personal Data Protection Act (PDPA)

The PDPA became law in May 2019 and became enforceable a year later. This grace period allowed for subordinate regulations to be issued and for organizations to put policies in place to become compliant.

Many of the regulations outlined in the PDPA align with the European Union’s GDPR with some additional concepts unique to Thailand. Intrinsic to the law is control, consent and knowledge: individuals control how their data is collected, stored, shared and protected; they have the right to know who has their data and how it is being used and shared.

South Korea: Personal Information Protection Act (PIPA)

Part of a broad effort to secure an agreement with the European Union, South Korea is updating the PIPA as well as the Act on the Promotion of IT Network Use and Information (Network Act).

Proposed amendments will align the country’s laws more closely with the EU’s General Data Protection Regulation (GDPR), exerting tighter control over companies that handle personal data and a more defined enforcement of the laws.

How Healthcare Patient Data Privacy Needs & Awareness Drive Med Tech Innovation

While the laws surrounding consumer consent and data protection are too broad in scope to recap in full here, we see how patient awareness and patient rights are challenging and inspiring health tech innovation.

In the article How Hospital IT Can Influence Digital Healthcare Decision-Making, we explore the importance of integration: how it contributes to increased efficiency and works to boost data security while minimizing associated risk factors.

[1] Healthcare Dive, https://www.healthcaredive.com/news/healthcare-again-tops-industries-for-cybersecurity-attacks-data-breaches/552403/
[2] HIPAA Journal, https://www.hipaajournal.com/patient-privacy-and-security-are-greatest-healthcare-concerns-for-consumers/
[3] Internet World Stats, https://internetworldstats.com/stats.htm
[4] GDPR EU, https://gdpr.eu/ 
[5] Health IT Security, https://healthitsecurity.com/news/data-of-15m-patients-impacted-retrieved-in-lifelabs-cyberattack
[6] Health IT Security, https://healthitsecurity.com/news/11.9m-quest-diagnostics-patients-impacted-by-amca-data-breach 
[7] U.S. Department of Health & Human Services, https://www.hhs.gov/about/news/2019/02/07/ocr-concludes-all-time-record-year-for-hipaa-enforcement-with-3-million-cottage-health-settlement.html 
[8] Tech Jury, https://techjury.net/blog/healthcare-data-breaches-statistics/#gref
[9] Bloomberg Law, https://news.bloomberglaw.com/health-law-and-business/busy-privacy-agenda-for-2020-has-health-companies-on-edge 
[10] DLA Piper, https://www.dlapiperdataprotection.com/index.html?t=law&c=IN&c2