Protecting personal data beyond HIPAA

Safeguarding protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) is important, but what responsibilities do hospitals have to protect other types of personally identifiable information (PII)? What concrete steps can hospitals take to follow through on these responsibilities? Meg Grimaldi, Director of Compliance at Martin Luther King, Jr. Community Hospital in Los Angeles, and Sarah Bruno, Matthew Mills, and Jade Kelly, Partners at Arent Fox LLP, answered these questions in a Health Care Compliance Association (HCCA) webinar titled, “Navigating the Rest of the Iceberg: Privacy and Security Compliance Beyond HIPAA.”

Grimaldi began by reminding hospitals of the different types of information they encounter and the manner in which they encounter them. Aside from PHI gleaned through medical records, for example, hospitals may take in data used in accessing patient portals or submitted through event registrations and surveys. When gathering such information, hospitals must weigh the benefits of detriments of easy to use portals with the need to verity identity. User IDs, passwords, and personal questions are no longer sufficient to protect data; instead, hospitals should implement two-factor authentication—something a person knows, such as a User ID and password, with something a person has, such as a card or mobile device. Some hospitals may even consider utilizing biometrics. Hospitals should carefully consider the need to use cookies, which store data. If using cookies, session cookies are less risky because they do not save personal information beyond a single session. The use of long-term cookies must be carefully safeguarded.

The hospitals, themselves, may handle payment information or employee information submitted through secure portals, or may farm these duties out to third parties, but they remain no less responsible for the protection of the PII. Hospitals must ensure that business associate agreements (BAAs) or other contracts hold third parties accountable for handling types of data.

In general, hospitals should implement safeguards such as network segmentation, security scans, penetration testing, and encryption. In addition, they should routinely review software patching solutions, implement active alerts in intrusion detection systems, and periodically perform test backups. When data is no longer needed, hospitals should destroy it.

Bruno noted a need to categorize data as falling into the purview of specific laws, including HIPAA, the Children’s Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277), and various other federal and state laws, as well as industry standards. In addition, hospitals should take note that European countries accept a much broader definition of PII than the U.S., and that care should be taken the handling of information from European nationals. The hospital’s website should disclose its privacy practices. Mills discussed laws and industry standards that govern debtor data, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to provide their customers with notice of the institutions’ privacy practices and to safeguard sensitive data.

Kelly discussed hospitals responsibilities with respect to employee data, including noting in many cases that employee medical information should be kept separate from personnel files and accessed only by certain authorized individuals. Employer must also be sure to comply with the Fair Credit Reporting Act (15 USC § 1681 et seq.) and any applicable state laws.

Grimaldi discussed the need to inform employees of the location of PII policies and procedures and make sure they are easily accessible to employees. Hospitals should diversify training materials to discuss types of data beyond PHI so that they understand what must be protected. It is crucial for hospitals to use plain language, skipping jargon, abbreviations, and acronyms, to ensure that each employee understands what is being discussed. For example, many employees may understand the importance of not clicking on strange emails, but may not know that the tactic is referred to as “phishing” and may thus not understand directions about responses to phishing campaigns. It has been suggested that information needs to be communicated seven times before it is truly understood, so it is important to deliver information in various modes, including training, newsletters, and staff huddles. Hospitals should train employees in various social engineering techniques that are relevant to the particular organization.

Bruno noted that hospitals must create a culture in which employees feel comfortable letting the organization know about potential and actual breaches, which are inevitable, whether through a malicious hack or a lost laptop. Once a breach is identified, a number of individuals should be involved in the response, including the privacy officer, the head of marketing, and the chief information security officer (CISO).