Unlocking the Key to Compliance: Data Privacy Health Checks for Healthcare Organisations 

Healthcare companies are some of the biggest targets of cyber-attacks, with health data being a particularly sensitive form of personal data.  

Healthcare organisations store, maintain and transmit vast amounts of data to support the delivery of efficient and appropriate patient care. According to a recent study, hospital data breaches increased across the US in 2020, affecting around 26.4 million people. Healthcare data breaches have doubled since 2014.  

During the COVID pandemic, fears were expressed in the UK over thousands of National Health Service (NHS) patients’ private data being shared with strangers as details were mistakenly mixed up and sent out to the wrong people.  

The proliferation of cloud computing and AI presents opportunities and risks with respect to healthcare and data protection. Both technologies have the potential to revolutionise patient care, increasing the accessibility of critical patient data, the speed and accuracy of diagnosis, and the ability to identify and cure new diseases. Nonetheless, if these technologies are not implemented properly, there is a risk that patient privacy will be compromised.  

The starting point for data protection in the healthcare field is the relevant legislation, which contains important first principles. Under the GDPR, health data is a class of special category data, i.e. it is personal data that needs more protection because it is sensitive. Article 9 of the GDPR lists the conditions for processing special category data: 

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Certain legitimate activities of not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law) 

When processing health data, or any other special category of data, as well as establishing the proper legal basis for processing, it is advisable to conduct a Data Protection Impact Assessment (DPIA). 

In the USA, the Health Insurance Portability and Accountability Act (HIPAA) applies. HIPAA consists of the Privacy Rule and the Security Rule. The Privacy Rule dictates who has access to an individual’s medical records and what they can do with that information. Under the Security Rule, a health organisation must do its due diligence and work to keep patient data secure and safe. The Security Rule focuses on electronically transmitted patient data rather than information shared orally or on paper.

Under the Security Rule, entities covered by HIPAA must have in place:

  • Administrative safeguards: policies and procedures designed to clearly show how the entity will comply with the act, including internal audits, outsourcing and third-party compliance frameworks;
  • Physical safeguards: controlling physical access to protect against inappropriate access to protected data; and
  • Technical safeguards: controlling access to computer systems and enabling covered entities to protect communications containing health data transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.

Organisations and businesses processing significant amounts of health data will benefit from undertaking a data privacy Health Check. This process involves identifying and mitigating potential data breaches, highlighting any training needs for your team, tightening your company’s risk management and demonstrating an auditable paper trail.