Handling Patient-Generated Health Data Securely
Patient-generated health data is being used more and more by physicians - while it can help supplement clinical data, PGHD isn't without its own data privacy and security concerns.
Patient-generated health data, data that's gathered via digital health tools, records, apps, and other IoT devices, has seen increased usage, especially over the last several years by hospitals and clinics to supplement clinical data, but doing so isn’t possible without a degree of risk.
According to a study carried out by the American Medical Association and Accenture last year, over 50 percent of physicians said they planned to adopt the usage of PGHD at their practice within the next one to two years. It's not a surprise, especially with the advent of devices that measure data like Fitbits and Apple Watches. The usage and storage of electronically-captured PGHD is still new and not universally regulated. That doesn't mean is may not fall under state, organizational, or federal laws - like HIPAA - though.
The American Medical Association is reminding facilities this week that it has resources in house to help doctors, physician practices, and healthcare organizations ensure that patient-generated data (PGHD) is safeguarded.
Included among the tools are:
- Two webinars, "How to Conduct a Security Risk Analysis," and "Cybersecurity: A Patient Safety Issue," designed to help physicians protect patients' health information, comply with the HIPAA Security Rule, and identify and assess risk.
The “How to Conduct a Security Risk Analysis” webinar contains a sample HIPAA security work plan, along with tips for organizations just developing security programs and orgs with one already in place. It also contains recommended security rule policies and procedures, like having a data backup plan, security audit policy, and user identification and authentication programs in place.
The "Cybersecurity: A patient safety issue" webinar emphasizes the AMA’s stance on cybersecurity, namely how it’s critical it is for doctors to view cybersecurity as patient safety issue and how practices need to practice good cybersecurity hygiene.
- A cyber hygiene checklist physician's offices can use to keep office computers clean and up to date.
Included in the checklist are tips that should be common knowledge for those working in environments with sensitive data, like creating strong passwords, and updating systems and software regularly.
The list also encourages users to disable macros in Microsoft Office. Macros, a way the software automates tasks, has been a favorite vector of hackers for years when it comes to exploiting systems with malware.
“Data should be cleaned of malicious code before it’s fully incorporated into the patient’s general health record and we encourage the health IT community to be proactive in assisting physicians with this need. There’s also the concern beyond just the data. The applications that send the data can themselves be a route to attack a physician’s health IT network," Matt Reid, an AMA senior health IT consultant told the AMA's Andis Robeznieks.
- A digital health implementation playbook, something the association says provides key steps, best practices, and other resources to foster the implementation of digital health solutions.
The 102-page document walks physicians and healthcare administrators through deploying and scaling digital health technology in 12 steps: Identifying a Need, Forming a Team, Defining Success, Evaluating the Vendor, Making the Case, Contracting, Designing the Workflow, Preparing the Care Team, Partnering with the Patient, Implementing, Evaluating Success, and Scaling.
This particular line, about cybersecurity regulation, touches on how to approach patient generated data: "However, HIPAA compliance is not necessarily enough to protect PHI. Information might come into your practice through medical devices and patient apps—for example, a remote patient monitoring (RPM) service. HIPAA doesn’t apply to medical device manufacturers or patients, so physicians must be extra diligent when evaluating how to incorporate information from those sources."
The document also outlines a list of financial and legal documents that may help facilities during their contracting process, and considerations when designing an implementation workflow.
The Office of the National Coordinator for Health Information Technology's (ONC) website also has insight – and a report, “Conceptualizing a Data Infrastructure for the Capture, Use, and Sharing of Patient-Generated Health Data in Care Delivery and Research through 2024,” around how to handle patient-generated health data.
The report, issued at the beginning of 2018, says organizations need to assess data privacy and security implications when choosing patient-facing tech. After all, once a clinic collects PGHD, it could go on to mesh with a patient's medical records, which means rules around data privacy and security may apply.
While organizations should ask themselves if any privacy and security laws or regulations apply, ultimately, the ONC says the best course of action is store and transmit data with the same rigor as other PHI and to communicate to the patient who will have access to the data, and how/if it will be shared.