Given the highly sensitive nature of the personal data that healthcare providers and practitioners record and store, the healthcare industry is a prime target for data protection and privacy regulators.
In this post we give an overview of healthcare compliance today, paying specific attention to ICD-10 diagnostic codes, and show how NetApp Cloud Compliance can help healthcare organizations stay compliant.
Healthcare Data Privacy Regulations
An individual’s health and healthcare history are extremely personal information. Many organizations hold or process this kind of information; insurers (including self-insuring employers), private clinics, hospitals, and medical research facilities are obvious examples. Because of its sensitivity, healthcare data is subject to stringent data privacy regulations.
The better known compliance regulations include:
- The Health Insurance Portability and Accountability Act (HIPAA), enacted by the US Congress in 1996 and implemented through rules issued by the US Department of Health and Human Services (HHS), establishes national standards for protecting individually identifiable health information ("protected health information", or PHI); the HIPAA Security Rule covers PHI in electronic form.
- The General Data Protection Regulation (GDPR), in force in the European Union (EU) since May 25, 2018, strengthens the rights that individuals in the EU ("data subjects") have over the collection, use and retention of their personal data. It also binds organizations outside the EU ("data controllers" and "processors") when they offer goods or services to, or monitor the behavior of, people in the EU.
- The California Consumer Privacy Act (CCPA), enacted by the State of California in June 2018, gives GDPR-like rights to California residents. It took effect on January 1, 2020, and enforcement by the California Attorney General began on July 1, 2020.
Diagnostic information is a good example of the sensitive personal health data protected by these and other regulations. The World Health Organization (WHO) maintains the International Classification of Diseases (ICD), whose codes are used around the globe in personal health records and in health research.
What Is ICD-10?
The ICD is a comprehensive, hierarchical classification of diseases, disorders, injuries, and other health conditions. ICD-10 was endorsed by the World Health Assembly in May 1990 and has been in use by WHO member states since 1994; the WHO publishes periodic updates as clinical practice evolves, and several countries maintain national modifications (the US, for example, uses ICD-10-CM for diagnosis coding). The next major revision, ICD-11, was released in June 2018 and comes into effect for reporting on January 1, 2022.
ICD-10 is used by healthcare systems around the globe to manage reimbursement programs and to support evidence-based health policy by monitoring national and global health trends. In day-to-day practice, a healthcare practitioner records ICD-10 codes in a patient’s electronic health record to specify the diagnoses made. These codes, together with other healthcare information, are then used in de-identified or aggregated form to monitor the incidence and prevalence of diseases, the effectiveness of treatment protocols, mortality levels, and so on.
ICD-10 and HIPAA Compliance
When compliance with the HIPAA Privacy Rule became mandatory in April 2003, electronic health records (EHRs) were not as ubiquitous in the US as they are today. To incentivize covered entities (CEs), meaning healthcare practitioners, providers, health plans and clearinghouses, to invest in EHR systems, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009 as part of the general economic stimulus bill. HITECH also tightened HIPAA’s data protection requirements (breach notification, direct liability for business associates, higher penalties), and today the US healthcare industry must comply with HIPAA as amended by HITECH.
The key HIPAA data protection requirements (the Security Rule safeguards, as strengthened by HITECH) include:
- Access control: CEs and their business associates that hold PHI must restrict access to authorized users through:
  - Physical safeguards that control access to data storage facilities, workstations and electronic media.
  - Technical safeguards such as unique user identification and authentication, automatic logoff, and encryption and decryption of electronic PHI.
- Audit controls: activity involving electronic PHI must be recorded and reviewable.
- Integrity controls to detect improper alteration or destruction of data, together with the HITECH breach notification rule: affected individuals and HHS (and, for breaches affecting 500 or more people, the media) must be notified.
- Backup and disaster recovery (contingency planning), so that errors and failures can be remediated quickly without loss of data.
- Transmission security for every channel that carries PHI, including email and connections to public and private clouds.
HIPAA compliance is enforced by the HHS Office for Civil Rights (OCR). The OCR applies a tiered approach to civil penalties, as shown in the table below, with a cap of $1,500,000 per calendar year for all violations of the same provision (the amounts are adjusted for inflation):
| Violation category | Penalty per violation |
|---|---|
| (A) Did not know of the violation, and could not reasonably have known | $100 to $50,000 |
| (B) Reasonable cause to know of the violation, but not willful neglect | $1,000 to $50,000 |
| (C)(i) Willful neglect, corrected within 30 days | $10,000 to $50,000 |
| (C)(ii) Willful neglect, not corrected | $50,000 (minimum) |
Source: Federal Register
In 2019 alone, the OCR collected $15.27 million in HIPAA settlements and civil penalties, ranging from $10,000 to $3,000,000 per CE. Among the most common violations is use or disclosure of more than the minimum protected health information necessary for the purpose for which it is being accessed (the Privacy Rule’s "minimum necessary" standard). CEs must be especially careful to keep ICD-10 diagnostic information away from anyone who has no legitimate need for it. And if ICD-10 information is submitted to a central healthcare registry, the CE must make sure the data set is properly de-identified (under HIPAA, by the Safe Harbor method, which removes 18 categories of identifiers, or by expert determination) so that it cannot be traced back to the patients themselves.
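The following is an added example, not code from the original article or from NetApp, showing what the two controls just described look like in practice: projecting a patient record to the minimum necessary fields before it leaves the covered entity, and checking that the export cannot easily be traced back to a patient. The field names, the fictitious patients and the linking key are assumptions made for the example (in production the key would live in a KMS or HSM, never in source). It is deliberately a simplification: it is not a complete HIPAA Safe Harbor implementation, and a keyed pseudonym is still personal data under the GDPR for whoever holds the key.

```python
"""De-identifying ICD-10 diagnostic records before they leave a covered entity.

Added example (not from the original article). Assumptions: field names and
sample patients are invented; LINK_KEY is a literal here only; this is not a
full HIPAA Safe Harbor implementation (Safe Harbor enumerates 18 identifier
types), and a keyed pseudonym remains personal data for the key holder.
"""
import hashlib
import hmac
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample records: fictitious patients, not real data.
SAMPLE_RECORDS: List[Dict] = [
    {"mrn": "MRN-000123", "name": "Alice Example", "dob": "1984-03-09",
     "zip": "02139", "sex": "F", "icd10": ["I10", "E11.9"]},
    {"mrn": "MRN-000124", "name": "Bob Example", "dob": "1985-11-30",
     "zip": "02142", "sex": "M", "icd10": ["J45.20"]},
    {"mrn": "MRN-000125", "name": "Carol Example", "dob": "1984-07-21",
     "zip": "02138", "sex": "F", "icd10": ["E11.65"]},
    {"mrn": "MRN-000126", "name": "Dan Example", "dob": "1985-02-02",
     "zip": "02140", "sex": "M", "icd10": ["I10", "E78.5"]},
]

# Hypothetical linking secret. The registry never receives it, so it cannot
# reverse a pseudonym; the covered entity can re-derive the pseudonym to act
# on an erasure request or a data subject access request.
LINK_KEY = b"example-only-secret-do-not-use-in-production"

# Fields that must never appear in a registry export.
DIRECT_IDENTIFIERS = {"mrn", "name", "dob", "zip"}

# Shape of an ICD-10 code: category (letter + two characters) and an optional
# alphanumeric extension after the decimal point (ICD-10-CM allows up to 4).
ICD10_RE = re.compile(r"^[A-Z][0-9][0-9A-Z](\.[0-9A-Z]{1,4})?$")


def pseudonymize(mrn: str, key: bytes) -> str:
    """Stable, keyed pseudonym for a medical record number (HMAC-SHA256)."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()


def registry_record(rec: Dict, key: bytes) -> Dict:
    """Project one patient record to the minimum necessary for a registry:
    direct identifiers dropped, date of birth and ZIP generalized, and the
    diagnostic codes validated so malformed input is rejected, not exported."""
    bad = [c for c in rec["icd10"] if not ICD10_RE.match(c)]
    if bad:
        raise ValueError(f"malformed ICD-10 code(s): {bad}")
    return {
        "pid": pseudonymize(rec["mrn"], key),
        "birth_year": rec["dob"][:4],   # year only, not the full date
        "zip3": rec["zip"][:3],         # first three digits only
        "sex": rec["sex"],
        "icd10": sorted(rec["icd10"]),
    }


def k_anonymous(rows: Iterable[Dict], quasi=("birth_year", "zip3", "sex"),
                k: int = 2) -> bool:
    """True if every combination of quasi-identifiers is shared by at least
    k rows, i.e. nobody is unique on the attributes an attacker could link
    to public data such as voter rolls."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return bool(counts) and min(counts.values()) >= k


def prepare_export(records: Iterable[Dict], key: bytes, k: int = 2) -> List[Dict]:
    """Build the registry export and refuse to release it if a direct
    identifier slipped through or a quasi-identifier group is too small."""
    rows = [registry_record(r, key) for r in records]
    for row in rows:
        leaked = DIRECT_IDENTIFIERS & set(row)
        if leaked:
            raise ValueError(f"direct identifier in export: {sorted(leaked)}")
    if not k_anonymous(rows, k=k):
        raise ValueError(f"re-identification risk: a quasi-identifier group has fewer than {k} rows")
    return rows


if __name__ == "__main__":
    for row in prepare_export(SAMPLE_RECORDS, LINK_KEY):
        print(row)
```

Two design points are worth noting. First, the export is refused rather than silently truncated when a quasi-identifier group is smaller than k; with only three of the four sample patients, Bob is unique on (birth year, ZIP prefix, sex) and the export fails. Second, the pseudonym is keyed: a plain hash of a medical record number can be reversed by brute force over the small MRN space, whereas an HMAC cannot be reversed without the secret that stays with the covered entity.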
ICD-10 and GDPR Compliance
The GDPR grants extensive rights to individuals in the European Union (data subjects) to exercise control over their personal information. It takes a risk-based approach: the more sensitive the personal information, the more stringent the requirements. Diagnostic codes are "data concerning health", one of the special categories of personal data under Article 9, and because they can affect a data subject’s rights, for example the ability to be employed or insured, ICD-10 codes are subject to the highest level of privacy controls:
- Lawful basis and consent: processing health data is prohibited unless an Article 9 exception applies. Where the basis is consent, for example for use of ICD-10 codes in clinical trial documentation, the data subject must give it explicitly and may withdraw it at any time; processing based on that consent must then stop and, absent another lawful basis, the codes must be erased.
- Purpose limitation and data minimization (privacy by design): healthcare companies must be able to show that they collect and process ICD-10 codes only as needed for a declared purpose.
- Access: healthcare companies must be able to tell data subjects whether their ICD-10 personal data is being processed, where, and for what purpose. On request, and free of charge for the first copy, the company must provide the personal data, in a commonly used electronic form if the request was made electronically.
- Erasure and rectification: data subjects can require a healthcare company to delete their ICD-10 data when it is no longer necessary for the purpose it was collected for, when consent is withdrawn and no other lawful basis exists, or when it was processed unlawfully, and to correct data that is inaccurate or incomplete.
- Protection: companies must be able to demonstrate appropriate technical and organizational measures (Article 32) to secure ICD-10 data against loss, alteration or exfiltration.
- Notification: if ICD-10 data has been breached, healthcare companies must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to them.
Each European Union country designates a supervisory authority to administer the GDPR, and the fines and sanctions can be significant if a healthcare company is found to have neglected its responsibilities. The fine tier depends on which provisions were infringed rather than on whether a breach actually occurred: infringements of the basic processing principles, the conditions for consent, data subject rights, or the special-category rules carry fines of up to 4% of annual global turnover or €20 million, whichever is higher, while failures of controller and processor obligations such as security measures, breach notification and impact assessments carry fines of up to 2% of annual global turnover or €10 million, whichever is higher.
Healthcare Compliance with NetApp® Cloud Compliance
NetApp Cloud Compliance is a data privacy and compliance tool that applies always-on, AI-driven privacy controls to data stored with NetApp in the cloud (Cloud Volumes ONTAP on AWS, Azure or Google Cloud, and Azure NetApp Files) and in Amazon S3.
The first benefit for healthcare companies is that NetApp Cloud Compliance automatically and continuously identifies files that contain sensitive healthcare data as defined by privacy regulations such as HIPAA and GDPR, including ICD-10 codes. Rather than relying only on simple search and pattern matching, it uses AI algorithms to understand the data in context, which improves both accuracy and coverage.
Once the relevant healthcare files have been mapped, NetApp Cloud Compliance can then automatically locate and alert to data privacy violations, facilitating quick remediation and mitigating the risk of data breaches. Other NetApp Cloud Compliance benefits include:
- Easy investigation of files containing sensitive healthcare data by file type, working environment, and other segmentation parameters.
- Real-time generation of the reports needed to answer Data Subject Access Requests (DSARs), which can otherwise take weeks to assemble.
- Data Protection Impact Assessment (DPIA) reports for risk and management teams, supporting ongoing assessment and improvement of the healthcare organization’s security posture.
- Retained audit trails and log reports that demonstrate proactive compliance with the relevant privacy regulations.
- Identification of sensitive healthcare data in general, and ICD-10 codes in particular, so that it is migrated in compliance with regulatory restrictions.
Healthcare compliance is complex and stringent, and for very good reasons. Healthcare companies and practitioners collect, process, and retain highly sensitive personal health data that, if accessed improperly or lost, could have serious repercussions for the individual. A prime example is a patient’s diagnostic status or history as recorded in ICD-10 codes: this information could be used against them by current or potential employers, by insurance companies, or by attackers seeking to blackmail them.
Sign up for NetApp Cloud Compliance for Amazon S3 buckets, Cloud Volumes ONTAP, or Azure NetApp Files here so that you can maintain a robust security posture for healthcare data that you store in these cloud environments.