Missing Piece Blog

Addressing Healthcare Practitioners’ Medical Data Privacy Concerns

As an ABA practitioner or behavioral healthcare practitioner who collects patients’ information for medical data systems, you may be concerned about how the information is collected and stored. You’re not alone. 

A study titled “Privacy and Security Concerns Regarding Electronic Health Information” on the website of the National Library of Medicine notes a general concern about the security of collected data. Even if you go above and beyond to protect your clients’ data, both your practice and clients may still be vulnerable to accidental or intentional leaks from internal members or outsiders who gain unauthorized access to the system for their own reasons. 

Regrettably, no system is perfect, and there’ll always be a degree of risk that someone may access your data. That said, you can take some consolation from the fact that, regardless of whether you process data in-house or work with a third party, the digital systems used for medical data collection and storage take a number of steps to protect a patient’s personal and medical information.

Join us as we take a more detailed look at how these systems, laws, and regulations work to protect your patients’ private data from prying eyes.

Federal protection with HIPAA

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a federal law that was adopted to protect a patient’s sensitive health information from being disclosed without their consent. It also outlines the rules that need to be followed in specific circumstances in order to disclose such information without their consent. In their article “HIPAA security rule & risk analysis”, the American Medical Association describes how:

“The HIPAA Security Rule requires physicians to protect patients’ electronically stored, protected health information (known as “ePHI”) by using appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information. Essentially, the Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that covered entities must implement to secure ePHI.

All covered entities must assess their security risks, even those entities that utilize certified electronic health record (EHR) technology. Those entities must put in place administrative, physical and technical safeguards to maintain compliance with the Security Rule and document every security compliance measure.”

The article then discusses how to implement administrative, physical, and technical safeguards. Ultimately, it’s reassuring to know that there are federal laws in place to regulate the way people interact with your patients’ data.

Do new data privacy laws provide protection at a state level?

In addition to federal laws, many states have taken steps to implement general consumer data privacy and protection laws that are likely to provide additional protection for your information, particularly when it comes to certain aspects of HIPAA that may be out of step with recent developments in the digital domain. 

An article published by The International Association of Privacy Professionals ( IAPP) titled, “Filling the void? The 2023 state privacy laws and consumer health data” notes how the new privacy laws implemented by some states take a less sector-driven approach, instead providing a blanket of protection to all individuals. The various acts they believe could address the weaknesses of HIPAA are:

  • the California Privacy Rights Act,
  • the Virginia Consumer Data Protection Act,
  • the Colorado Privacy Act,
  • the Connecticut Data Privacy Act,
  • and Utah’s Consumer Privacy Act.

However, the reality is that these acts provide exemptions of varying degrees to data covered by HIPAA. While they may fill some of the gaps left by a somewhat dated HIPAA, ultimately, more focused acts such as Washington’s My Health, My Data Act, which only comes into effect on the 31st of March, 2024, may be needed to address any further outstanding weaknesses in health data protection at the state level.

How personal data is protected by medical data service providers

Even though there are areas of the law that need to be addressed at both federal and state level, that doesn’t mean that service providers for healthcare practitioners are leaving gaping holes when it comes to data privacy for medical records. Whether they’re involved with billing, data capture or handling your side of medical data collection, these organizations are taking the necessary steps to ensure that their staff and platforms are capable of protecting data on their platforms. The steps they take may include:

1. Ensuring connections and data are encrypted

Service providers also take steps to guarantee the integrity of medical data collection methods, including protecting data while it’s en route between a healthcare practitioner and their servers by encrypting the data as it’s transmitted online. They also prevent prying eyes from accessing data they don’t have the rights to by ensuring that it’s encrypted when it’s stored at their data centers.

2. Educating staff on HIPAA and cybersecurity

Staff who are educated about HIPAA regulations are aware of the laws that govern health data protection and what they’re legally obliged to do in order to avoid accidentally breaking them. Providing staff with additional education on cybersecurity also provides them with the information they need to avoid accidentally leaking information or providing access to an unauthorized individual. For example, ensuring employees are aware of password strength, fake links, and social engineering attacks can go a long way to enhancing cybersecurity.

3. Limiting the data that staff have access to

Service providers also provide additional security by ensuring staff only have access to data they need. That way, an individual cannot accidentally access data that is outside the scope of their duties, minimizing any risks of leaks or malicious acts.

4. Logging access to data

By logging who accesses data and when, service providers make it easier to identify any individuals involved in leaks or breaches and can then act accordingly. This acts as a deterrent to those who may have ulterior motives for accessing patient data.

5. Providing additional security features for mobile devices and other IoT devices

Many healthcare practitioners make use of mobile devices to access patient information, but doing so opens up another route for data to be compromised. By enabling additional security features such as biometric two-factor authentication, remote locks, or the ability to wipe a missing, stolen, or compromised mobile device, service providers add an extra layer of protection to patient health data. 

Similarly, many IoT devices, such as smart bands and smartwatches, are being used as tools to assist with gathering information about the user’s personal health. Unfortunately, not all of these tools are as secure as they should be, potentially creating new points of access for hackers. Good service providers are aware of the risks these devices pose and are taking steps to ensure that they’re secure, either through data connection encryption, strong passwords, multi-factor authentication, or by issuing regular software security updates.

6. Updating all of their own software for maximum security

A service provider isn’t just staffed by IT gurus who know all the ins and outs of their computer. They also make use of software that’s provided by other companies that they don’t maintain themselves.

To make sure that those who are less IT literate don’t pose a security risk to the data they have access to, service providers ensure that regular updates are done so that all the data in their care is as secure as possible.

7. Taking advantage of AI monitoring tools

Many service providers use AI to perform anomaly detection. What this means is that the AI is trained to understand how a network and different connections operate. Should it spot anything unusual, such as data from a connection it doesn’t recognize or a device that it’s never seen before, it can flag this as a potential security risk, close the connection, or deny the device access to the network. AI can also be used to identify suspicious files and quarantine them to prevent any damage from malicious software such as viruses, malware, and ransomware.

8. Providing offsite data backups

Even when a service provider takes all of the precautions we’ve listed here, there’s still a small chance that an employee error or weakness in their IT systems could result in a data breach or even being locked out of their systems if malware or ransomware is present.  Offsite data backups provide yet another additional layer of protection should something happen to the data at the primary site, allowing the service provider to roll back to the last backup, thereby minimizing any potential data losses.

Partner with an ABA billing provider Missing Piece, for peace of mind

If you’re looking for an ABA billing provider that takes your client’s data and their privacy seriously, be sure to reach out to our team at Missing Piece. Our team has been providing ABA therapy billing services to practices across the United States for more than a decade, allowing healthcare practitioners to focus their time and energy on helping their patients.
Contact us to find out more about the ABA billing and other services we offer.