Compliance in Healthcare: How HIPAA Protects Medical Data

Health information is a broad and varied spectrum of data, ranging from biological and psychological to social well-being, and it must therefore be fiercely protected. In this context, compliance laws are intended to fully protect the health data of patients and research participants in order to mitigate fraud and misuse, including misuse for publications, in the hospital sector and in clinical research centers. Health compliance is the implementation of federal health laws and regulations for the security of health data. Individuals, employers and companies that fail to comply with federal compliance laws such as HIPAA pose serious risks to their patients and research participants, and non-compliance may carry legal consequences.

The most well-known of these compliance standards in the United States is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was enacted in 1996 as part of the Social Security Act with the aim of helping Americans easily acquire health insurance from each employer; it has contributed to a remarkable improvement in the security of personal and health data, promoted the use of medical savings accounts, provided coverage for employees with pre-existing medical conditions, and simplified the administration of health insurance [1]. HIPAA was enacted to protect health care coverage for individuals who lose or change their jobs, and it protects private patient information from being shared without a patient’s knowledge or consent, with very few exemptions [1], [2].

There are four rules built into HIPAA – the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Omnibus Rule. The Privacy Rule went into effect in 2003; however, due to intense debates two years after the original legislation, the Security Rule did not go into effect until 2005. This facet of HIPAA, and later the Health Information Technology for Economic and Clinical Health Act (HITECH), specifically deals with electronically stored PHI (ePHI) and electronic health records (EHR). The Security Rule focused on three categories of security safeguards – administrative, physical and technical – all of which must be fully implemented to comply with HIPAA. The HIPAA Breach Notification Rule went into effect in 2009 and the Omnibus Final Rule went into effect in 2013. In 2009, HITECH expanded the scope of HIPAA by easing the Breach Notification Rule. It provides healthcare facilities with standards for using IT to implement electronic health records (EHR), promoting the adoption and meaningful use of health information technology with minimal risk to patients and research participants in hospital settings and clinical research centers [3], [4]. The Omnibus Final Rule did not add a substantial amount to HIPAA, but it filled in the gaps regarding the specification of the encryption standards that must be applied to render ePHI unusable, indecipherable and unreadable in the event of a breach. The Privacy and Security Rules were also amended to allow patient health information to be kept indefinitely, while new procedures were written into the Breach Notification Rule [1].


These are the 18 types of information that are considered protected health information (PHI) under HIPAA:

  • Name
  • Address (including any information more localized than state)
  • Any dates (except years) related to the individual, including birthdays, date of death, date of admission/discharge, etc. 
  • Telephone Number
  • Fax Number
  • Email address
  • Social Security number 
  • Medical record number 
  • Health plan beneficiary number
  • Account number 
  • Certificate/license number
  • Vehicle identifiers, serial numbers, license plate numbers
  • Device identifiers/serial numbers
  • Web URLs
  • IP address
  • Biometric identifiers such as fingerprints or voiceprints
  • Full-face photos
  • Any other unique identifying numbers, characteristics or codes

That’s why Gradient upholds security and anonymity as core principles of our business. There is great opportunity to do good through data in healthcare, but it must be done while upholding the highest standards for the patients themselves. Gradient strives to promote the highest standards in its HIPAA and SOC 2 compliance program. Gradient’s system de-identifies data at multiple steps along the journey, making sure data is thoroughly anonymized by the time it’s available for research. All data is de-identified on-premise using Gradient Health’s thorough de-identification software. All Protected Health Information is removed from metadata, and every image is scanned for potential Personally Identifiable Information (PII) and redacted.
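To make the metadata step concrete, here is an added example (written for this page, not Gradient Health’s de-identification software) that applies the 18 PHI categories listed above to a constructed metadata record: direct identifiers are dropped, dates are reduced to the year, the address is reduced to the state, and free-text fields are scanned for identifier-shaped strings (phone numbers, e-mail addresses, SSNs, IP addresses, URLs) and redacted. The field names, the sample record and the regular expressions are assumptions made for the example, not a real DICOM or EHR schema.

```python
"""Safe Harbor-style de-identification of a metadata record (added example)."""
import re
from datetime import date
from typing import Any

# Metadata keys that hold identifier categories which must be removed outright.
# These key names are an assumption for this example, not a real schema.
DIRECT_IDENTIFIER_KEYS = {
    "patient_name", "telephone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric_id", "photo_ref",
}

# Keys holding dates: only the year may be kept.
DATE_KEYS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifier-shaped substrings to redact inside free text such as a notes field.
# Order matters: URLs first so an embedded IP or e-mail does not leave fragments.
FREE_TEXT_PATTERNS = {
    "URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def redact_free_text(text: str) -> str:
    """Replace identifier-shaped substrings with a category tag."""
    for tag, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{tag} REDACTED]", text)
    return text


def generalize_date(value: str) -> str:
    """Keep only the year of an ISO-8601 date string."""
    return date.fromisoformat(value).strftime("%Y")


def generalize_address(addr: dict) -> dict:
    """Keep only the state; street, city and ZIP are more localized than state."""
    return {"state": addr["state"]} if "state" in addr else {}


def deidentify(record: dict) -> dict:
    """Return a new record with the 18 PHI categories removed or generalized."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_KEYS:
            continue                      # drop the field entirely
        if key in DATE_KEYS:
            out[key] = generalize_date(value)
        elif key == "address":
            out[key] = generalize_address(value)
        elif isinstance(value, str):
            out[key] = redact_free_text(value)
        else:
            out[key] = value
    return out


def residual_hits(record: dict) -> list:
    """Audit pass: list (key, category) pairs where identifier-shaped text remains."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for tag, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, tag))
    return hits


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "patient_name": "Jane Doe",
    "birth_date": "1984-07-22",
    "admission_date": "2021-03-14",
    "address": {"street": "12 Elm St", "city": "Durham", "zip": "27701", "state": "NC"},
    "medical_record_number": "MRN-0012345",
    "telephone": "919-555-0142",
    "modality": "CT",
    "body_part": "CHEST",
    "notes": "Call 919-555-0142 or jane@example.com; SSN 123-45-6789; scanner at 10.0.0.5.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual identifier hits:", residual_hits(clean))
```

The audit pass at the end is the part worth keeping in any real pipeline: after de-identification, re-scan the output and fail the job if anything identifier-shaped survives, rather than trusting that the removal step covered every field. Two things this example deliberately does not cover: the Safe Harbor method additionally requires ages over 89 to be aggregated (a year of birth alone is not enough for that group), and text burned into the image pixels needs the separate image-scanning step described above, which no metadata scrub can replace.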
