Why Data Security for Virtual Care is Our Top Priority
The way healthcare is delivered has gone through dramatic changes over the past few years, and these changes have been accelerated and cemented during the pandemic. With the increasing integration of technology and healthcare, data security is a growing concern for patients and providers alike.
When it comes to medical records and health information, we expect providers to have safeguards in place. What most consumers are not aware of, though, is that health data is not afforded the same legal protections as medical records. One of the largest areas of concern is the data collected by wearable technology, such as smartwatches, headphones, virtual reality headsets, and even heart monitors. Currently, this data does not have any legal protections.
“We are on a collision course with how to regulate health data as all the different types of wearables and health tech explode,” said Carmel Shachar, executive director of the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard, in a recent article.
As technology becomes a part of our everyday life, we as consumers rarely consider the amount of data we are sharing with companies, or what in turn we are allowing those companies to do with that data. Recently, a fertility-tracking app company was accused by the Federal Trade Commission (FTC) of misleading consumers about the privacy of their data. The FTC alleged that the company sold user data to Facebook after promising that information would be kept private.
“The global pandemic has effectively opened the floodgates to a wave of new telehealth solutions. Against this background of unprecedented deregulation, it’s more critical than ever that we cast a spotlight on compliance and data security in this new era of virtual care,” commented Dr. Patrick Quinlan, CEO of Hippo Technologies, Inc. “Hippo is excited to see the exponential growth of virtual care that has occurred over the past 18 months, and we recognize the need to protect the data captured during these healthcare interactions.”
One of the key differentiators for Hippo is our compliance and data security, built on Zyter’s industry-leading technology backbone. We go above and beyond the legal requirements to keep patient data secure.
Health Insurance Portability and Accountability Act
Perhaps one of the most widely known laws protecting patient medical data is the Health Insurance Portability and Accountability Act, also known as HIPAA. Passed by Congress in 1996, it provides many of the protections patients expect. Every healthcare provider (and anyone who works with a provider) must follow the industry-wide standards to ensure patients’ medical information is protected and remains confidential.
Under the Protection and Confidential Handling of Health Information title of HIPAA, health provider organizations and their business associates must create and follow specific procedures to ensure patient confidentiality and data security. This includes both paper and electronic information. Under HIPAA, only the information absolutely needed to treat a patient can be shared.
HIPAA also ensures that patients are given timely access to their medical records while restricting who can view specific information without a patient’s explicit consent. Any organization that handles medical information must put in place physical, administrative, and electronic safeguards to protect health information.
The growing amount of information stored in these records and the increasing use of electronic storage makes medical records a prime target for hackers. As the use of technology increases in medical practices, so do the risks. In 2020, over 642 data breaches, each affecting over 500 patients, were reported to the Department of Health and Human Services’ Office. In total, over 29 million healthcare records were breached. On average, there is a 25% increase every year in the number of healthcare data breaches.
At Hippo, we take data security seriously. The Hippo Virtual Care platform is fully HIPAA compliant; regular audits are conducted to identify possible risks of data breaches, and Hippo certifies each client’s installation post-customization. The platform has been deployed on AWS GovCloud for the US Department of Defense and the Department of Veterans Affairs, and on-premises for the US Navy. Hippo Virtual Care has also gone through the larger certification process for an Authority to Operate (ATO), involving the implementation of 1,500-3,000 security controls.
General Data Protection Regulation
Europe has a similar law to HIPAA called the General Data Protection Regulation (GDPR), which was adopted by the European Union (EU) in 2016. Under GDPR, businesses are required to meet universal standards to protect privacy and personal data. This protection extends to any EU residents’ personal data that is collected outside of the EU.
Under GDPR, information about a person’s identity, such as their name, address, or ID numbers, is protected, along with IP addresses, location data, cookies, and RFID tags. GDPR also ensures that highly sensitive data, including health data, biometric, genetic, racial and ethnic data, political opinions, and sexual orientation, remains private and secure.
Similar to HIPAA, GDPR places equal liability on the companies (or providers) that collect the data (referred to as the “controller” of the data) and on any external organization that helps process personal data collected by the controller (referred to as the “processor”), making it essential to ensure that vendors understand the protections and standards that must be in place to safeguard privacy and confidentiality.
Failure to comply with GDPR protections can result in some hefty fines, up to €20 million or 4% of global annual turnover.
Hippo Virtual Care is fully GDPR compliant. Regular audits are conducted to identify possible risks of data breaches or privacy violations. The certification is associated with each installation post-customization.
Building patient trust by going above and beyond
Both EU and US residents are very concerned about their privacy. In a 2019 survey on data privacy and security, 64% of US respondents stated they would blame the institution, rather than the hacker, for any lost data or breach. As consumers become increasingly educated, they want more transparency and responsiveness from the companies in control of their data.
The survey also found that 60% of consumers find wearables to be intrusive. In response to growing concerns, the Smartwatch Data Act was recently reintroduced in Congress. It would make all health-related data collected through apps, wearables, and trackers protected health information. With these added protections, companies would be prohibited from transferring, selling, sharing, or accessing any identifiable health information derived from consumer devices.
Hippo Virtual Care has the capacity to bring care beyond the physical and geographic divide, enabling providers to overcome the barriers of time, distance, and training. We value patient privacy, which is why we ensure security at all levels, following a “Zero Trust” policy for our server configurations. Security controls are implemented both at the application layer as well as at the network layer. All network access to the server is protected by a multi-layered firewall operating in a deny-all mode. Internet access is only permitted on explicitly opened ports for a subset of specified virtual hosts.
Hippo’s ATO certification means that our security levels reach maximum standards. In addition to meeting HIPAA and GDPR standards, our messaging system also uses the Advanced Encryption Standard with 256-bit keys (AES-256), which is the first and only publicly accessible cipher approved by the US National Security Agency (NSA) to protect top-secret information.
Rapid technology innovations have allowed medical care to pivot and continue providing care even under pandemic situations. Along with these innovations come new threats to patient data and privacy; that’s why having the right partner to accompany you in your virtual care journey is critical. Hippo goes above and beyond to ensure that when it comes to compliance, data security, and safeguarding patient privacy, you are in the safest of hands.
To learn more about Hippo’s approach to compliance and data security, read our white paper: