Medical Data Privacy in a Connected World

As consumers in today’s increasingly connected world, we are used to revealing much about ourselves to utilize a variety of services, whether they are search engines, navigation apps, or purchasing sites. This information has become the currency by which we access these services.

Personally Identifiable Information (PII) is any information that can be directly or indirectly linked to an individual’s identity. However, in the medical world, protection of Protected Health Information (PHI), a subset of PII, is mandated by the Health Insurance Portability and Accountability Act (HIPAA) and includes at least eighteen specific elements, including names, social security numbers, addresses, and demographics. Identification and management of this information is a challenge for medical device developers as well as the healthcare providers. These issues will be discussed later in this article, but first a couple of recent items of note related to potential channels of information release that provide additional perspective on the challenges.

Potential violations of medical privacy

At the end of August, a complaint was filed in California against Medtronic alleging that the company had illegally distributed its customers’ PHI and PII to Google and other third parties. The affected data was apparently collected by apps connected to Medtronic’s InPen insulin pens and MiniMed insulin pumps. The plaintiff alleges Medtronic may have shared patients’ sensitive information with Google and other companies for marketing and analytics purposes. If such data were shared as alleged by the lawsuit, the sharing may violate Medtronic’s own privacy policy, as well as the HIPAA regulations which require users’ consent before private information is shared with a third party. 

In a potentially related matter, in July the U.S. Department of Health and Human Services (HHS) as well as the Federal Trade Commission (FTC) sent a letter cautioning hospitals and telehealth providers about certain privacy and security risks. These risks were associated with third-party analytics software such as Meta/Facebook’s Pixel and Google Analytics. These tools are integrated into websites and mobile apps and can gather information about the users, including what may be identifiable information about the users, and potentially, the patients. While these tools may provide the hospitals with information that is useful to them, they may also provide that information to others, often without the patient’s knowledge.

Despite the warning, however, a recent analysis by security firm Lokker indicated that hospitals were still at risk. Tracking tools from Google, for example, were found in 17 of 22 hospitals that were facing potential legal action. In another 20 hospitals not included in the legal action, 80% of those hospitals used Google’s DoubleClick tracker while 60% used Google Analytics, with lower levels of additional tracking tools used as well.

These situations are not uncommon. While the Medtronic case alleges that the company may be deliberately sharing personal information, the hospitals are likely not intentionally violating privacy laws. However, many software applications, including websites, have a variety of third-party software, such as those of the previously mentioned companies. So, what does this mean for medical device companies developing products in an increasingly connected world?

Data privacy requirements for medical device companies

Most of us are familiar with the Health Insurance Portability and Accountability Act (HIPAA) as well as the HIPAA rules associated with the handling of the data. HIPAA applies to medical providers and governs how they protect PHI. 

Medical device companies must also adhere to HIPAA rules or risk substantial penalties. Medical devices that transmit, receive, or record health information must protect that patient information even if the healthcare practitioner is the only intended user of the information. If a company is developing a medical device under these conditions, it must ensure that these constraints are addressed.

However, in addition to the HIPAA rules, the FTC also weighs in on the topic of data use. The FTC Act prohibits companies from engaging in deceptive or unfair acts or practices affecting commerce. That means a company can’t deceive customers about what is happening with their health information. In addition, if there is a breach or a disclosure of consumers’ identifying health information without consent for companies that aren’t covered by HIPAA, the FTC’s Breach Identification Rule requires notification to the affected parties, the FTC, and in some cases, the media.

Setting aside the question of deliberate releases of information via trackers or a cybersecurity breach, how does a medical device company address the challenges posed by protection of the data generated by the device?

While cybersecurity is a critical part of every design and must be considered at every juncture, the focus of the rest of this discussion is on architectural considerations associated with the generation and use of PHI data. The information that is embodied in PHI, however, can be important to the diagnosis and treatment of patients, so it is often recorded for use.

Practical applications of the guidelines in design

To enable use of protected health information that has been collected yet not violate the HIPAA regulations, PHI can be de-identified by removing those elements that identify an individual and when there is a reasonable basis to believe that the information cannot be used to identify an individual. The standard for de-identification of protected health information is spelled out in Section 164.514(a) of the HIPAA Privacy Rule. The health provider may determine that the health information is not individually identifiable under two defined conditions: 1) that a person with appropriate knowledge of and experience with generally accepted principles and methods for rendering information not individually identifiable attests to it, or 2) that the eighteen specific identifiers mentioned earlier are removed for the individual, relatives, or employer.

Once the data is de-identified, it can now be used for medical research to develop new devices and treatments. It can also be shared with others to enable collaboration such as efforts to track the Covid pandemic without worrying about the HIPAA rules.

Large healthcare providers or insurers can use their large databases to enable smaller organizations to develop new treatments. The benefits and promise of data analytics, including artificial intelligence and machine learning techniques, need the availability of large amounts of accurate and curated data to train their systems. These applications all require the use of de-identified data.

However, there are circumstances that require the patient information, particularly those necessary for specific diagnostic or treatment methods where the test or data must be related to a specific patient. The rules do permit re-identification in those circumstances by allowing the healthcare practitioner to assign a code or other form of record identification if the method is not derived from information about the individual and can’t be translated in any fashion to identify the individual and the code is not used for any other purpose.

So, data can be de-identified and utilized as noted.  However, HIPAA regulations allow researchers to access and use PHI when necessary for research that uses, creates, or discloses PHI that enters the medical record or is used for healthcare services, such as treatment, payment, or operations. To use that information, however, a healthcare provider or business associated with healthcare must obtain an individual’s valid HIPAA authorization to use or disclose the individual’s PHI. The requirements for an authorization include the following:

The covered entity must give you permission through a HIPAA business associate agreement for any use or disclosure of PHI so it is not a simple process to obtain access to the information generated by a medical device, particularly when coupled with the PHI that may make it most relevant.

The increasing interconnectivity of our world has led to the more disclosures of personal information, whether intentional or not. Medical device companies, operating in this connected landscape, must navigate stringent data privacy requirements, including adherence to HIPAA rules and compliance with the FTC Act. The potential release of information via trackers or cybersecurity breaches poses significant challenges that must be addressed by the design and architecture considerations for the generation and use of PHI data if we are truly to realize the value associated with a connected infrastructure.