By: 

Beyond the exam room: How data privacy builds patient trust

02:19 PM
Share
HIPAA is inextricably linked to patient privacy, but building a trusted, long-term patient relationship goes beyond HIPAA compliance and requires a deeper commitment to keep patient PHI safe and private.

The provider-patient trust relationship is the cornerstone of any healthcare practice. But it doesn’t stop there.

Patients entrust their lives and their intensely personal information not only to their physician, but also to an entire healthcare ecosystem: insurance providers, healthcare organizations, hospitals, specialists, labs and other third parties largely undetected to the patient but integral to the patient care process.  

There is a growing awareness of just how important patient trust is and what can happen when it erodes.

“Trust matters in healthcare. It makes patients feel less vulnerable, clinicians feel more effective and reduces the imbalances of information by improving the flow of information,” according to a recent Journal of American Medical Association article. “Trust is so fundamental to the patient-physician relationship that it is easy to assume it exists. However, because of changes in healthcare and society at large, trust is increasingly understood to be at risk and in need of attention.”

Patients also have concerns about what happens beyond the exam room. A study by ECRI Institute shows that patients are concerned about “improper management of test results and diagnostic tools within EHRs.”

When you add this to the proliferation of high-profile data breaches, you have a potentially catastrophic deterioration of a central tenet of our healthcare system.

Data breaches chip away at patient trust

Statistics from the Department of Health and Human Services’ Office for Civil Rights released in December 2018 are cause for concern around the state of data privacy. The department received notifications of 351 data breaches of 500 or more healthcare records, resulting in the exposure of more than 13 million healthcare records.

And according to the 2018 Verizon Data Breach Report, 24% of all data breach victims are healthcare organizations. It’s clear that PHI is vulnerable, whether it’s at rest or in motion.

It’s also important to recognize, however, that not all breaches are the result of nefarious bad actors. In fact, it’s estimated that 35% of all healthcare breaches are accidental, caused by the mishandling of data.

Beyond HIPAA “box-checking”

HIPAA is inextricably linked to patient privacy, but building a trusted, long-term patient relationship goes beyond HIPAA compliance and requires a deeper commitment to keep patient PHI safe and private.

The more information that’s being shared, the higher the risk. A data breach can violate trust, put patient safety at risk, and irreparably damage the provider-patient relationship.

When healthcare respondents of a Forrester report of more than 200 IT security leaders were asked what concerned them most about a data privacy failure, “Damage to patient trust” was the number one response, outranking regulatory fines and damage to the healthcare organization’s reputation.

When a primary provider shares patient PHI with another provider, and that secondary provider later fails to adequately protect PHI, HIPAA liability technically falls on the secondary provider. But that doesn’t change the fact that it was the primary provider’s patient whose privacy was violated.

Even though the primary provider isn’t likely to face HIPAA noncompliance fines, the circumstances can irreparably damage the delicate relationship between the patient and the primary caregiver. This reinforces the notion that healthcare organizations need to treat patient privacy as a corporate social responsibility. In other words, they need to go above and beyond the bare minimum HIPAA safeguards.

Sharing information, saving lives

An enormous amount of data is exchanged in the process of delivering care, even within a single organization. That is only amplified when sharing data between different organizations with disparate networks and systems, which may not be compatible with one another.

Providers must be able to move data quickly and easily to support their primary mission while protecting privacy and meeting HIPAA standards.

Additionally, healthcare organizations are shifting their strategies to make more investments in patient retention. In the past, practices were more focused on acquiring new patients, but today, they realize that it’s far more efficient to make sure current patients remain.

Bolstering patient trust is a key component of that strategy. Investing in technology tools is another.

A recent Medical Group Management Association study revealed that 90 percent of practices have implemented some type of online patient portal.

But these portals can be difficult for the end user to navigate, and by their very nature, present significant security risk. In their attempts to leverage technology to build loyalty with their patients, organizations may be putting these relationships on shaky ground.

To enable safe and secure data sharing without losing control or placing a burden on users, healthcare organizations should embrace a data-centric security approach.

Data-centric security encompasses data control, or the ability to apply persistent security policies, regardless of location, device type or hosting model; and intelligence, which refers to the real-time visibility of contextual information that enables threat monitoring and incident response workflows.

This approach wraps PHI in an extra layer of security that protects it at the file level, ensuring that only sanctioned users will be able to access it, regardless of how it’s shared.

To retain patients and maintain the vital trust relationship, technology that protects data must be seamless, easy to deploy and use, and not negatively affect productivity. It must also not interfere with the provider’s relationship with patients.

Protecting PHI, regardless of how it is shared, will improve the patient-provider relationship and maintain a positive image for organizations to keep patients coming back and building that trust.

Interested in more? Learn how Virtru data protection helps privileged sharing.

Story by Rob McDonald, VP of Product Management, Virtru.