Health Care Privacy Landscape

Medical information is some of the most sensitive information about a person.

Unlike a credit card number or a phone number, the wrongful disclosure of a medical record cannot be remedied by getting a new number or a refund — an X-ray, a pregnancy test or a psychiatrist's note is forever attached to a human being, and it reveals a part of their deepest self. Doctors, hospitals, patients and governments are rightfully insistent that any new applications must be privacy-first.

Anyone building healthcare software should understand both the regulatory and the ethical obligation to protect privacy. Developers and entrepreneurs coming from other fields to innovate in healthcare have to be especially careful to unlearn industry practices and discard technologies that are not appropriate for handling health data. It is essential to go beyond merely meeting regulations, for two reasons. First, both government regulations and user expectations are becoming more stringent, so it is wise to build for tomorrow. And second, it is the right thing to do.

Complying with the privacy regulations of HIPAA is a difficult technical and organizational undertaking. This US federal regulation includes several different sections, including a Privacy Rule, a Security Rule and an Enforcement Rule, which govern how protected health information (PHI) can be collected, stored and shared. Considerable expertise is needed to understand the regulations and translate them into practical product and process requirements.

The privacy requirements do not stop at HIPAA, however. Depending on the circumstances, other regulations at the state and federal level may apply, and there are often contractual obligations derived from agreements with health systems or developers. For example, HITRUST is becoming a requirement in many situations.

Building on top of a compliance-oriented hosting platform greatly eases this burden, but does not absolve developers from responsibility. Ensuring that employees are trained in handling PHI, promoting a privacy-positive company culture and adopting privacy-by-design methodology are some of the important steps companies can take.

The Commure Developer Platform has two separate roles when it comes to privacy: to ensure that Commure's own policies and practices exceed requirements whenever possible, and to help developers build and deploy applications that do the same. Protecting privacy is both a legal and an ethical obligation, and is an essential component of responsible innovation in healthcare.