Data privacy and security will always be top of mind for health plans in an environment where access to data is crucial to growth. Here are some safeguards for payers.
How do payers balance their need for broader access to data with their need to improve trust with members and providers? Data privacy is a careful balance that leaves healthcare payers as the keyholders in an ecosystem that requires data be protected but also shared. Luckily, advancements in integrative technologies promise to make data more accessible to payers, providers and — most importantly — consumers. But just because a technology can offer an API doesn’t mean it will, and health plans will have to proactively face perception problems when it comes to data privacy.
In this article, we’ll look at API capabilities and how they promise to make data sharing easier and more secure. We will also look at why health plans may get pushback on data sharing initiatives, both from technology vendors who are hesitant to “plug and play” and from stakeholders who may have (well-founded) trust issues when it comes to PHI.
API and Your Digital Strategy
Transformation in the healthcare industry is reliant on the ability to seamlessly share data between vested entities. The ability to quickly and easily utilize data has been a huge issue, however, in an environment that relies on legacy systems and manual processes. And as payment models move more to value-based care, patients are more responsible than ever for their PHI, and they expect payers as well as providers to readily provide them with information. This is where APIs hold the most promise, allowing technology to make discrete data exchanges in a secure manner.
Regulatory agencies have welcomed the promise of APIs with open arms, and last year’s proposed Information Blocking and Interoperability Rules showed health plans just how serious the government was about making rapid change. Health plans want this, too; in fact, it’s hard to imagine any stakeholders along the healthcare continuum that wouldn’t appreciate the ability to access secure, specific data.
“Health plans require discrete data exchanges, ‘calls’ that respond back with the minimum data needed for the task at hand. API integration makes streamlined data access possible, a more elegant solution than outdated, clunky HL7 2.0 interfaces. When a user requests data, API allows that data to be delivered in real time (as opposed to batch FTP). With quick, secure access to information, health plans are able to break down silos and seamlessly interface between departments, suppliers and providers.”
An API is a communication protocol that delivers information securely, either bi-directionally or one way, by answering calls with only the required information (and nothing else). Many healthcare technology vendors (and non-industry technology providers) will allow API access for open integration to promote greater data sharing and opportunities for achieving greater user value. Consumers may be utilizing APIs without even knowing it, at work or on their personal electronic devices.
Data Sharing Detractors
Unfortunately, personal health data is particularly valuable to hackers — and historically, healthcare organizations have not proved particularly trustworthy with it. In fact, according to a recent study conducted on behalf of AHIP, “a majority (62%) of patients and consumers said they would be willing to forego easy access to their health data if it meant greater privacy protections were in place to protect their health information.”
Health organizations are concerned, too, about how healthcare data may be used. In particular, when it comes to PHI that is collected on personal devices (like wearables), stakeholders have expressed fears that this PHI may be utilized by third parties without the consumer even knowing their information is being shared. These specific concerns were brought up in some of the criticism that circulated during the review period for the proposed Information Blocking Rule.
“Too often, health privacy violators don’t know where all of their electronic protected health information (ePHI) is, how the data flows through the environment and the risks of each step.”
Concerns about data privacy and security may be holding payers and other healthcare stakeholders back from adopting modern digital strategies. Does HIPAA, even though designed to be flexible, go far enough in protecting sensitive healthcare data generated by new consumer devices and apps? Experts have called on Congress for stronger oversight of healthcare data issues that they believe fall outside of HIPAA protection, issues that stem from the fact that currently third-party apps are not required to comply with data blocking policies.
Moving Digital Strategies Forward
Data security and privacy remain a prevalent concern of payers when they consider adopting digital strategies. A recent survey indicates that 94% of health plan executives have concerns. On the other hand, current methods for accessing and exchanging PHI — mail, fax, storage on local devices/dongles — are inherently vulnerable and add to the administrative burden. Modern technology, in fact, may give you even more control because it allows you to be more granular with granting access to PHI, and that access leaves digital fingerprints.
Understand that your security posture doesn’t weaken when you make the necessary transition to digital-first; rather, its focus shifts. To successfully embark on your health plan’s digital transformation, we offer two recommendations:
- Greater data sharing is a big mindset change. Practice radical transparency in your communications to overcome this barrier, along with emphasizing the greater good achieved by freeing information from its silos. Members, for instance, are far more likely to be on board if they understand what data is being collected, why it is being collected and what benefits to expect (e.g., more relevant communications specific to their needs).
- Rely on your technology partners to share the data privacy and security burden. They should be the ones managing end-to-end encryption of data exchanged through APIs, as an example. Make sure you deeply question their security posture to put your mind at ease.
You’re Secure with Pareo
Ensuring the security and confidentiality of our customers’ and their members’ data is the number one priority at ClarisHealth. The ClarisHealth security program encompasses and represents the security, privacy and compliance controls that are in place to protect our customers’ most sensitive data.
ClarisHealth maintains an active security program that involves physical, network, data access and application security controls. Policies and procedures have been developed and implemented to ensure appropriate controls are in place and actively monitored. ClarisHealth is HITRUST CSF and SOC 2 Type 2 Certified, certifications that demonstrate that the organization’s payment integrity solution, Pareo, has met key regulatory and industry-defined requirements and is appropriately managing risk.
Talk to ClarisHealth about how Pareo® advanced payment integrity technology is helping health plans deliver on their most advanced digital strategies.