Pamela S. Hrubey (pam.hrubey@crowe.com) is a principal in the Washington, DC, office, Candice M. Moschell (candice.moschell@crowe.com) is a senior manager in the Indianapolis, IN, office, and Shameka N. Smith (shameka.smith@crowehrc.com) is a principal in the St. Louis, MO, office of Crowe.
Anthony has been with his employer for 15 years, always covered by his employer’s insurance plan. Recently, Anthony was involved in a weekend accident that resulted in a brief hospitalization for a surgical procedure followed by physical therapy. Anthony spoke highly to friends and colleagues about the medical team that supported him through his accident. Once back at work full time, however, Anthony was bombarded by ads to both his work and personal email addresses that highlighted the hospital’s new heart-related CT scanning capabilities. Initially Anthony didn’t think much about the ads, but his annoyance grew, especially after he got the bill for his share of his hospitalization and surgical procedures. The ads made Anthony feel as though the hospital cared only about making money on the backs of working people, especially because he didn’t give his consent to receive marketing-related information from the hospital. He vented his frustration about the hospital to anyone who would listen, and he typically found a sympathetic ear whenever he brought up the topic of hospital services–related marketing and the rising out-of-pocket medical costs for working people. After learning from an internet search that his physician and physical therapist both worked for practices owned by the hospital organization sending the ads, he and his partner switched healthcare professionals.
Anthony is like the 29% of individuals who, according to a 2020 data privacy survey by Cisco,[1] have stopped buying products or services from a specific organization because of that organization’s data-related practices. While the US healthcare marketplace has grown accustomed to reliably safeguarding protected health information (PHI) under the HIPAA Privacy Rule, which became effective in April 2003,[2] many healthcare organizations have not contemplated the impact of changing consumer expectations, especially in the area of direct-to-consumer marketing.
Evolving perspectives
Patient care trends continue to evolve toward a focus on consumer needs and wants. We have entered a digital health era, in which patients’ perspectives as consumers are advancing. Patients as consumers are increasingly willing to assert their autonomy by choosing healthcare-related services based on available data such as patient ratings of physicians and posted prices of services. Data allows patients to choose the organizations and services that they believe best meet their expectations. In order to compete in this digital era, healthcare organizations have focused their marketing initiatives on becoming more visible to targeted consumers.
At the same time, patients increasingly understand that their data, both about them as individuals and about their health, is personal and private. In the near future, the use of personal data for marketing purposes might be affected as healthcare organizations will be required to comply with new state-specific privacy regulations being adopted across the United States.
More and more, consumers are being inundated with advertisements via email, text, and print for services they don’t need or did not inquire about, including services related to their health. For healthcare organizations, the positive intent behind the advertisements often is lost as patients question whether their healthcare provider and affiliated hospitals can keep personal information private. Consider this scenario: Susan is newly diagnosed with breast cancer, and she elects to not share the diagnosis with her children until she can describe her selected treatment plan. She starts receiving advertisements in the mail and on her mobile device about advanced breast cancer and the related treatment options. Unfortunately, one of Susan’s children sees the advertisements, imagines the worst, and becomes upset because of both the diagnosis and Susan’s withholding of it. Susan wonders why she started receiving ads that she does not recall requesting at such a sensitive time. She blames the healthcare organization that gave her the diagnosis, and she is extremely concerned about trusting the organization with her personal information going forward.
Emerging regulations
With the expansion of healthcare operations’ use of personally identifiable information and PHI, operations will be required to comply with new privacy protection regulations being adopted by many states. The California Consumer Privacy Act of 2018[3] is the first comprehensive state regulation focused on giving consumers more choices about how their personal data is used. It addresses the permitted and prohibited uses of personal information, individuals’ rights of access and control, and organizations’ obligations to respond to those limits and rights. In November 2020, California voters passed a ballot measure (Proposition 24), the California Privacy Rights Act (CPRA),[4] which strengthens the protections afforded to California residents regarding their personal information. As of January 1, 2023, the CPRA will require organizations to conduct an annual assessment of their privacy- and security-related programs. The CPRA, seen as a template by other states, will be overseen by a new state regulator with audit rights.
Healthcare organization leaders frequently believe they are exempt from consumer-focused privacy protection laws because they are nonprofit organizations. Or they might assume that appropriate controls are in place because the organization is compliant with HIPAA Privacy and Security rules. While there are varying levels of truth to these rationales, healthcare organizations should recognize that consumer expectations related to privacy are changing rapidly, requiring that privacy programs mature. Starting with a firm foundation in the HIPAA rules and then planning for transparency and flexibility can afford healthcare organizations the ability to maintain business operations and patient trust.
Organizations should consider patient expectations (e.g., expecting healthcare entities to follow emerging privacy laws regardless of exemptions or applicability) when reviewing emerging privacy laws. Areas of consideration include:
- Exceptions: The extent of any exception afforded by HIPAA varies with each privacy law. The scope of what is covered by a privacy law can be as wide as the entire covered entity or as narrow as the data categories outlined in HIPAA. It might be necessary to label data elements to clearly identify what is defined as patient data to support medical care versus everything else.
- Nonprofit exemptions: Many healthcare organizations are defined as 501(c) and thus claim the nonprofit exemptions from several privacy laws. However, some privacy laws in draft, or passed but not yet enacted, do not exclude nonprofit organizations. Examples include the Virginia Consumer Data Protection Act (HB 2307) and the Colorado Privacy Act (SB 190), both effective July 1, 2023. Healthcare organizations, regardless of designation, will be required to comply with the provisions of these regulations.
- Deidentification: Deidentification is another area in which exemptions are in play; however, the specifics and implications will vary based on the provisions of the relevant law. Many organizations fail to fully and accurately deidentify personal information to the extent that the data cannot be reidentified, subjecting the organization to the potential for noncompliance with HIPAA and emerging privacy regulations as well as to reputational damage, which affects patient trust.
Data use policies and procedures
As the healthcare landscape changes and technology and economic incentives drive care to outpatient settings, hospitals are experiencing significant new pressures. Healthcare organizations need to understand how they and their partners are using consumer information in order to ensure compliance with these new consumer-driven privacy and protection laws. While some of the fines and penalties for noncompliance with these regulations can be significant, the biggest impact to healthcare is the potential to erode patient trust in the healthcare organization. Consumers’ perspectives will drive how they choose their healthcare service providers, potentially affecting the financial viability of specific healthcare organizations. Individuals in compliance, privacy, information security, and marketing roles employed by healthcare systems of all sizes need to understand the regulations specific to their states and develop policies and procedures regarding information being collected from patients and employees. Questions to be answered include:
- What data are we collecting?
- How are we using patient data?
- Where is data stored?
- What processes do we have in place to monitor access to and use of this data?
- With whom do we share this data, how is the shared data used, and how is the shared data protected?
- Do policies and procedures address the use of data for nonhealth-related purposes?
- Are relevant employees educated about restrictions or requirements regarding the use of data outside of HIPAA?
- What consent-related limitations are placed on the use of patient data?
- What is the process for staying abreast of new consumer-driven state regulations?
Depending on the answers to these questions, many healthcare organizations will need to adjust policies and procedures to address the requirements of new privacy regulations, especially for how data is used outside of patient care. Additional changes in the regulatory landscape are anticipated, as comprehensive legislation has been proposed in more than 20 states.[5]
Understanding the data
Healthcare organizations are familiar with PHI and the associated regulatory obligations. However, many new consumer-driven privacy regulations describe governance requirements for a new personally identifiable information classification, sensitive personal information. Personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[6] This definition goes beyond data that is obviously associated with traditional PHI. The definition of sensitive data is broad, including government identifiers, financial account information, log-in information, precise geolocation, contents of certain types of messages, genetic data, race, ethnicity, religious or philosophical beliefs, data concerning sex life or sexual orientation, and union memberships. How healthcare organizations use and share this sensitive personal information is regulated, and using the information requires consumer authorization, making it imperative for healthcare organizations to understand their data landscape and how the data is being used.
Knowing what data an organization has and where that data is stored can help the organization identify gaps in compliance with new privacy provisions. Unless an organization has a mature data governance program and fully understands the data flow, classification, long- and short-term storage, and third parties involved in the data life cycle, a data discovery assessment is recommended. While the discovery process might seem tedious, the derived knowledge regarding the following four areas will support compliance efforts going forward:
- Data channels. Data is created or absorbed into the organization in multiple ways outside of the patient intake process. Some of those channels include patient surveys, biomedical (wearable) devices, third parties and health exchange networks, transactional data, and associated donor and philanthropic foundation data. Data flow diagrams and other visuals can help organizations understand those channels.
- Data classification. Each element within a data set should be labeled appropriately so that organizations can easily identify and subsequently protect personally identifiable information; electronic PHI; and transactional, internally sensitive, and other categories of data. Annually reevaluating data classification and associated standards can support compliance with evolving privacy laws and consumer expectations.
- Storage and retention. While many organizations have a documented data retention policy, in practice, many do not delete anything. Lack of implemented standards for storage and retention introduces significant risk into the organization. Storing data beyond its useful life can expand the scope of a breach if one were to occur and might violate privacy regulations.
- Third parties. A robust third-party risk management program is integral to a privacy program, and it increases in importance with new and changing privacy laws. Organizations should provide notice to patients regarding with whom and for what reason their data might be shared. In addition, they should note when the definition of selling personal information includes sharing such information.
Developing a trustworthy approach to data use
Beyond the requirements associated with data creation channels; data classification, storage, and retention; and the implications of working with third parties, organizations are well advised to consider the governance-related implications associated with privacy and data protection. Data governance—how the availability, usability, accuracy, security, and appropriateness of data are managed—becomes especially important in the digital healthcare era in which patients as consumers have multiple choices available to meet their health-related needs—and healthcare organization trustworthiness is paramount.
On a strategic level, consideration of data governance can help organizations establish a foundation that supports compliance today—and into the distant future—with existing, proposed, and not-yet-conceptualized privacy and data protection–related requirements. Healthcare organizations equipped with well-trained, seasoned legal resources partnering with compliance and privacy officers can and should carve out a path that ensures compliance with current and emerging regulations and supports business development. Increasingly, however, healthcare organizations need to answer the question, “How do we best demonstrate that all of our business practices are trustworthy?”
Regardless of the specific approach taken, because of the effective dates of new regulations, healthcare organizations have a limited amount of time to establish their strategy regarding the use of nonhealth-related patient data for marketing purposes. Yes, competition is fierce, and healthcare entities must find a way to win in the market. But because competition is fierce, organizations have no choice but to establish a position that considers the patient’s perspective and is reliable, trustworthy, and consumer-centered.
Remember Anthony, the patient who became disillusioned with his healthcare team and the affiliated hospital after receiving multiple ads about new testing capabilities? Anthony and his partner chose to change healthcare providers even though it is likely that the marketing Anthony received was not related to his accident and subsequent treatment. The reality is that many people like Anthony have multiple options in their community for getting their healthcare needs met. Such individuals are increasingly concerned about how their personal information is used for marketing-related activities. Keeping the best interests of patients and their privacy in mind enables organizations to make smart decisions about using such data for marketing purposes. Being transparent about where consumers’ personal information comes from and how the healthcare organization uses it is a minimum expectation.
Providing clear communications and demonstrating transparency are potential opportunities for differentiation in a competitive market for the healthcare organizations that choose to meet rather than avoid the challenges of privacy regulations. Anthony and his partner, after selecting new healthcare providers, were delighted to receive an explanation of how their new providers handle healthcare-related marketing. In addition to the standard HIPAA Notice of Privacy Practices (often not actually reviewed or understood by patients), Anthony’s new healthcare organization provided him with information about how it obtains personal information it uses for marketing purposes—and how patients can opt out of receiving marketing materials. Anthony also received a welcome letter from the healthcare system’s chief privacy officer and information about how to contact the privacy officer and the compliance leader with any concerns or questions.
Beginning the compliance journey with cybersecurity
Even in the changing healthcare environment, organizations can take steps to start on the compliance journey. Most consumer privacy laws include information security requirements for healthcare organizations to implement controls and conduct assessments of consumer data security. However, unlike other frameworks with security implementation specifications, many new privacy laws do not dictate the design or expectations of security controls. Therefore, the responsibility of defining and assessing reasonable security procedures and practices will be left to each organization, and organizations should begin doing so as soon as possible.
Organizations can deduce cybersecurity expectations based on the requirements for payers, providers, and business associates to adhere to the HIPAA Security Rule. From a cybersecurity governance stance, organizations should align their programs around frameworks that support implementation of precise controls to mitigate risk. To that end, the U.S. Department of Health & Human Services has released a publication[7] that points to the adoption of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)[8] and addresses current top cybersecurity threats. Each organization will need to determine whether its business objectives align with the NIST CSF and whether those objectives are achievable given the organization’s size and complexity. But whatever security procedures and practices are used, a strong governance program based on a framework will likely fulfill privacy laws’ vague requirements for reasonable cybersecurity practices.
Using consumer data ethically
Consumer expectations about privacy are changing rapidly, and patients as consumers are paying attention to the evolving regulatory environment. As individual perspectives change, patients are increasingly willing to seek out new healthcare providers for privacy-related reasons. Additional pressures coming from new privacy regulations have increased concerns regarding the marketing of healthcare-related services. All organizations might expect to see an increase in audit activity (both internal and external) and in fines and penalties associated with noncompliance with privacy protection regulations. But fines and penalties can pale in comparison to the reputational damage that might come from a privacy-related compliance failure. Exemptions in some privacy regulations might cause healthcare organizations to decide to avoid compliance; however, this strategy has the potential to drive patients elsewhere in the long term.
Healthcare organizations can benefit from taking an ethical approach to the use of consumer data. The perception of how organizations are using patient data along with the ability of consumers to shop for care will affect healthcare organizations’ reputation, financial stability, and, ultimately, operational viability.
Takeaways
- Consumer expectations about privacy are rapidly changing, especially as new regulations are passed in various US states.
- Patients as consumers are applying changing expectations to their interactions with their healthcare providers, including individual physicians as well as hospitals, clinics, and laboratories.
- New regulations including the California Privacy Rights Act and new laws in Colorado and Virginia address secondary uses of personal data, such as marketing.
- While healthcare practitioners and hospital systems might find it possible to avoid complying with some new regulations based on regulatory exception or status as a nonprofit organization, changing patient expectations make avoidance a risky strategy.
- Healthcare-related organizations should consider how patients’ evolving expectations about the use of their protected health information can create opportunities for differentiation in a competitive market.