Privacy Matters | Largest healthcare data breaches linked to third-party vendors, Surveys reflect Americans' attitudes towards data sharing, & more

Privacy Matters

Privacy Hub's fortnightly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary

To subscribe to our newsletter, click here.
 
Thank you for reading Privacy Matters.
We wish you a happy and healthy New Year!

The last few weeks in a flash: 

• The largest healthcare data breaches of the year are tied to third-party vendors
• Surveys reflect Americans' current attitudes towards sharing sensitive information
• Government agencies and policymakers move to address the public's questions and concerns about privacy 

Leading Stories

HHS reports third-party vendor incident compromised health data of 254K
SC Media (December 15, 2022)
"The Department of Health and Human Services Centers for Medicare and Medicaid Services is currently notifying 254,000 out of its 64 million Medicare beneficiaries that their data was compromised after a ransomware attack on one of its third-party vendors. The investigation is ongoing, but the initial information suggests that Healthcare Management Solutions, a subcontractor of ASRC Federal Data Solutions, 'acted in violation of its obligations to CMS.' The notice does not provide further details into what those actions may have been." Keep reading

• This is the latest example of a healthcare data breach linked to third-party vendors, the kind that Becker's Hospital Review reports is tied to the largest incidents of 2022.  
  
  

Survey shows consumers are excited, but concerned, about connected healthcare technologies, and want policymakers to take action to keep health data protected
PR Newswire (December 13, 2022)
"Trusted Future today published a comprehensive national survey of 2,414 Americans to better understand how consumers are using connected health technologies to improve health, the barriers they feel must be overcome, and the potential steps policymakers can take to further improve outcomes from digital health technology. The survey found that Americans are adopting a broad range of connected health technologies to improve their daily lives, and believe emerging technologies hold great promise for helping people improve health outcomes, live healthier lifestyles, improve preventative care, and gain access to remote care anytime, anywhere. But to enable these health gains -- and help Americans live longer and healthier lives -- consumers need to be able to trust that their technologies will be effective at protecting their most sensitive health data." Keep reading 

• Trusted Future is a non-profit organization that brings together experts with the goal of advancing new research, highlighting best practices, policies and recommendations, and exploring new ways to foster and enhance the basic trust needed to support and sustain a healthier digital ecosystem.
  
  

‘Apples to apples’: How new health data rules could hold providers accountable
STAT News (December 23, 2022) 
"Last year, medical records opened up to patients. This year, they’re opening up to the nation. Before the ball drops on New Year's Eve, electronic health care record vendors will have to provide tools to easily pull big batches of patient data from their systems. Just as information blocking rules gave individual patients the ability to access their medical records, this next round of federal rules gives a framework for sharing insights—within a health system, or with trusted partners—about groups of patients that reflect different populations. . . Access to population-level patient data is critical for public health monitoring, health system quality measurements, and research and development. Providers and other users have been able to extract that information with proprietary APIs — but with so many different systems and formats, it can be a serious slog to share and analyze data between institutions. But starting in 2023, thanks to the 21st Century Cures Act, all certified EHRs will have to provide API technology that taps into a minimum dataset in the standardized FHIR format." Keep reading 

• The 21st Century Cures Act is a United States law enacted by the 114th United States Congress and signed into law on December 13, 2016, with the key function of ensuring that health information and healthcare data is not only accessible to patients but also easily and securely shared.
  
• The Office of the National Coordinator for Health Information Technology (ONC), a staff division of the Office of the Secretary within the U.S. Department of Health and Human Services, monitors industry progress towards certification to the 2015 Edition Cures Update (Cures Update), which introduces new standards and functionalities to benefit the U.S. health care system in a variety of ways. 
• Under ONC’s final rules, health IT developers of certified health IT (certified health IT developers) whose products are certified to the applicable criteria are required to provide these new functionalities to their customers by December 31, 2022.
  
  

Senators want agencies to encrypt data before sharing with new NSF database
CyberScoop (December 20, 2022)
"Sens. Ron Wyden, D-Ore., and Rob Portman, R-Ohio, are urging the National Science Foundation to require encryption to protect sensitive data shared via a powerful new platform being stood up by the U.S. government for cross-agency collaboration. The pair argue in a letter sent Tuesday to NSF Director Sethuraman Panchanathan that encryption is the best technology to ensure that data shared through the new National Secure Data Service stays out of reach of foreign adversaries and malicious hackers. Wyden and Portman want the encryption protections applied to any data that could be used to infer the identity of an individual." Keep reading 

• Data Encryption is a method of preserving data confidentiality by transforming it into ciphertext, which can only be decoded using a unique decryption key produced at the time of the encryption or prior to it.
  
  

Hands off our data, Americans say
Politico (December 13, 2022) 
"The Covid-19 pandemic has not shaken Americans’ longstanding preference for keeping their health records private. A new Harris poll on behalf of consulting firm ZS found that most Americans wouldn’t share their personal health data, even anonymously — and even if it would help avert another public health emergency. The polling underscores the hurdles facing digital health companies whose success depends partly on Americans’ willingness to share data and the challenges facing public health authorities trying to forecast outbreaks and improve care through data analysis." Keep reading 

• The Harris Poll is a global consulting and market research firm. 

Experts Expound

In our first edition of the New Year, Dr. Patrick Baier, HIPAA Privacy Expert at Privacy Hub by Datavant, will continue his previous comment regarding current attitudes towards privacy and the most significant compliance blind spots amongst entities that use health data.

Government Watcher

Administrative Simplification: Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard

• Background: On December 21, 2022, the Health and Human Services Department's Office of Secretary published this proposed rule, which would implement requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act of 2010, enacted on March 30, 2010—collectively, the Affordable Care Act. Specifically, this proposed rule would adopt standards for “health care attachments” transactions, which would support both health care claims and prior authorization transactions, and a standard for electronic signatures to be used in conjunction with health care attachments transactions. 
• Latest Developments: 
  New HIPAA rule from CMS would streamline transactions with attachments, e-signatures
  Healthcare IT News (December 19, 2022)
  "The proposal provides a 'valuable tool to support the electronic submission of healthcare information,' said CMS Administrator Chiquita Brooks-LaSure. It would reduce provider burden and could save more than $450 million a year." Keep reading
  
  

Disclosure Avoidance Protections for the American Community Survey

• Background: On December 14, 2022, in response to numerous data users' questions about the status of the Census Bureau's plans to strengthen confidentiality safeguards for their data products, including the American Community Survey (ACS), the Census Bureau published an update. Their current assessment is that "the science does not yet exist to comprehensively implement a formally private solution for the ACS. [They] expect a multiyear development period, including data user review and feedback, that will extend beyond 2025."
• Latest Developments:
  Census Bureau tables controversial privacy tool for survey
  Independent (December 14, 2022)
  "The U.S. Census Bureau is putting on hold plans to apply by 2025 a controversial method for protecting the privacy of participants in its most comprehensive survey of Americans after facing pushback from prominent researchers and demographers." Keep reading 
  
  
  

Food for Thought

A look back at privacy and data protection in 2022
IAPP (December 20, 2022)
 Article by the IAPP Editorial Team 
"Data privacy made more news than ever in 2022. The usual peaks and valleys the IAPP Editorial Team observed in years prior were replaced by an unprecedentedly busy news cycle that never seemed to let up, which begs the question: What developments were most noteworthy for the privacy profession?" Keep reading 

• The International Association of Privacy Professionals (IAPP) is a nonprofit, non-advocacy membership association founded in 2000. It provides a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals, provide education and guidance on career opportunities in the field of information privacy.
  
  

Healthcare data fragmentation derails the consumer experience
Insider Intelligence (December 13, 2022) 
 "More than 2,500 US consumers were surveyed on their interest in using a digital platform to manage their healthcare services and benefits, [and it was concluded that] consumers would be less frustrated with the healthcare system if they had access to a one-stop-shop platform for all of their health-related needs, according to a new survey from PYMNTS and Lynx." Keep reading 

• PYMNTS is a website that features latest information related to e-commerce and online payment methods, and Lynx is a software technology company.
• In Healthcare in The Digital Age: Consumers See Unified Platforms as Key to Better Health, a PYMNTS and Lynx collaboration, they conducted a census-balanced survey of 2,515 U.S. consumers from Sept. 7 to Sept. 13 to learn about their interest in using digital platforms to manage their medical treatment, benefits and healthcare finances. 

Best of the Rest

ANNOUNCEMENT: 
Syntegra and Datavant Partner to Enable the Exchange of Synthetic Data Across the Healthcare System
Datavant (December 15, 2022)
"Syntegra, the leader in generating synthetic healthcare data, and Datavant, the leader in helping organizations securely connect health data, today announced a partnership integrating Syntegra’s synthetic data capabilities into the Datavant Switchboard, a neutral, trusted and ubiquitous infrastructure for the exchange of privacy-preserved health data. This partnership will enable members of the Datavant ecosystem to seamlessly and compliantly generate and exchange privacy-preserved synthetic healthcare data." Keep reading 

• Syntegra was founded in 2019 with the mission of dramatically accelerating research and innovation through increased access to patient-level data at scale to improve care and outcomes for patients.
  
  

REPORT: 
FPF Releases "The Playbook: Data Sharing for Research" Report and Infographic
Future of Privacy Forum (December 20, 2022)
"Today, the Future of Privacy Forum (FPF) published 'The Playbook: Data Sharing for Research,' a report on best practices for instituting research data-sharing programs between corporations and research institutions. FPF also developed a summary of recommendations from the full report." Keep reading 

• The Future of Privacy Forum is a Washington, DC-based think tank and advocacy group focused on issues of data privacy.