August 10, 2022


Insight into the United States Healthcare Information Privacy, Protection, and Security Landscape:

IBM’s newly released “Cost of a Data Breach” report for 2022 reveals a harrowing statistic: that in the United States, total healthcare data breach costs have hit a new record high, jumping from $9.23 million in 2021 to $10.10 million in 2022.

Healthcare is classified as a “critical infrastructure industry” by the US Cybersecurity and Infrastructure Security Agency (CISA), alongside financial services, industrial, technology, energy, transportation, communication, education, and public sector. In addition to its 9.4% increase in data breach costs year over year, healthcare also claims the top spot among critical infrastructure industries for the average cost of a data breach - for the twelfth year in a row.  

Now more than ever, it is crucial that healthcare leaders, providers, patients, and vendors appreciate the complex web of legislation that governs the privacy of healthcare information, commonly referred to as protected health information (PHI) or, in electronic form, electronic protected health information (ePHI). Of all data breaches that have affected critical infrastructure industries to date, a combined 28% stem from ransomware and destructive attacks; the more organizations take meaningful steps to protect themselves from these attacks, the better.

Thrive Health’s digital platform provides safeguards to protect health data across North America, with our secure, innovative technology. Within the US, there are varying rules and regulations governing healthcare and protected health information, but there are some essential laws that every stakeholder in this industry needs to know. The most important is the Health Insurance Portability and Accountability Act (HIPAA), a federal healthcare law that covers the lawful use and disclosure of personal health information. Within HIPAA, there are three key rules:

  1. The HIPAA Privacy Rule, which protects the privacy of protected health information and sets limitations on how that information can be used.
  2. The HIPAA Security Rule, which specifically focuses on ePHI and its administrative, physical and technical safeguards.
  3. The HIPAA Breach Notification Rule, which outlines the requirements for reporting breaches of ePHI as well as physical copies of PHI.

While HIPAA applies across the whole of the United States, each individual state has its own regulations and definitions around protected health information and what constitutes a data breach. For example, Colorado’s definition of a breach is summarized as the “unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity”; several other states, including Arkansas, Florida, and Georgia, use similarly straightforward definitions. Select states, most notably California, break their definitions down into further categories: for every regulation concerning PHI, ePHI, breaches, risk analyses, notifications, and enforcement actions, Californian law includes “Medical Information-Specific Statutes” that stipulate subtle differences and enhancements in the action that must be taken to protect health information, separate from other personal information.

Due to these statutes, California holds multiple state laws around PHI and ePHI that are more restrictive than federal law. For example, the California Confidentiality of Medical Information Act (CMIA) protects the confidentiality of PHI obtained by health care providers, health insurers, and their contractors, and further specifies how that information may be disclosed by each party, as well as the civil penalties for unauthorized disclosure, access, and use. Californian law also covers patients’ rights to access and amend their data: the Patient Access to Health Records Act (PAHRA) gives patients the right to see, copy, and submit amendments to their health records if they note any inaccuracies. Additional laws cover a wide variety of subtopics, including patient rights to access lab records, third-party access to mental health information, and the collection of medical information for marketing purposes.

All of the above is to say that there is a vast, complex web of legislation governing how health information is managed, accessed, and distributed. What’s crucial, then, is that all individuals involved in the care process are equipped with tools and systems that responsibly manage PHI and ePHI. Thrive Health’s digital platform provides administrative, physical and technical safeguards to protect this information, with an accessible interface that empowers patients, providers, and families to both understand and interpret health data effectively. Here are a few examples of how we offer this:

- We enable 24/7 security monitoring and incident response to track both internal and external threats concerning health data and information.

- We enable intuitive digital experiences that enhance the dynamics of the care process, guiding patients through resources and workflows tailored to their unique care circumstances.

- We have completed company-wide audits for SOC 2 and for ISO 27001:2013, ISO 27017:2015, and ISO 27018:2019.

- We unify data sources for a secure, streamlined user experience, enabling smarter reporting for care providers.

- We embed security and privacy by design practices into all development and operational activities.

Governments, health authorities, and enterprise organizations across North America use the Thrive Health platform to keep their communities and their health data safe. To learn more about how Thrive technology can be used to enhance your organization’s data privacy and security, as you elevate patient engagement, contact us today.
