Getty Images/EyeEm

AHIP Shares Privacy, Cybersecurity Goals To Protect Consumer Data

Consumer data is becoming increasingly vulnerable as healthcare continues to innovate, but payers, providers, and policymakers can take steps to prevent vulnerabilities.

AHIP has shared its goals and priorities for upholding health IT security and privacy around consumer data in two press releases issued by the AHIP board of directors and the organization’s chief medical officers leadership team.

“Health insurance providers have long been committed to instituting privacy and cybersecurity practices to protect every individual’s personal health information – from employer-provided coverage to the individual market, from Medicare Advantage to Medicaid managed care,” Matt Eyles, president and chief executive officer of AHIP. 

“As new technologies emerge and the health care system continues to evolve, these priorities reaffirm AHIP and our members’ commitment to enhancing patients’ access to actionable health information while keeping their personal data secure.”

The board of directors laid out five fundamental principles to direct payers’ efforts around privacy and cybersecurity.

First, consumers should be able to access their own data. They should also be aware of how their data might be shared.

Second, all entities that interact with consumer data should be obligated to comply with the Health Insurance Portability and Accountability Act (HIPAA) requirements. AHIP added that such entities should also have to comply with any subsequent regulations that are related to or have similar goals as HIPPA.

Such regulations and protections are significant as the industry progresses toward interoperability.

Third, the payer organization addressed demographic data, such as race and ethnicity data. Such data should be used to decrease discrimination, not amplify it, AHIP stressed.

Fourth, any digital tools that leverage consumer data should incorporate privacy and security failsafes, and this guideline should be backed by federal regulation and standardization.

Fifth, it should be illegal to sell identifiable consumer healthcare data without consumer consent. While HIPAA protects consumers from such activity, some digital tools do not have to comply with HIPAA standards. These tools should fall under additional regulation to protect consumers’ privacy and security.

AHIP’s chief medical officers offered ten policies that the government should adopt to protect healthcare consumers' privacy and security.

First, HIPAA should encompass relevant entities that are not currently subject to its requirements. These entities should include companies that collect, use, disclose, or store consumer healthcare data. The requirements should enforce transparent consumer notices, the opportunity for consumers to review and agree to terms and conditions of data usage, and more.

Small businesses may require exceptions or accommodations to reduce entry barriers, AHIP added.

Second, the chief medical officers echoed the board of directors’ claim that consumers should have access to their data. This should be reinforced by regulatory action, the chief medical officers stated.

Policymakers should design regulations that create authorization pathways for consumers when an entity is interacting with sensitive data. In particular, they should consider requiring a way for consumers to delete data.

Third, digital care and telehealth solutions should be required to promote privacy and security in data exchange. AHIP asserted that privacy requirements might need to be updated to accommodate and address technological innovations.

Fourth, the government’s actions to protect consumers’ healthcare data should still allow public health authorities to conduct safe data-sharing and automate their solutions. 

Fifth, the chief medical officers supported the board of directors’ call for the government to outlaw the selling of healthcare data without consumer consent.

Sixth, with support from the states, the federal government should institute a national strategy for healthcare data privacy and security. In particular, AHIP supported the concept of a national patient identifier.

Seventh, if the government plans to implement a new policy or control on healthcare data, the chief medical officers called for a review of current policies and the associated costs.

Eighth, the payer organization emphasized payers’ commitment to protecting cybersecurity and healthcare data privacy and asked policymakers to integrate that fact into their policy decisions.

“Government policies should recognize that increased use and evolution of digital solutions, virtual health care, cloud storage, and information systems requires investment in cybersecurity to promote secure environments capable of supporting consumer needs and communication between entities,” AHIP reminded.

Ninth, the chief medical officers supported the board of directors’ position on the use of race, ethnicity, religion, gender identity, and other data. Such information should be used to bolster care, not to create further care disparities, their letter emphasized.

Finally, the Federal Trade Commission should release guidance related to healthcare data privacy and security concerns.

“By following the roadmap laid out by our industry’s leading experts, we believe that legislators and regulators can help give Americans the peace of mind they deserve,” Eyles said.

Next Steps

Dig Deeper on Medicare, Medicaid and CHIP