
HIPAA compliance in patient-generated health data (PGHD)

Healthcare providers can keep patient-generated health data (PGHD) within HIPAA by treating it as protected health information (PHI) from the moment they receive it and use it for care, not only once it is filed in the record. That means encrypting it at rest and in transit, authenticating everyone who touches it, telling patients how it will be used, and auditing the safeguards regularly. Providers should also vet the third-party apps and devices that produce or relay the data and sign business associate agreements (BAAs) with any vendor that handles it on the provider's behalf, so the data stays protected across its whole lifecycle.


Introduction to patient-generated health data (PGHD)

PGHD is health-related data collected, recorded, or observed by patients or their caregivers, often outside clinical settings. The data can include information from wearable devices (e.g., fitness trackers, heart monitors), mobile health apps, and patient-reported outcomes such as symptoms or treatment effects. PGHD can help tailor care to individual needs and improve overall patient outcomes. A Sage Journal article found that “Almost half of the patients or caregivers who collect the PGHD report that the practice changed their approach to maintaining their health.”


HIPAA’s application to PGHD

When PGHD is shared with and used by a healthcare provider for treatment, diagnosis, or healthcare operations, it becomes PHI under HIPAA. HHS describes PHI as all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. That subjects the data to the HIPAA Privacy and Security Rules, which protect sensitive patient information.

For instance, if a patient shares data from a blood glucose monitor with their healthcare provider and the provider uses this data to manage the patient's diabetes, that information is now PHI and must be protected according to HIPAA standards. On the other hand, data that remains solely with the patient, or with a consumer app the patient chose on their own, is not subject to HIPAA in those hands, though other rules may apply (for example, the FTC's Health Breach Notification Rule for health apps that fall outside HIPAA).

Related: Understanding and implementing HIPAA rules


Challenges in securing PGHD

  • Data breaches: PGHD arrives from many sources (wearables, mobile apps, vendor clouds, patient portals), and each hop is a place where it can be exposed. A weakness at any one of them can lead to a reportable breach and unauthorized access to sensitive patient information.
  • Encryption: Data that is stored or transmitted unencrypted is readable by anyone who obtains the file, the backup, or the network traffic. Robust encryption, with properly managed keys, is necessary to protect patient privacy and maintain compliance with HIPAA.
  • Authentication: Weak or shared credentials let unauthorized people read or alter health information. Require strong authentication (multi-factor where possible) so that only authorized individuals can access or use PGHD, and make authorization decisions before data is shown, not after.
  • Integration with EHRs: Integrating PGHD into electronic health records (EHRs) presents additional challenges. Third-party tools must interoperate with the existing healthcare IT infrastructure while data integrity and security are maintained at every step of the integration, including the interfaces and queues between systems.

Read more: Integrating patient generated health data into patient records


Best practices for HIPAA compliance in handling PGHD

  • Encryption: Encrypt PGHD both at rest and in transit so that intercepted or copied data is unreadable without the keys. Under the Security Rule encryption is an "addressable" specification, which means a provider that chooses not to encrypt must document why and what equivalent safeguard it uses; in practice, encrypt, and protect the keys at least as carefully as the data.
  • Regular security audits: Conduct regular security audits to find and fix vulnerabilities, and to confirm that the safeguards are still in place and still effective against current threats. Access logs are only useful if someone reviews them.
  • Patient consent: Clearly inform patients about how their PGHD will be used, shared, and protected. HIPAA permits use of PHI for treatment, payment, and operations without a separate authorization, but uses beyond that (such as marketing or most research) do require one, and being explicit with patients about both builds trust.
  • Vetting third-party apps and devices: Thoroughly vet third-party apps and devices before relying on them. HHS does not recognize any official "HIPAA certification," so treat a vendor's certified claim as a starting point and ask for evidence instead: independent security assessments, a description of their encryption and access controls, a breach-notification process, and a commitment to timely updates.
  • Monitoring and updating tools: Establish clear procedures for monitoring and updating third-party tools so that compliance is maintained over time, not just at procurement.
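As an added example (not code from the original article or from any product), the Go program below shows how a provider's ingest service might apply three of the practices above to a PGHD record at rest: AES-256-GCM encryption with the patient ID bound as associated data, an authorization check that runs before any decryption, and an audit entry for every access attempt, allowed or denied. The `Store` and `Reading` types, the staff and patient identifiers, and the glucose value are hypothetical and constructed for the demo; the key is generated in memory here, where a production system would fetch it from a KMS or HSM, and transport encryption (TLS between device, app, and provider) is outside this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Reading is one patient-generated observation as a glucose monitor or its
// companion app might submit it. All values used below are constructed sample data.
type Reading struct {
	PatientID string  `json:"patient_id"`
	Metric    string  `json:"metric"`
	Value     float64 `json:"value"`
	TakenAt   string  `json:"taken_at"`
}

// StoredRecord is what lands at rest: AES-GCM ciphertext plus its nonce. The
// patient ID stays in the clear only as an index and is bound to the ciphertext
// as associated data, so a record cannot be re-labelled to another patient.
type StoredRecord struct {
	PatientID  string
	Nonce      []byte
	Ciphertext []byte
}

// AuditEntry is one line of the access trail a later security audit reviews.
type AuditEntry struct {
	When      time.Time
	Actor     string
	Action    string
	PatientID string
	Allowed   bool
}

// Store is a hypothetical PGHD store. The data-encryption key lives in memory
// for this demo; production would obtain it from a KMS/HSM.
type Store struct {
	aead    cipher.AEAD
	records map[string][]StoredRecord
	audit   []AuditEntry
	roles   map[string]map[string]bool // actor -> patients they may treat
}

func NewStore(key []byte, roles map[string]map[string]bool) (*Store, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, records: map[string][]StoredRecord{}, roles: roles}, nil
}

// Ingest encrypts a reading at rest with a fresh random nonce per record.
func (s *Store) Ingest(r Reading) error {
	plain, err := json.Marshal(r)
	if err != nil {
		return err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := s.aead.Seal(nil, nonce, plain, []byte(r.PatientID))
	s.records[r.PatientID] = append(s.records[r.PatientID],
		StoredRecord{PatientID: r.PatientID, Nonce: nonce, Ciphertext: ct})
	return nil
}

// Read checks authorization before anything is decrypted and logs the attempt
// either way, so denied access is as visible to auditors as granted access.
func (s *Store) Read(actor, patientID string) ([]Reading, error) {
	allowed := s.roles[actor][patientID]
	s.audit = append(s.audit, AuditEntry{time.Now().UTC(), actor, "read", patientID, allowed})
	if !allowed {
		return nil, fmt.Errorf("%s is not authorized for patient %s", actor, patientID)
	}
	var out []Reading
	for _, rec := range s.records[patientID] {
		// Open fails if the ciphertext, the nonce, or the bound patient ID was altered.
		plain, err := s.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.PatientID))
		if err != nil {
			return nil, fmt.Errorf("record for %s failed authentication: %w", patientID, err)
		}
		var r Reading
		if err := json.Unmarshal(plain, &r); err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

// AuditLog returns the append-only access trail.
func (s *Store) AuditLog() []AuditEntry { return s.audit }

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	st, _ := NewStore(key, map[string]map[string]bool{"dr.lee": {"pt-1001": true}})
	_ = st.Ingest(Reading{"pt-1001", "glucose", 112, "2024-05-01T07:30:00Z"})
	if _, err := st.Read("billing-clerk", "pt-1001"); err != nil {
		fmt.Println("denied:", err)
	}
	rs, _ := st.Read("dr.lee", "pt-1001")
	fmt.Printf("%d reading(s) decrypted; %d audit entries\n", len(rs), len(st.AuditLog()))
}
```

Two design points carry over to real deployments: the authorization decision happens before `Open` is called, so an unauthorized caller never causes plaintext to exist in memory, and the audit entry is written regardless of outcome, which is what makes a later "who looked at this patient's data" review answerable.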

The role of business associate agreements (BAAs)

A BAA is required whenever a vendor creates, receives, maintains, or transmits PHI on the provider's behalf, and it makes the vendor directly accountable for safeguarding that data. When selecting vendors, weigh their security track record, their ability to meet HIPAA requirements, and their willingness to sign a BAA. Without a BAA, a provider that hands PHI to a vendor is itself out of compliance and faces significant penalties if the vendor suffers a breach or fails to protect the data adequately.

Read more: FAQs: Business associate agreements (BAAs)


FAQs

How can healthcare providers ensure that wearable devices used for PGHD are HIPAA compliant?

Providers should assess a device's security features directly rather than relying on a "HIPAA certified" label, since HHS recognizes no such certification: confirm that data is encrypted on the device and in transmission, that the vendor patches the firmware and companion app, that the vendor will sign a BAA if it handles the data on the provider's behalf, and that any independent security assessment the vendor cites is current.

Related: HIPAA compliance in wearable devices


Are there specific HIPAA rules for handling PGHD collected through mobile health apps?

HIPAA rules apply to PGHD from mobile health apps if the data is shared with or used by healthcare providers. That includes ensuring the app is secure, obtaining patient consent, and integrating data into HIPAA compliant systems.


How should healthcare providers handle PGHD when integrating it into EHRs?

Providers should ensure that PGHD is encrypted and securely integrated into EHRs, with access limited to authorized personnel, every access logged, and regular security audits conducted to safeguard the data.