
In the current environment, phrases like “data security” and “privacy” come up in conversation, both electronic and interpersonal, at least as often as the names of sports fans’ favorite players or tv fans’ favorite episodes of “The Pitt.” These issues were hot topics before the advent of strict regulations like the European Union’s GDPR and EU AI Act, and they remain so under the data protection laws already on the books. Managing and controlling privacy and cyber security has become increasingly critical, and increasingly costly, in the context of recordkeeping. Healthcare information draws particular attention: the laws and regulations governing private information about medical diagnoses, treatments, medications, insurance coverage and anything else related to an individual’s health treat that information as sacrosanct, and records involving mental health and substance abuse most of all.
''...one of the most pressing compliance challenges organizations face...''
Protecting personal data in the healthcare, government and financial sectors has become one of the most pressing compliance challenges organizations face. It requires not only adherence to a complex network of frequently changing laws, licensing requirements and governance standards, but also the careful selection of technologies and vendors capable of enforcing best practices, because without them even well-intentioned compliance efforts can fail.
''...(requires) the careful selection of technologies and vendors capable of enforcing best practices...''
Laws and regulations, and the actual practices built on them, continue to evolve, both in what compliance obligations require and in what simply qualifies as good practice.
In most contexts, some types of sensitive information qualify for special attention from a data security point of view. For example, under U.S. federal rules such as HIPAA, information on some patient diagnoses, particularly those related to mental health and addiction, can be subject to additional levels of confidentiality, privacy and security, and to additional scrutiny to ensure compliance. Although obvious, it is also worth noting that such topics can be political “hot potatoes,” which makes the security requirements for that information a moving target as political winds change. The bottom line is that what must be protected and secured is subject to change with ideology. While the type of information to be protected may change, the need to secure that information does not.
Compliance comes in as many varieties as a favorite brew pub has taps. Information regarding a person’s medical status, history and current conditions, providers and insurers, among other things, is subject to various levels of scrutiny. As mentioned above, certain conditions, including those related to reproductive health and to mental health issues such as substance abuse, may be subject to additional regulation and privacy concerns. In any case, the use, storage and auditability of any electronic documentation of medical or personal information carries an absolute legal obligation for those relying on the technology: not only to know the current regulatory requirements, but to stay on top of them so that when rules change, the provider is nimble enough to accommodate those changes. One important caveat: simply because a provider indicates that its “solution” is capable of compliance does not necessarily mean that the system is being operated in a compliant way. Consider this parallel: your car may be equipped with a working radio, but that does not mean the radio is turned on. The same applies here, so it is important to understand not only the system’s capabilities but how it is actually deployed and configured.
''...simply because a provider indicates that its “solution” is capable of compliance, does not necessarily mean that the system is being operated in a compliant way.''
To put this in perspective, consider cloud-based fax products (not any one brand, but the technology itself). They allow entities that view and store medical records to improve their practices in order to comply with federal and state/provincial laws. As with most things, though, the devil can be in the details, both practically and contractually. Knowing where the vulnerabilities exist, even in a system that is compliant TODAY, is only the first step in managing the risk of using and storing such information in the first place.
But it’s not the only step. The technologies underlying such systems must be vetted and tested repeatedly and consistently to minimize exposure to unauthorized access and other vulnerabilities. Testing should be both scheduled and unannounced, and the resulting fixes and upgrades must actually be deployed, operated and kept current. Funding for such work must also become routine, because systems are becoming both increasingly sophisticated and increasingly vulnerable. Federal laws and regulations have been designed to address some of these issues, as have state and provincial rules.
''...funding for such work must also become routine as systems become both increasingly sophisticated and increasingly vulnerable.''
The most pressing issue with regulating technology and managing compliance is that technologies evolve far more quickly than the laws designed to regulate them. Then there’s the contract with the providing vendor(s). Where does liability fall when systems are breached? What about when there are multiple players in the space, that is, different vendors owning different parts of the overall system? How negotiable are these agreements? And, as entities become increasingly reliant on AI tools (for better or worse), who is responsible when access to restricted data is breached, revealing information that is, by law, required to be secure?
''...technologies evolve far more quickly than the laws designed to regulate them.''
Evolving technologies have brought great efficiencies and capabilities to most sectors of the economy. But with respect to health care information in particular, the risks are significant, and great care is required to minimize exposure.
As technologies evolve and regulations struggle to keep pace, protecting sensitive information requires more than compliance alone—it demands constant vigilance, informed oversight, and a willingness to adapt systems, practices and contracts as risks change. Organizations that treat data security as an ongoing responsibility rather than a one-time obligation will be best positioned to safeguard the trust placed in them.
