The security-privacy balancing act

Health care providers will have to learn from other industries as they try to satisfy patients who want more access

Guest column by Dave Vreeland, a partner at Cumberland Consulting Group in Cool Springs

A digital revolution is underway in health care. Since the passage of the HITECH Act in 2009, the U.S. health care industry has dramatically expanded the use of technology, including the adoption of electronic medical record solutions. In addition, the Affordable Care Act introduced a shift in the way providers are paid from fee-for-service toward value-based payment models. These financial incentives have helped spur much of the digitization and automation occurring in the industry today and will likely drive further automation and the increased use of interactive tools.

With the implementation of new technology solutions in health care, the amount of patient data available in digital form is increasing quickly, and protecting patient information is more important than ever. Among the federal policies and regulations in place to help protect patient privacy are HIPAA’s Privacy and Security Rules, which provide guidelines to ensure appropriate protection of electronic health information, including access control, audit controls and transmission security. The importance of confidentiality and data security in health care cannot be overstated.

It’s been hard to miss the many headlines related to data security and privacy in the last year or so. It seems like every week we hear another horror story about a security breach in which hackers accessed the personal information of millions of customers. Over the 2013 holiday season, the Target credit card data breach affected a staggering 70 million customers. Security breaches like these, coupled with the NSA global surveillance disclosures leaked by Edward Snowden, can make us feel like we are living in Orwell’s Nineteen Eighty-Four.

Still, we continue to generate and share an unprecedented amount of digital information. At a tech conference in 2010, Google Executive Chairman Eric Schmidt said we now create as much information every two days — about five exabytes of data — as we did from the dawn of civilization up until 2003. Interestingly, the real driver of that volume today is user-generated data such as tweets and texts sent, posts liked, videos watched, websites created, apps downloaded, photos uploaded and Google searches performed.

So why do we keep creating and sharing content online when we are aware of the security and privacy risks? The reality of the modern age is that, unless we want to live an inconvenient daily existence, we accept the risk of sharing our personal information digitally on thousands of websites, social media channels and databases around the world.

But what does that mean for health information and medical records? Now that we are generating a high volume of electronic data like never before, what do we do with it and how do we protect it?

As the health care industry inevitably begins to figure out how to use this new influx of digital data to treat patients more effectively and efficiently, expect the industry to act more like a traditional business to meet customer expectations for convenient and interactive communication. Patients want to access information and communicate with their doctors the same way they do in every other facet of their lives: through email, text and social media.

However, the industry has been slow to adopt the use of modern communications tools for a few key reasons. The first is a matter of payment. Under the current fee-for-service structure, which is the norm across most of the country, providers don’t get reimbursed for email consults, so the business driver is toward making an appointment, regardless of the necessity or convenience. Another challenge is determining how to incorporate data from an e-exchange into an individual’s electronic medical record. These are big issues that the industry will have to address over the next few years.

One thing’s for sure: Patients won’t tolerate the current arrangement for long if they don’t have to. Concierge medicine and other forms of delivering primary care are popping up across the country, in part, because patients are demanding the same conveniences in their interactions with health care providers that they’ve come to expect with businesses. We know that patients’ desires to communicate through these channels will only increase over time. Yet, due to the sensitive nature of the information at issue, the health care industry will need to be even more vigilant than other industries in ensuring data security and maintaining patient privacy.

The key to successfully managing digitized health information will be finding the right balance between accessibility and security. Traditional tools and technologies such as encryption and hacker defenses will need to be put in place across the industry because both patients and providers will want more, rather than less, access to this sensitive data. Expect health care companies to learn from their predecessors in retail and banking, but also expect that there will be some bumps in the road as they figure this out.

Nevertheless, the promise of new models of care delivery that reduce costs and improve patient outcomes will no doubt require more use of digitized health care information by both patients and providers. We must ensure that the changes ahead are balanced with vigilance to protect this critically sensitive information. The promise of enhanced care, lower costs and better patient outcomes that come with digitized data is worth the risk.