HIPAA, GDPR and Best Practice Guidelines for preserving data security and privacy – What Radiologists should know.
After reading this exhibit, the reader is expected to be able:
- To understand the key aspects of HIPAA and GDPR compliance from a radiology perspective.
- To understand the key differences between these regulations.
- To know the best practice principles to be followed when handling and using medical data derived from radiology images.
BACKGROUND:
With the recent advances in deep learning and the boom of AI applications focusing on radiology, medical imaging data have become a key resource for scientific progress. Large hospitals and imaging clinics hold a plethora of such data, albeit unstructured, together with accompanying clinical and other healthcare information. As much as it is crucial to use these data to build robust algorithms, it is also important to be mindful of the critical privacy risks associated with sharing them. Against this background, it is important to understand the key features of the regulations governing these data.
FINDINGS AND PROCEDURE DETAILS:
1. HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) sets the basic standards for the protection of sensitive patient data. The rule applies to individuals or organizations that obtain health information in the course of normal health practice. The covered entities include hospitals, health plans, and other healthcare providers such as radiology centers. Health plans are organizations that provide medical care, or at least pay for it, such as insurers. The rule protects all personally identifiable information of a patient, including demographic information, past health records, etc. It does not apply if the information has been de-identified according to the rule. The privacy rule allows patient data to be revealed without the patient's authorization only when one of the following conditions is met:
a) Disclosure to agencies for health oversight activities such as audits.
b) Disclosure to law enforcement agencies.
c) Disclosure for court proceedings, if requested.
d) Disclosure to business associates, if a proper agreement has been signed stating that they will not reveal the data.
2. GDPR Compliance
The General Data Protection Regulation (GDPR) was adopted by the European Union in 2016, and since May 25, 2018, all organizations must be compliant. It is a new framework replacing the data protection law that dated from 1995. It changes the way companies must store and transfer the personal data of EU citizens and residents. Personal data includes anything that can be used as an identifier, such as a name, identification number, location data, etc. The rule applies to all organizations (not only healthcare entities) that process or hold data of EU citizens, regardless of where the organization is located. Individuals are given the right to restrict further processing of their data and to request its deletion (the right to be forgotten). The rule also gives individuals easy access to the data that companies hold about them. The companies covered by the rule are responsible for the processing and handling of people's data. In recent years there have been massive data breaches, including of social media accounts and healthcare data stores (PACS). Under this rule, any data breach, loss or destruction has to be reported to the country's data regulator within 72 hours of the incident. An organization that does not handle data correctly will be fined. These fines normally go up to 10 million euros or 2 percent of the organization's turnover; in some cases they go up to 20 million euros or 4 percent of turnover.
3. HIPAA vs GDPR
The major differences between HIPAA and GDPR are:
a) Under HIPAA, organizations can disclose patient data to another provider in some circumstances without consent. Under GDPR, no patient data can leave the organization's premises without the consent of the EU citizen or resident.
b) GDPR gives EU citizens and residents the right, under specific circumstances, to require a healthcare provider to erase their data; HIPAA does not grant this right.
c) After a data breach, healthcare providers following HIPAA are required to notify the affected subjects, and if more than 500 subjects are affected, the Department of Health and Human Services must be informed. Under GDPR, there is a 72-hour window to report the breach to the supervisory authority.
d) Both rules permit the disclosure or processing of PHI (Personal Health Information) of an individual who is unable to give consent due to incapacity, whenever necessary.
e) GDPR permits the processing of data by a not-for-profit organization only if the processing relates to the individual's own family and not to any third party. HIPAA has no provision of this type.
f) Both rules permit the disclosure of data when required by a court acting in its judicial capacity.
4. Tags that need to be anonymized before use for research purposes
To use imaging data outside the healthcare provider's premises for any purpose, such as research or deep learning, patient data must be removed from the images or anonymized. Some of the tags containing patient and location data that need to be anonymized are shown in the figure.
It is recommended that, before these images are used, consent be obtained for the use of the de-identified images in research.
Almost all major PACS vendors, as well as some open-source and proprietary tools, offer anonymization tools with customizable tags. Programming languages such as Python can also be used.
The major regulations that set the rules for securing patient data have been discussed here, along with how imaging data can be used for research and AI.
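As an added illustration of the tag-scrubbing step described above (this is example code written for this page, not a tool from the poster or from any PACS vendor), the following Python block encodes a small, constructed DICOM-style header in explicit VR little endian form, strips or replaces the identifying tags, drops private (odd-group) tags, and replaces the patient ID with a keyed pseudonym so that studies of the same patient remain linkable for research without the original ID being recoverable. The tag numbers are the standard DICOM attribute tags; which tags are treated as identifying, the `RSRCH-` pseudonym format and the secret key are assumptions made for the example, since the poster's figure is not reproduced here.

```python
"""Added example: minimal DICOM-style tag anonymizer (not from the poster)."""
import hashlib
import hmac
import struct

# Tags treated as direct identifiers. The tag numbers are standard DICOM
# attribute tags; the selection itself is an assumption for this example.
IDENTIFYING_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0081): "InstitutionAddress",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
}
PATIENT_ID = (0x0010, 0x0020)


def encode_elements(elements):
    """Serialise [(tag, (vr, text))] as explicit VR little endian data elements.
    Only the 2-byte length form is used, which is valid for the text VRs here."""
    out = bytearray()
    for (group, elem), (vr, text) in elements:
        data = text.encode("ascii")
        if len(data) % 2:                      # DICOM values are padded to even length
            data += b"\x00" if vr == "UI" else b" "
        out += struct.pack("<HH2sH", group, elem, vr.encode("ascii"), len(data))
        out += data
    return bytes(out)


def decode_elements(blob):
    """Parse the element stream written by encode_elements back into a list."""
    elements, pos = [], 0
    while pos < len(blob):
        group, elem, vr, length = struct.unpack_from("<HH2sH", blob, pos)
        pos += 8
        text = blob[pos:pos + length].decode("ascii").rstrip(" \x00")
        pos += length
        elements.append(((group, elem), (vr.decode("ascii"), text)))
    return elements


def pseudonymize_id(patient_id, secret):
    """Keyed hash: the same patient always maps to the same research ID, but the
    original ID cannot be recovered without the key, which stays with the provider."""
    digest = hmac.new(secret, patient_id.encode("ascii"), hashlib.sha256).hexdigest()
    return "RSRCH-" + digest[:16].upper()       # pseudonym format is an assumption


def anonymize_elements(elements, secret):
    """Drop private tags, pseudonymize the patient ID and blank other identifiers."""
    cleaned = []
    for tag, (vr, text) in elements:
        group, _ = tag
        if group % 2 == 1:        # private (odd-group) tags: vendor data may embed identifiers
            continue
        if tag == PATIENT_ID:
            text = pseudonymize_id(text, secret)
        elif tag in IDENTIFYING_TAGS:
            text = "" if vr == "DA" else "ANONYMIZED"   # dates are emptied, text replaced
        cleaned.append((tag, (vr, text)))
    return cleaned


def anonymize_blob(blob, secret):
    """Round-trip: parse, scrub, re-encode."""
    return encode_elements(anonymize_elements(decode_elements(blob), secret))


def build_sample_dataset():
    """Constructed sample header; every value here is invented for the example."""
    return encode_elements([
        ((0x0008, 0x0060), ("CS", "MR")),
        ((0x0008, 0x0080), ("LO", "Example Teaching Hospital")),
        ((0x0008, 0x1030), ("LO", "BRAIN ROUTINE")),
        ((0x0010, 0x0010), ("PN", "DOE^JANE")),
        ((0x0010, 0x0020), ("LO", "MRN-000123")),
        ((0x0010, 0x0030), ("DA", "19700101")),
        ((0x0010, 0x1040), ("LO", "1 Example Street")),
        ((0x0009, 0x0010), ("LO", "VENDOR PRIVATE BLOCK")),
    ])


if __name__ == "__main__":
    key = b"placeholder-key-kept-by-the-hospital"   # placeholder secret for the demo
    for tag, (vr, text) in decode_elements(anonymize_blob(build_sample_dataset(), key)):
        print(f"({tag[0]:04X},{tag[1]:04X}) {vr} {text!r}")
```

The codec deliberately handles only short text VRs; a real DICOM file also carries a 128-byte preamble, the "DICM" magic, the file meta group, binary and sequence elements, and possibly burnt-in annotations in the pixel data, none of which this toy parser touches. For production use, a maintained library such as pydicom or the PACS vendor's anonymizer should do the parsing, with a reviewed tag list like the one above driving the scrubbing policy and the HMAC key held only by the data custodian.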
The poster can be viewed here: http://dx.doi.org/10.26044/ecr2020/C-13220