
#59 Evolution of Data Privacy

on Wed Jul 28 2021 17:00:00 GMT-0700 (Pacific Daylight Time)

with Darren W Pulsipher, Jeremy Harris

Keywords: #cybersecurity #data #dataprivacy #privacy #process #people #healthcare #sutterhealth

Darren Pulsipher, Chief Solution Architect, Intel, discusses what data privacy really means and its future direction with Jeremy Harris, Assistant General Counsel – Privacy/Information Security, at Sutter Health.

After graduating from law school, Jeremy went directly into the JAG Corps for the US Air Force and served as an active-duty officer for nine years. One of his responsibilities was as a records manager for two different offices. He switched his focus to healthcare with his last military assignment as counsel for hospitals in the Northeast. After leaving active duty (he is still in the reserves), he went to work as counsel at a hospital and is now at Sutter Health.

Although the legal framework is the same for data privacy, there are some differences between government and the private sector: the approach, the goals, and which regulations apply. In government, data privacy means keeping the data protected via the Privacy Act; keep the secret stuff secret. Although there are exceptions, as well as the Freedom of Information Act, systems are designed by default to protect the information, not release it.

In healthcare, since HIPAA in 1996, HITECH a few years later, and now with the ONC, data is being pushed into homes, into the devices of the patients, and patients can allow access to third parties. “Appropriate access” is probably a better descriptor than “data privacy.”

The movement in privacy rights is more access and more control from individuals. As a patient, not only do you have a right to your information, you can direct your healthcare provider to give it to a third party: a lawyer, a friend, another medical professional, etc. A patient can also specify a paper or electronic release medium, so there are many rights given to patients.

These rights for individuals to control their own data are not limited to healthcare. We see this in the current movement with GDPR and recent laws passed in Brazil, Canada, and China, and some US states such as California, Washington, and Virginia.

As the future of data privacy becomes more about individual rights to access, it will change how organizations can track things. Big companies like Google and Facebook have options now where people can clear out their data or prevent the companies from selling it in various ways. Tracking devices such as traditional cookies won’t be as relevant, so there will have to be something else that helps targeted advertisers.

A lot of data, such as employment data, is of course already regulated. Individual control of data is not an absolute right; companies need data to function, so they will be able to keep some, but it will become more regulated. In the US, we will have more complexity and more problems before we have standardization. We have 50 states, each with its own regulations.

There are as many laws as there are definitions of personal information, which can create a conflict. Sutter, for example, has many hospitals in Northern California, and a few auxiliaries in Hawaii, Oregon, and Utah. Sutter must routinely stay on top of those states’ regulations, but if there is a breach, then the state where the affected individuals reside comes into play. Sometimes the laws are written so that Sutter has to follow the law in the location of the residence of the patients rather than the business, so that becomes complex.

Sometimes it makes sense to outsource these types of problems, and there is a whole legal industry popping up that helps companies navigate privacy and information security regulations.

From the IT side, data security means limiting who has access to things. With data privacy, it’s opening doors to access. Of course, there is a validation process for who has access, but there is a balancing act between security and privacy, which can create a lot of work for both the legal and the operational sides.

Organizations that develop any kind of apps that deal with people’s data need to understand that privacy laws are different in every country and every state, and they need to understand the ramifications of using and storing that data.

Jeremy, along with the privacy and security teams, is engaged with the technical teams, sometimes even from the design phase, to make sure everything meets regulations. For example, he will talk to the team that builds the patient portals to see whether the things they want to do meet regulations. Additionally, he helps answer questions about what kind of database would be best or whether there is a cloud provider that can be set up in compliance. Jeremy finds the more he educates himself and gets training on technical aspects, the more helpful he can be in the process.
