In (Digital) Defense of HIPAA

Seven years since the first whole slide imaging (WSI) system was approved by the U.S. Food and Drug Administration,¹ the digitization of diagnostics has continued to grow—yet its adoption in the US has lagged behind that of other countries.² Legal and regulatory hurdles abound, including questions of patient consent, pathologist licensing for remote consultations, and data privacy and security. High on the list of concerns is how digital pathology, artificial intelligence (AI), and telepathology intersect with the requirements of the Health Insurance Portability and Accountability Act (HIPAA).

Understanding HIPAA and e-PHI

“Labs and pathology groups often rely on the HIPAA policies and procedures of the hospital or health system they serve rather than separately implementing their own,” says lawyer Emily Johnson, member at McDonald Hopkins LLC. However, as covered entities, these groups are obligated to be fully HIPAA-compliant—which includes having their own policies, procedures, and safeguards to protect the protected health information (PHI) they maintain. “Clients typically take the position that, because they are hospital-based, they have no separate obligation to protect PHI. That is not accurate.”

HIPAA’s Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) sets standards for the use and disclosure of PHI.³ It extends to any product or service provider who may have contact with PHI—such as cloud storage providers, data analysis tools, and even many AI technologies. The rule protects all individually identifiable health information in electronic and other forms, but does not cover deidentified health information.

The Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) sets standards for the storage and transmission of PHI in electronic form.⁴ It applies to all covered entities and their business associates, which may include providers of laboratory information systems, electronic health records, or communications software. It requires those parties to maintain the confidentiality, integrity, and availability of electronic PHI; protect it against anticipated threats; prevent inappropriate or unauthorized use or disclosure; and ensure that their workforces comply with HIPAA requirements.

Protecting patients’ digital data

In 2014, the American Telemedicine Association (ATA) established the first guidelines for telepathology in clinical practice.⁵ These guidelines set out expectations for the technologies used in digital and computational pathology, potential applications for telepathology, and the responsibilities that fall on each party involved in the telepathology process. Broken down, these responsibilities with respect to privacy and security include:

• Compliance with local, state, federal, and (if appropriate) international laws and regulations regarding PHI
• Training and familiarity in general principles of digital privacy and security
• Secure display, storage, and transmission of PHI
• Use of privacy features during remote consultations and other discussions
• Use of data security best practices for mobile devices

“Each covered entity, including laboratories and pathology groups, is responsible for their own HIPAA compliance,” Johnson says. “Labs and pathology groups often contract with vendors to obtain the software solutions necessary to operate digitally. Such vendors are considered business associates if they receive PHI in connection with the services they provide to the labs and pathology groups.”

A final rule issued in 2013 made business associates directly liable for HIPAA compliance.⁶ Therefore, Johnson explains, any party using or disclosing PHI should have policies and procedures in place to comply with HIPAA and should perform regular and periodic risk analyses to identify and mitigate any threats to PHI they maintain, use, or disclose digitally.

HIPAA-compliant digital pathology

“Anytime PHI is used or disclosed digitally, the risk of unauthorized disclosure increases,” says Johnson. “The most common HIPAA issues that arise for digital pathology involve the use of unsecure software solutions that expose PHI to an unauthorized individual.”

Labs can mitigate the risk of unintended disclosures by ensuring that all devices, platforms, and portals used for digital pathology are secure. Devices should be password-protected (using best practices for secure password generation and ensuring that login details are not left where unauthorized people can obtain them); access to devices and software that use PHI should be restricted; and mobile devices should have the capacity for remote locking or wiping. When labs acquire new devices or software, IT professionals should be involved to identify potential security risks and ensure HIPAA compliance.

“Another issue that pops up relatively frequently is whether and how PHI can be used and disclosed by a software or technology vendor for purposes unrelated to the original disclosure to such vendor—and whether the vendor can profit from any sale of such information,” Johnson continues. “Labs and pathology groups often don’t realize that they have given other parties—for instance, vendors—the right to deidentify, aggregate, use, and further disclose the lab’s PHI. It is important to thoroughly read the service agreements you are entering into prior to execution.”

She recommends that labs and pathology groups thoroughly vet any new vendor and ask themselves four key questions before signing a contract:

1. How is my data being used and disclosed?
2. What is the recipient entity’s role with respect to such data?
3. Does the recipient entity intend to use my data or aggregate it with other data for a purpose unrelated to the purpose for which I disclosed it?
4. Is the recipient entity selling or otherwise monetizing my data?

“As a covered entity, the lab is ultimately responsible for the protection of PHI in its possession,” Johnson says. “Don’t be afraid to ask vendors for copies of their privacy and security policies and for proof that the vendor performs adequate information system activity reviews and regular risk analyses. If a service agreement contains questionable language regarding deidentification and aggregation that is not favorable to the lab, strike the language or ask for clarification. Additionally, labs should ensure they abide by the minimum necessary rule where applicable—only disclose the minimum amount of PHI necessary to satisfy the purpose of the disclosure.”

Preparing for the future

Johnson recommends that, as the adoption of digital pathology increases, labs and pathology groups periodically assess their network and security and analyze their contracts to determine who has access and rights to their data. “The advancement of new technologies creates additional factors for consideration when assessing compliance and security,” she adds. “AI will certainly change the approach to cybersecurity and data privacy in the future.”

Digitally enabled workflows such as remote consultations, automation, and AI-assisted diagnosis are on the rise—and all carry implications for HIPAA. To best serve their patients, labs will need to stay informed of best practices and ensure that not only they, but also their business associates, are in compliance.

References:

1. U.S. Food and Drug Administration. FDA allows marketing of first whole slide imaging system for digital pathology. April 12, 2017. https://www.fda.gov/news-events/press-announcements/fda-allows-marketing-first-whole-slide-imaging-system-digital-pathology.
2. Evans AJ et al. US Food and Drug Administration approval of whole slide imaging for primary diagnosis: a key milestone is reached and new questions are raised. Arch Pathol Lab Med. 2018;142(11):1383–1387. doi:10.5858/arpa.2017-0496-CP.
3. U.S. Department of Health and Human Services. The HIPAA Privacy Rule. July 22, 2024. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
4. U.S. Department of Health and Human Services. The Security Rule. October 20, 2022. https://www.hhs.gov/hipaa/for-professionals/security/index.html.
5. Pantanowitz L et al. American Telemedicine Association clinical guidelines for telepathology. J Pathol Inform. 2014;5(1):39. doi:10.4103/2153-3539.143329.
6. 45 CFR Parts 160 and 164. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. Federal Register. January 25, 2013. https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf.