
Insight into the United States Healthcare Information Privacy, Protection, and Security Landscape

August 10, 2022

IBM’s newly released “Cost of a Data Breach” report for 2022 contains a harrowing statistic: the average cost of a healthcare data breach has reached a new record high, rising from $9.23 million in 2021 to $10.10 million in 2022.

Healthcare is one of the critical infrastructure sectors designated by the US Cybersecurity and Infrastructure Security Agency (CISA); IBM’s report groups it with financial services, industrial, technology, energy, transportation, communication, education, and the public sector. Beyond its 9.4% year-over-year increase in breach costs, healthcare also holds the top spot among those industries for the average cost of a data breach, for the twelfth year in a row.

Now more than ever, it is crucial that healthcare leaders, providers, patients, and vendors understand the complex web of legislation that governs the privacy of health information, commonly referred to as protected health information (PHI) or, in electronic form, electronic protected health information (ePHI). IBM’s report also found that 28% of the critical infrastructure organizations in its study had experienced a ransomware or destructive attack; the more organizations take meaningful steps to protect themselves from these attacks, the better.

Thrive Health’s digital platform provides safeguards to protect health data across North America with our secure, innovative technology. Within the US, there are varying rules and regulations governing healthcare and protected health information, but there are some essential laws that every stakeholder in this industry needs to know. The most important is the Health Insurance Portability and Accountability Act (HIPAA), a federal healthcare law that governs the lawful use and disclosure of protected health information. Within HIPAA, there are three key rules:

  1. The HIPAA Privacy Rule, which protects the privacy of protected health information in any form and sets limits on how that information can be used and disclosed.
  2. The HIPAA Security Rule, which focuses specifically on ePHI and the administrative, physical and technical safeguards that must protect it.
  3. The HIPAA Breach Notification Rule, which sets out the requirements for notifying affected individuals, the Department of Health and Human Services, and in some cases the media of breaches of unsecured PHI, whether electronic or on paper.

While HIPAA applies across the United States, each state also has its own regulations and its own definitions of protected health information and of what constitutes a data breach. For example, Colorado’s definition of a breach is summarized as the “unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity”; several other states, including Arkansas, Florida, and Georgia, use similarly straightforward definitions. Note the word “unencrypted”: under definitions of this kind, properly encrypted data that is lost or stolen may fall outside the breach definition, which is one practical reason encryption at rest matters, and why the encryption keys must be stored and protected separately from the data they protect. Other states, California in particular, go further: alongside its general rules on breaches, risk analyses, notifications, and enforcement, California law includes “Medical Information-Specific Statutes” that impose additional, stricter requirements for protecting medical information, separate from other personal information.

Because of these statutes, California has multiple state laws on PHI and ePHI that are more restrictive than the federal baseline. For example, the California Confidentiality of Medical Information Act (CMIA) protects the confidentiality of medical information held by health care providers, health plans, and their contractors; it specifies how each party may disclose that information and sets civil penalties for unauthorized disclosure, access, and use. California law also covers patients’ rights to access and correct their data: the Patient Access to Health Records Act (PAHRA) gives patients the right to inspect and copy their health records and to submit a written addendum if they find inaccuracies. Additional laws cover a wide variety of subtopics, including patient access to laboratory results, third-party access to mental health information, and the collection of medical information for marketing purposes.

All of the above is to say that a vast, complex web of legislation governs how health information is managed, accessed, and distributed. What is crucial, then, is that everyone involved in the care process is equipped with tools and systems that manage PHI and ePHI responsibly. Thrive Health’s digital platform provides administrative, physical and technical safeguards to protect this information, with an accessible interface that helps patients, providers, and families understand and interpret health data. Here are a few examples of how we do this:

- We enable 24/7 security monitoring and incident response to track both internal and external threats concerning health data and information.

- We enable intuitive digital experiences that enhance the dynamics of the care process, guiding patients through resources and workflows tailored to their unique care circumstances.

- We have completed company-wide audits for SOC 2 and for ISO 27001:2013, ISO 27017:2015, and ISO 27018:2019.

- We unify data sources for a secure, streamlined user experience, enabling smarter reporting for care providers.

- We embed security and privacy by design practices into all development and operational activities.

Governments, health authorities, and enterprise organizations across North America use the Thrive Health platform to keep their communities and their health data safe. To learn more about how Thrive technology can be used to enhance your organization’s data privacy and security, as you elevate patient engagement, contact discover@thrive.health today.

In addition to the links provided, the statistics and quotations above are taken from the following sources:

Cost of a Data Breach Report 2022 - IBM Security

State Data Breach Notification Laws - Foley & Lardner LLP

Calgary (June 6th-10th):

  • A fun and informative tour of the University of Calgary's Simulation Health Center, featuring innovative, simulative technology for health professionals to improve patient outcomes
  • Cesar, a member of our Customer Solutions team, preparing everyone a special Colombian breakfast with arepas, sausages, eggs and hot chocolate
  • Friends, families and colleagues gathering for an outdoor summer BBQ

Toronto (June 13th-18th):

  • Gathering together to work in the Four Points by Sheraton Toronto Airport
  • Enjoying dinner at Amsterdam Brewhouse with a beautiful waterfront view
  • Joining the Integra Health team for a tour of their clinic and wellness services, such as massages and skin treatments
  • Gathering with our customers and partners for an event filled with fun, socializing, and delicious food and cocktails by the pool

Vancouver (June 27th-30th):

  • Working together at our office space downtown with different teams coming together, all while enjoying delicious breakfast, fresh coffee and lots of snacks!
  • Company town hall: discussing our progress so far this year, the road ahead, and our goals, giving us time to reflect and look to the future
  • Wrapping up the week with a picnic in Flora's Field, Kitsilano while enjoying the sun, food, drinks, and friendly competitions

Monday, March 28

Hosted by our Development team

- Our inaugural Thrive Health ping-pong tournament

- Welcome dinner for our team members who flew in for the week

Tuesday, March 29

Hosted by our Product and Marketing teams

- Volunteering at a local women’s shelter, and preparing care packages for people experiencing homelessness

- Sushi-making workshop! M Sushi stopped by our Thrive office and prepared an amazing assortment of sushi for our team, while giving us the opportunity to design our own rolls, and even use the blow-torch.

Wednesday, March 30

Hosted by our Customer Success, Support, and Solutions teams

- Parfait breakfast bar to fuel us up for the day ahead

- Coaching workshop for our leadership and management teams, to give us new and exciting ways to think about growing our individual teams and continuously offering new leadership opportunities

- Commercial-themed cocktail hour and pizza night, followed by a stroll in beautiful Stanley Park

Thursday, March 31

Hosted by our Admin & Strategic Initiatives teams

- Coming together as a team for a mindfulness session hosted by Peak Wellness that gave us time to de-stress, check in with ourselves, and be reminded of the importance of getting in touch with our emotions

Friday, April 1

Hosted by our Executive team

- Company fireside chat, where we discussed our vision, goals, and key initiatives for the remainder of 2022, giving us time to celebrate all of the exciting work ahead

- Ending the week with a pub social at Colony Granville, featuring a (mildly) competitive bocce tournament!

Our Q1 2022 Onsite Week not only brought a lot of joy and laughter, but gave us the opportunity to come together as a team and connect after a long period of working remotely during the pandemic. We are already looking forward to our next onsite week, and continuing to grow the connections and friendships we have formed.
