Mythbusters: Digital Health Data Protection on Engagement Platforms

  • UPDATED: 01 September 2022
  • 7 min read
article
Reading Time: 7 minutes

Mythbusters by MoEngage is a series that answers the most common questions and misconceptions in the world of Customer Engagement. With this series, we aim to help you guide your teams to the right practices and put your customers above everything else. This edition of the Mythbusters series discusses the privacy regulation and compliance of digital health data across the globe and how healthcare brands are complying with these laws. Also, the processes MoEngage employs for data security and various data regulations.

More than 1400 digital health device interactions per person per day were observed in 2020, while 30% of the world’s total data volume is accounted for digital health data. Around 350,000 health apps worldwide were available, with about 90,000+ launched in the same year. These apps monitor multiple things, from mental health management to disease-related information or medication.

So if any healthcare brand’s customers are entering symptoms in any of the apps or purchasing wearables to better their lifestyle, they’re voluntarily sharing health data with the brand.

But the question remains, how much of this data is being protected?

Is Digital Health Data Privacy Your Best Medicine-1a
Source: IQVIA Institute, Jun 2021

Is Digital Health Data at its Death Door?

$9.3M – that’s the global average cost of a healthcare data breach in 2021.

If the digital health market is expected to cross half a trillion dollars by 2027, how would you react if healthcare is the top industry for data breaches?

Yes, more and more brands have (or will have) access to their customer’s health data. The brands don’t need to spend millions anymore in collecting data from various sources. However, this doesn’t curb the data breach issues, especially with industry and data breaches rising.

A recent report by WebsitePlanet and Jeremy Fowler discusses a data breach of GetHealth, a New York-based unified solution that offers health and wellness data access for many wearables. A platform misconfiguration exposed a non-password protected database with 61 million digital health data records. The database contained wearables and fitness tracker data of Fitbit and Apple’s Healthkit.

Consumer digital health data is unsafe

Another instance is of a London-based digital health brand Babylon Health. The brand announced a data breach where one patient accessed another patient’s health records using the Hand app due to software malfunction.

Confidentiality, privacy, and security have been significant concerns regarding medical health data. Especially with the rising security breaches, health data privacy is becoming crucial.

That’s the reason why brands with personal health data encounters should design a regulatory environment. With privacy stipulated by GDPR, CCPA, and HIPAA, most of your privacy work is already cut out for you. If you are still thinking about designing these privacy regulations and compliance, start by understanding your region-specific healthcare data privacy laws.

Digital Health Data Privacy for Various Regions

There’s a medium to a high probability that your customer’s digital health data is not secure enough. However, as a healthcare brand, if you’re following all the data privacy and security norms then you have safeguarded your customer’s data already. Consumer data protection and privacy laws across various geographies ensure that brands protect their customer’s data. Here’s how they are doing:

Health Data Privacy Law in the US

Law Regulation HIPAA Security Rule: Secures creation, use, receipt, and maintenance of digital personal health information by HIPAA-covered organizations.
HIPAA Privacy Rule: Protect personal digital health data privacy, including medical records, insurance information, and other personal health information. These limitations are information used (and in what manner) and disclosed to third parties without prior patient authorization.
CCPA: Right to know what information the brand is collecting, how it will be used, and whether it will be disclosed to any their-party. Consumers can also request deletion of their data and opt-out on the resale of their data.
Law Authority There’s no specific regulator on a federal level, but together HIPAA and CCPA regulate and safeguard digital health data and enforce the consent of an individual when it comes to data usage and sharing. Various states across the US have specific privacy laws for their residents and can be more strict.
Law Penalty Data and security breach penalties are based on the statute of various state and federal laws. But under HIPAA, penalty fines can range between US$100 to US$50,000 per violation (or record).

Health Data Privacy Law in Europe

Law Regulation GDPR puts healthcare data in a specific category, ‘data concerning health’ instead of generic data. GDPR states that individuals can access their data with the right to transfer and/or erasure of data. Individuals also have the right to object data processing and lodge complaints in case of a breach.
Law Authority There’s a data protection advisory (DPA), a 28-member board with the main purpose of monitoring and enforcing GDPR; and exercising corrective/advisory powers.
Law Penalty Data privacy breach penalty under EU GDPR results in fines of up to €20 million and UK GDPR can result in administrative fines of up to £17.5 million.

Health Data Privacy Law in India

Law Regulation The Ministry of Health and Family Welfare launched a new act called the Digital Information Security in Healthcare Act in 2018 to manage data security in healthcare services. This Act preserves the privacy and confidentiality of digital health information by ensuring its protection and standardization.
Law Authority A legislative body that promotes and implements e-health standards, enforces privacy and security policies for digital health data, and regulates the storage and sharing of digital health records.
Law Penalty According to the Indian Penal Code 1860, any fraudulent activity, infringement, or disclosure of digital health data will bear a prison sentence of three to five years and a fine of at least 500,000 Indian rupees.

Health Data Privacy Law in Southeast Asia

Law Regulation Every country under the Southeast Asia region follows a different health data privacy law and some countries don’t even have a specific protection law. Read more about digital health data privacy law in Southeast Asia here.
Law Authority The legal body regulating laws and security is different for different regions. For instance, Indonesia has Minister of Health Regulation Number 20 of 2019, the Philippines follows the Department of Health (DOH) and the National Privacy Commission (NPC). In contrast, Singapore is waiting on Healthcare Services Act that will regulate the sector by 2022.
Law Penalty Nothing specific as of yet.

Health Data Privacy Law in the Middle East

Law Regulation UAE’s Health Data Law issued in 2019 introduces data accuracy and confidentiality; protects data from third-party disclosure without consent; secures data from unauthorized damage, alterations, and deletion; and limits data usage only for health service provisions.
Law Authority There’s no specific regulator as of yet.
Law Penalty The penalty for any breach is a potential suspension or withdrawal of the license to use the central IT system and fines ranging from AED 1,000 to AED 1,000,000.

So these are the healthcare laws from various countries along with regulating bodies. But what about maintaining compliance? If privacy and health go hand-in-hand, so do privacy and compliance.

Establishing healthcare acts and laws fall under various government and private bodies. However, ensuring that these are adhered to is the job of healthcare brands and other vendors who help them. Most brands store healthcare data either in-house or take assistance from various third-party vendors. This scenario makes it crucial that all the parties involved in digital health data handling are aware of the laws and comply with them.

Wait for a second, though? How are regulation and compliance different from each other, you ask?

Difference between law regulation vs. compliance in healthcare

Digital health data - regulation

Digital health data - compliance

To maintain compliance with the healthcare laws, brands need to build processes and procedures to ensure stringent compliance. It is even more crucial for third-party software brands that store and process healthcare data for healthcare brands.

A customer engagement software brand like ours, MoEngage, would also need to comply with the laws and regulations.

And we are!

Building a New Data Relationship with an Engagement Platform like MoEngage

MoEngage partners with healthcare brands across geographies and recognize the importance of data privacy. Data security and privacy are imbibed in our brand’s culture from the beginning.

  • We have processes to immediately contain and remove personal information from processing and storage systems upon a data subject(s) request.
  • We ensure that the data stored and processed using our platform adheres to all the necessary data and security standards.
  • Our ‘security by design’ structure with product managers, engineers, and compliance experts working at different levels to ensure our customers’ data is always secure.

How do we ensure that our healthcare customers’ data is secure?

  • Consent forms and disclosures to process all personal data.
  • Data servers at specific locations for specific geographies based on local privacy laws.
  • A data protection team that creates impact assessments and trains employees on the new data privacy requirements and processes.
  • Access controls and workflow approvals in the platform dashboard to allow customers to control who has access to the customer database in their organization.
  • Data protection for the platform to include SAML-based (Security Assertion Markup Language) Single Sign-On (SSO) option allowing employees to sign in to their MoEngage product(s) using their organization-issued username and password.

Apart from these, we have some specific data compliance processes and certifications as well

  • Security Firewall: This process limits and controls access to the dashboard to only trusted IP addresses/ranges along with a two-step verification process.
  • AWS certification: MoEngage has gained certification from Amazon across multiple categories as part of our Amazon Web Services (AWS) Partner Competency Program.
  • GDPR compliant: We entirely believe in safeguarding our customer’s data and privacy rights. Our platform is GDPR compliant, and we follow all the regulations stated under GDPR to ensure our customers’ rights are safeguarded.

MoEngage complaince with digital health data privacy

  • CCPA: MoEngage caters to customers across geographies and strictly adheres to all international and regional data privacy rules. We comply with CCPA completely to ensure that the highest level of protection is given to our customers’ database.
  • ISO 27001 certification: MoEngage is ISO 27001 compliant, meaning our organization performed an extensive assessment of security risks and created ISMS (Information Security Management System). ISMS helps us comply with regulations within ISO’s (International Organization of Standardization) global information security management standard.
  • SOC 2 Type 1 compliant: MoEngage follows Service Organization Controls (SOC) 2 that provides confidentiality, security, and availability of customer data. This is one of the highest standards of data security.

With over 1,000+ brands across 39+ countries who use MoEngage to send 80 billion messages to over 1 billion consumers every month, we understand the seriousness of data privacy and security. That’s why we always strive to ensure the highest level of data security and privacy protection. MoEngage constantly safeguards data and refines our privacy framework based on industry requirements.

What to Read Next

  1. Want to understand the concerns when it comes to personalization vs privacy – here are 6 learnings from WhatsApp’s privacy policy update.
  2. What do you need to know about GDPR compliance? Check out the five most critical aspects!
  3. Is customer centricity of utmost importance for your brand? Well, here are 11 steps towards making your organizational culture customer-first!