Mythbusters by MoEngage is a series that answers the most common questions and misconceptions in the world of customer engagement. With this series, we aim to help you guide your teams towards the right practices and put your customers above everything else. This edition discusses the privacy regulation and compliance of digital health data across the globe, how healthcare brands comply with these laws, and the processes MoEngage employs for data security and regulatory compliance.
More than 1,400 digital health device interactions per person per day were observed in 2020, and digital health data accounts for roughly 30% of the world's total data volume. Around 350,000 health apps were available worldwide, with more than 90,000 launched in that year alone. These apps monitor everything from mental health management to disease-related information and medication.
So when a healthcare brand's customers enter symptoms into an app or buy wearables to improve their lifestyle, they are voluntarily sharing health data with the brand.
But the question remains, how much of this data is being protected?
$9.3M – that’s the global average cost of a healthcare data breach in 2021.
The digital health market is expected to cross half a trillion dollars by 2027. Healthcare is also the top industry for data breaches. How would you react to that combination?
Yes, more and more brands have (or will have) access to their customers' health data. Brands no longer need to spend millions collecting data from various sources. But easier collection does nothing to curb breaches; as the industry grows, breaches are rising with it.
A recent report by WebsitePlanet and security researcher Jeremiah Fowler covers a data exposure at GetHealth, a New York-based platform that unifies health and wellness data from many wearables. A misconfiguration left a database without password protection exposed on the internet, with 61 million digital health data records inside, including wearable and fitness tracker data from Fitbit and Apple HealthKit.
Another instance is London-based digital health brand Babylon Health, which disclosed a data breach in which one patient was able to view another patient's health records through the brand's app because of a software error.
Confidentiality, privacy, and security have long been significant concerns for medical health data, and with security breaches rising, health data privacy is becoming crucial.
That is why brands that handle personal health data need to build a compliance environment around it. With privacy requirements already stipulated by GDPR, CCPA, and HIPAA, much of the work is cut out for you. If you are still designing your privacy and compliance programme, start by understanding the healthcare data privacy laws of the regions you operate in.
There is a reasonable chance that your customers' digital health data is not yet secure enough. If, as a healthcare brand, you follow the applicable data privacy and security norms, you have already gone a long way towards safeguarding it. Consumer data protection and privacy laws across geographies oblige brands to protect their customers' data. Here is how the major jurisdictions approach it:
Health Data Privacy Law in the US

| | United States |
|---|---|
| Regulation: HIPAA Security Rule | Requires HIPAA-covered entities and their business associates to safeguard electronic protected health information (ePHI) that they create, receive, maintain, or transmit, through administrative, physical, and technical safeguards. |
| Regulation: HIPAA Privacy Rule | Protects the privacy of protected health information, including medical records, insurance information, and other individually identifiable health data. It limits how that information may be used, and how it may be disclosed to third parties, without prior patient authorization. |
| Regulation: CCPA | Gives California consumers the right to know what information a brand collects, how it is used, and whether it is disclosed to any third party. Consumers can also request deletion of their data and opt out of its sale. Note that PHI already governed by HIPAA is exempt from the CCPA, so the two rarely apply to the same record. |
| Authority | HIPAA is enforced at the federal level by the HHS Office for Civil Rights; the CCPA is enforced by the California Attorney General and the California Privacy Protection Agency. Health apps outside HIPAA's scope fall under the FTC, whose Health Breach Notification Rule applies to them. Many US states have their own privacy laws for their residents, some stricter than the federal baseline. |
| Penalty | Breach penalties depend on the applicable state and federal statutes. Under HIPAA, civil fines range from US$100 to US$50,000 per violation (or record), with an annual cap of US$1.5 million per violated provision; both figures are adjusted for inflation. |
Health Data Privacy Law in Europe

| | Europe |
|---|---|
| Regulation: GDPR | GDPR treats 'data concerning health' as a special category of personal data (Article 9) rather than generic data, so processing it requires a specific legal basis such as explicit consent. Individuals have the right to access their data, to have it transferred (portability) and/or erased, to object to processing, and to lodge a complaint with a supervisory authority. |
| Authority | Each EU/EEA member state has its own data protection authority (DPA) that monitors and enforces GDPR and exercises corrective and advisory powers; the European Data Protection Board (EDPB), made up of the heads of those national authorities, coordinates them and issues guidance. In the UK the regulator is the Information Commissioner's Office (ICO). |
| Penalty | Under EU GDPR, fines reach up to €20 million or 4% of worldwide annual turnover, whichever is higher; under UK GDPR, up to £17.5 million or 4% of turnover. |
Health Data Privacy Law in India

| | India |
|---|---|
| Regulation: DISHA | In 2018 the Ministry of Health and Family Welfare published a draft Digital Information Security in Healthcare Act (DISHA) to govern the security of digital health data. The draft aims to preserve the privacy and confidentiality of digital health information through protection and standardization. It was released for public consultation and has not been enacted as a standalone law. |
| Authority | The draft proposes a National Digital Health Authority (with state-level counterparts) to promote and implement e-health standards, enforce privacy and security policies for digital health data, and regulate the storage and sharing of digital health records. |
| Penalty | For a serious breach of digital health data (fraudulent access, infringement, or disclosure), the draft prescribes imprisonment of three to five years and a fine of at least 500,000 Indian rupees. Until it is enacted, such breaches are dealt with under existing statutes such as the Information Technology Act, 2000 and the Indian Penal Code, 1860. |
Health Data Privacy Law in Southeast Asia

| | Southeast Asia |
|---|---|
| Regulation | Each country in Southeast Asia follows a different health data privacy law, and some have no health-specific protection law at all. MoEngage covers digital health data privacy law in Southeast Asia in a separate article. |
| Authority | The regulating body differs by country. Indonesia has Minister of Health Regulation Number 20 of 2019; the Philippines relies on the Department of Health (DOH) and the National Privacy Commission (NPC); Singapore's Personal Data Protection Commission enforces the PDPA, and its Healthcare Services Act, passed in 2020, is being brought into force in phases from 2022. |
| Penalty | No region-wide penalty regime; penalties are set by each country's own law, where one exists. |
Health Data Privacy Law in the Middle East

| | Middle East |
|---|---|
| Regulation: UAE Health Data Law | The UAE's Federal Law No. 2 of 2019 on the use of ICT in health fields requires data accuracy and confidentiality; prohibits third-party disclosure without consent; protects data from unauthorized damage, alteration, and deletion; and limits the use of data to health service provision. It also restricts transferring health data outside the UAE except in permitted cases. |
| Authority | The Ministry of Health and Prevention, together with the emirate-level health authorities (such as the Dubai Health Authority and the Department of Health Abu Dhabi), oversees the law; there is no single dedicated health-data regulator. |
| Penalty | Breaches can lead to suspension or withdrawal of the licence to use the central IT system and fines ranging from AED 1,000 to AED 1,000,000. |
So these are the healthcare laws and regulating bodies of the major regions. But what about maintaining compliance? If privacy and health go hand in hand, so do privacy and compliance.
Enacting healthcare acts and laws is the job of government bodies. Adhering to them is the job of healthcare brands and of the vendors who help them. Most brands either store healthcare data in-house or rely on third-party vendors, which makes it crucial that every party handling digital health data knows the laws and complies with them.
Wait a second, though: how are regulation and compliance different from each other?
Regulation is the set of rules a lawmaker imposes; compliance is the set of processes and procedures a brand builds to demonstrably meet them. Maintaining compliance is even more crucial for third-party software vendors that store and process healthcare data on behalf of healthcare brands.
A customer engagement software brand like ours, MoEngage, also needs to comply with these laws and regulations.
And we do!
MoEngage partners with healthcare brands across geographies and recognizes the importance of data privacy. Data security and privacy have been embedded in our culture from the beginning.
With more than 1,000 brands across 39 countries using MoEngage to send 80 billion messages to over 1 billion consumers every month, we understand the seriousness of data privacy and security. That is why we strive to ensure the highest level of data security and privacy protection, constantly safeguarding data and refining our privacy framework as industry requirements evolve.