For the global healthcare industry, change is the norm. Digital health and patient data are forcing dramatic and fundamental changes to healthcare’s clinical, operating, and business models, as well as to the general economy.
The continued smooth operation of healthcare organizations depends on the security of Personally Identifiable Information (PII) and Personal Health Information (PHI). For companies operating globally this goal can typically be achieved with an active multi-regional data residency strategy.
Why is data residency in healthcare important?
While it may seem obvious to say that data residency in healthcare is important, what does the term refer to?
Businesses and organizations often require that their data be stored in a certain region or location. Typically, this request is due to regulatory or compliance reasons. Some organizations and companies set data residency parameters based on the local jurisdiction’s level of data residency requirements.
There have been dozens of countries that have enacted data localization and residency rules. Some of the countries include Russia, China, Israel, Switzerland, Turkey, South Korea, South Africa, Mexico, India, Malaysia, Singapore, and many others.
Some countries have strict rules on data residency, such as Canada. Health data must be stored locally, while the U.S. requires that federal government data be kept locally. Many countries require companies to store sensitive PHI data inside the country of origin, or at least cross-border data transfers based on the data security of the receiving end or pre-negotiated transfer requirements.
If your business operates in several countries and needs to store regulated data in multiple locations, you should adopt a multi-regional data residency strategy. By storing and processing data in a particular country or location, these data residency regulations safeguard the privacy of data and workloads.
Personal health information regulations – overview
Healthcare is a highly regulated industry, so data security and privacy are critical concerns. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) governs the security and privacy of medical information, or protected health information (PHI).
PHI must be protected by “covered entities,” i.e. hospitals and insurers, and those who process it on their behalf. Any organization that is HIPAA-covered must follow its rules for creating, collecting, transmitting, maintaining, and storing personal health information.
The European Union’s General Data Protection Regulation (GDPR) is another regulation that applies to PHI. Data on health, including genetics, are covered by the law. Healthcare organizations treating EU patients must comply with GDPR regulations regarding patient consent.
In 2018, the U.S. federal government launched the MyHealthEData program, which encourages patients to control their PHI and to freely transfer data among doctors. A primary goal of MyHealthEData is to promote interoperability of health data so that patients can view their records more easily.
When it comes to data management, concerns about risk and compliance can make it daunting to consider more advanced approaches. Any organization must ensure that patient data is protected, while the organization itself also has to remain compliant.
Protection of health information – what is it?
Patients’ birthdates, medical conditions, and health insurance claims are all sensitive information in the healthcare sector. Protected health information describes the medical history, including ailments, treatments, and outcomes, whether it is recorded on paper or electronically.
Is there a difference between PII, PHI, and IIHI?
We must distinguish personally identifiable information (PII) from protected health information (PHI), as well as a third type of information, individually identifiable health information (IIHI).
- The term “PII” refers to any data that could be used to identify an individual. The information may be nonsensitive and can be made public without endangering individuals. Alternatively, it could be sensitive information that might harm the individual if disclosed. PII extends beyond health records. Tax information, credit card numbers, and Social Security numbers used in a context unrelated to healthcare operations and services are included.
- On the other hand, PHI must be used in a medical context. HIPAA rules require compliance by organizations that handle PHI. However, protecting PII is not mandatory in all cases.
- The term “IIHI” refers to any health information that identifies a person. Think of it as PII applied to health information. HIPAA does not protect all IIHI. A non-HIPAA covered entity that does not transmit or maintain IIHI in some form does not qualify as PHI. A patient, for example, takes daily blood pressure readings on a form that includes their name, address, and phone number but has not yet sent the data to their doctor. This data qualifies as IIHI instead of PHI. Although it might contain sensitive information, it is not protected because it has not been transmitted.
IIHI becomes PHI if it meets the following conditions:
- Transmitted electronically, such as via email;
- Located in electronic media, such as a server;
- transmitted or maintained in any other form or medium, such as on a paper document stored on a physical shelf.
Data residency for healthcare and life sciences from InCountry
Data residency was proving to be a huge headache to managing different regulations on PHI in multiple countries, but thankfully, InCountry has simplified the process.
As part of our commitment to the security and compliance of your data, we offer certifications and technology that enables your business to operate anywhere without worrying about local regulations and standards.
Life sciences and healthcare – what the InCountry platform offers
Every location we operate in meets government and industry regulations, including those regarding data residency.