Navigating Privacy Laws for Patient Data Sharing

Under the Health Insurance Portability and Accountability Act’s Privacy Laws for patient data sharing, the sharing of Protected Health Information with a third party is highly restricted and the failure to adhere to privacy laws for patient data sharing can prove costly.

In order for data be shared, a number of data security criteria must first be satisfied to ensure that patient privacy is not violated. Navigating privacy laws for patient data sharing can be a complex task.

Privacy Laws for Patient Data Sharing Explored by Blue Cross Blue Shield of North Dakota

The sharing of healthcare data can be highly beneficial to patients; a good example of this comes from Blue Cross Blue Shield of North Dakota (BCBSND) and Mid Dakota Clinic of Bismarck (MDCB), two HIPAA covered entities currently tackling the sometimes difficult issues thrown up by the Privacy Rule.

BCBSND has been developing a new chronic disease initiative since 2009, and the company uses rate incentives and fees to encourage participation in the program. The program requires a healthcare provider to submit patient health data relating to chronic diseases such as asthma, diabetes, coronary artery disease and ADHD. The aim of the study is to gather data that will assist with the treatment and prevention of long term diseases, specifically breast and cervical cancers, as well immunizations.

BCBSND needs MDCB’s participation. MDCB represents the vast majority of North Dakota state residents that have health insurance. Without North Dakotan’s health information, the data used in the study would be skewed, and not particularly representative.

The sharing of data would not be a problem if all patients agreed to share their data with BCBSND. Such a scenario would be ideal; however, what if some patients, say 40%, did not agree? In that case, valuable data would not be contributed to the study and insufficient data may be received to make the study valid.

For BCBSND, the situation is better, but not perfect. To date, BCBSND has convinced physicians representing 75% of patients to participate and send healthcare data, but negotiations continue.

MDCB has a problem. Should it wish to participate, as a holder and supplier of Protected Health Information, it must be assured that the data it shares will be protected to the standards required by HIPAA. The company must be assured that technical, physical and administrative safeguards are used to keep the data secure. Any failure to secure data could see MDCB fined for non-compliance with the Privacy Rule. Those fines, and the other costs associated with a “HIPAA breach”, could be far in excess of any incentive payments received.

BCBSND wants physicians to collect patient information, and also run a search via a third party database to identify whether the patient has any overdue screenings or immunizations. For that to happen, procedures must naturally take place during the appointment. All data is secured, and access to the system for entering data is via a secure login. BCBSND must therefore convince MDCB that these, and other protections put in place, meet the minimum standards set by HIPAA, and that at no time with the privacy of patients be violated.

Current HIPAA regulations do allow the sharing of patient data, but it must be secured at all times. If MDCB believes privacy laws for data sharing are not being followed, it is the responsibility of BCBSND to beef up its data security and ensure HIPAA compliance.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of