Our company, McKesson, is a large healthcare services company. We provide services to various business partners in the healthcare industry, including pharmacies, hospitals, physician groups and insurance plans. Though we think the lessons we’ve learned apply to many scenarios, the privacy impact assessment (PIA) process we describe here, which one division of our company has established to evaluate inter-company transfers of protected-health information (PHI), specifically relates to services we provide as a business associate to our independent pharmacy customers, which are covered entities under the Health Insurance Portability and Accountability Act (HIPAA).
Some pharmacies separately engage McKesson affiliates to perform distinct services. In the course of providing services, one affiliate may obtain data from that pharmacy. If another affiliate needs that same data to perform other services to the pharmacy, as a convenience to the pharmacy, we facilitate a transfer of the data from the affiliate that has the data to the affiliate that needs it. This obviates the need for the pharmacy to send us data that one of our affiliates already has.
To establish our oversight of these affiliate data feeds and mitigate privacy risk, we implemented a PIA process.
We designed a form that the business group receiving the data would initially complete. At a high level, the form was designed to indicate exactly what data was being transferred, what the data would be used for, any contractual restrictions governing that use, whether the data was de-identified and how it was secured. The completed form would then be reviewed and approved by legal and compliance from both the transferring business entity and the recipient business entity.
Our general standard has been that the requesting business group must submit a new PIA form each time it requests the establishment of a new data feed, for example, to support a new program, or each time it makes a new use of data under an existing data feed. The latter case is important because altering the use of the data can change the legal assessment.
One challenge was figuring out the right amount of information to request in the PIA. We did not want the PIA to be an onerous exercise, but we needed to get all pertinent information; we also wanted to avoid duplication of information we had available elsewhere.
With assistance from our business partners, we were able to limit it to two pages. One important item we asked businesses to include was the actual data feed content—the fields, character limits, example content—that was being transferred and the contractual agreements related to the proposed usage.
Benefits of Process
The PIA process has promoted discussion between legal, business and compliance from both the receiving and sending business units. These discussions may not have occurred, and certainly would not have been as rich and informed, without the process.
We think there are three key benefits from establishing this PIA process:
It has allowed legal and compliance to provide more education to the business on the requirements of HIPAA, including the de-identification standards. Education in the context of an actual project is more effective because it’s less abstract and helps businesses see how the rules apply to their particular projects. It has also provided the business a fuller picture of all data flows that occur between the business units. This bird’s-eye perspective has helped inform the businesses’ data planning and strategy.
Ongoing Risk Assessment
The review process has enabled us to conduct an ongoing risk assessment each time there is a material change to either the data or its use. Rather than a one-time assessment conducted in isolation, the assessment is ongoing and is part of a comprehensive review framework. Although this was a side effect of the process, this has proven to be one of its most valuable elements.
Privacy by Design
Finally, the PIA process promotes the concept of Privacy by Design. When businesses have new projects that require new data or new use of data, they engage legal and compliance through this PIA process. Effectively, we have engineered privacy and security questions into the product development cycle. In at least one case, our early involvement has allowed us to influence the development of system architecture to better protect data. We anticipate continued dividends in the years to come as we continue to refine the process.
Of note: The process described here relates to an inter-company data feed. However, we think the process would be useful even where the feed occurred between unaffiliated entities, although the review may be conducted separately by each of the entities rather than as one joint review as contemplated above. Also, the data described here was PHI, which is governed by HIPAA, one of the strictest U.S. privacy laws. Even if the data at issue in your company is not PHI, there may be other laws, such as the Children’s Online Privacy Protection Act, or contractual requirements restricting your use of the data.
Increasingly, there may also be business or consumer expectations regarding how your company manages their data, and this PIA process can help ensure compliance with these expectations and thereby strengthen your brand.