Is retail ready for push into healthcare and handling sensitive customer data?

Oct. 16, 2020
Retailers who are embarking on healthcare delivery will need to understand how their customers' data is a security priority

Need stitches? Have a broken finger? Or a cough you can’t shake? Time to go to the doctor. Now, would your first instinct be to run to your local Walmart or grocery store to get checked out? If they had their way, retailers would be your provider-of-choice.

With a massive push by traditional retail chains (Walmart), national pharmacies (CVS) and grocers (Kroger) to play doctor by getting into healthcare delivery with minute clinics and urgent care centers, what that translates to is more convenience for suburban families through various locations and service hours; more access for rural communities and underserved inner-city populations; and greater access for homebound patients who may have non-critical needs but can’t travel without significant effort. Additionally, these alternate sites of care can be appealing during the COVID-19 pandemic to people who want to avoid going to the hospital or even a doctor’s office.

As retailers dip their toe into healthcare, this experiment was initially focused on virtual visits and telehealth. However, it’s morphed into much more: Walmart is piloting health clinics in Georgia and Arkansas which offer primary care and mental health services, and both CVS and Walgreens are redesigning their stores to allow for in-store clinics.

Enter the National Retailers

Fundamental to the goal of making healthcare localized is the assumption that care provided near a patient’s home will improve quality through greater access and reduce cost through fewer unnecessary hospitalizations and visits to emergency departments. However, providing easy access is just one part of the equation.

Healthcare represents an opportunity for retailers to “go where the money is”, offering new revenue streams to shore up their businesses against behemoths like Amazon, while also attracting customers to drive in-store sales.

We all recognize the expected players like Rite Aid, CVS and Walgreens putting their hat into the ring, but players as diverse as Kroger and Best Buy (who have limited healthcare experience) are entering a highly complex, regulated space that is rife with sensitive information and bogged down by HIPAA compliance requirements that even the smartest folks in the room have trouble getting their heads around.

This shift in business strategy can get players with limited healthcare experience in over their heads, especially when it comes to security. In June, one of the nation’s largest grocers, Kroger, which operates more than 215 clinics and 2,000 pharmacies, reported a breach to the U.S. Department of Health and Human Services. The report it filed disclosed a hacking incident involving a network server that impacted nearly 11,000 patients.

With retailers trying to increase their footprint in the business of healthcare delivery, Kroger’s latest breach indicates that this could be just the tip of the iceberg and that there is a pressing need for retailers to be better equipped at navigating and adhering to tighter security requirements to protect patient data. This isn’t the run-of-the-mill data they’re used to (i.e. supply chain, pricing), and enforcement by regulators always looms when there are missteps.

And Then There is HIPAA

While a retailer may think of itself as a grocer or an electronics store, this all changes when it starts seeing patients, taking insurance payments and prescribing for or treating patients. This now makes it what the Health Insurance Portability and Accountability Act of 1996 (HIPAA) calls a covered entity that handles protected health information (PHI). Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. Covered entities like doctor's offices, dental offices, clinics, psychologists, nursing homes, pharmacies, hospitals or home healthcare agencies represent many of the areas that retailers want to become involved in.

How does HIPAA regulate? While the Privacy Rule sets the standard for who may access protected health information (PHI), the Security Rule sets the standards for ensuring that only those who should have access to PHI actually have access.

The HIPAA Privacy Rule clearly delineates how covered entities and business associates can use or disclose PHI. It also defines a patient’s rights with respect to issues including notices of privacy rights, access to health information and requests for restrictions on uses and disclosures and communications of their PHI.

The Security Rule established national standards for how electronic PHI must be stored or maintained by covered entities and business associates. It mandates the use of policies and procedures, as well as the implementation of appropriate administrative, physical and technical safeguards, to ensure the security of PHI.

Retail health clinics are likely to store and maintain PHI and may also transmit PHI to patients’ primary care physicians or specialists. For these very reasons, retail health clinics should be sure that they maintain and distribute to patients a Notice of Privacy Practices, and that they obtain patient authorizations when necessary. Retail health clinics should also be aware of and knowledgeable about state laws on patient privacy and confidentiality, as state laws take precedence over HIPAA if they are more stringent or offer more privacy protection than HIPAA does.

If a breach occurs or compliance is lacking, be ready for tough questions and potentially steep fines. Historically, the Department of Health and Human Services and the Office for Civil Rights have always talked about “making examples” of leaders in the sector. That has not changed, and I believe if there is a major breach that could have been prevented, there will be an opportunity for regulators to make a point that just because you’re a big retailer who may not be as privy to all the privacy or security issues that come along with the healthcare business doesn’t mean you’ll be able to get away with a slap on the wrist.

You’re in the Healthcare Business Now. What’s Next for IT and Security Teams?

If HIPAA is unfamiliar to the IT and security teams of traditional retailers, they will have a steep learning curve. Healthcare data is among the most regulated data there is. I’d suggest that anyone who is now responsible for PHI and ePHI get a crash course in HIPAA (both the Privacy Rule and the Security Rule).

After a crash course on all things HIPAA, bring in experts with healthcare experience to assess your people, processes and technology around privacy, security and compliance. There are a lot of nuances, and if you are new to the space, there will be well-intended but less-than-optimal decisions made.

Additionally, network segmentation is critical as the existing business data stream should be completely separate from the healthcare side. It’s crucial to find a way to segregate access to the protected data and build the firewalls (legal and network), technical controls, training and sanctions for employees on both sides to adequately manage access according to the protocols needed in healthcare.

Training employees on security and privacy is an investment that should be prioritized. Healthcare is a particularly attractive industry for hackers because of how valuable the data is on the black market. There is basic security training (passwords, phishing, social engineering) but attacks are constantly pivoting or being personalized and targeted. It must start with onboarding - particularly if you are entering a new, highly regulated sector - but training has to be ongoing as the threats change and attack surface shifts. 

Finally, there are myriad state privacy laws that also come into play for both “customers” and “patients”. Many of these retailers work across state lines, and as many providers have learned, it can be very difficult to develop a single approach (often based on the most stringent state) that works everywhere. I recommend working closely with your legal team to determine how to manage compliance with the diverse regulations each state requires.

Security becomes tricky in healthcare around workflows as well as the use and classification of data. Retailers who are embarking on healthcare delivery will need to understand how their customers become patients, how the patient (and their data) flows through that clinical practice, and then, ultimately, how the patient will become a customer. They will also need to understand what data is protected, who should have access to it and how it can be used.
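The segmentation advice above (keep the retail data stream separate from the healthcare side, and manage access according to what data is protected and who may use it) can be expressed as a default-deny access policy. The following is an added example, not code from the article or from any retailer; the roles, zones, data classes and requests are all constructed for illustration, and the audit log models the audit-control expectation of the Security Rule.

```python
from dataclasses import dataclass
from enum import Enum

class DataClass(Enum):
    RETAIL = "retail"   # pricing, supply chain, loyalty data
    PHI = "phi"         # clinic notes, prescriptions, claims

class Zone(Enum):
    RETAIL = "retail"       # existing business network segment
    CLINICAL = "clinical"   # segregated healthcare segment

# Hypothetical roles: each lives on one side of the segment boundary and may
# read only the listed data classes (the "minimum necessary" idea).
ROLE_POLICY = {
    "merchandising_analyst": (Zone.RETAIL, {DataClass.RETAIL}),
    "clinic_nurse": (Zone.CLINICAL, {DataClass.PHI}),
    "pharmacist": (Zone.CLINICAL, {DataClass.PHI, DataClass.RETAIL}),
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    source_zone: Zone       # network segment the request arrived from
    data_class: DataClass
    record_id: str

def evaluate(req: AccessRequest, audit_log: list) -> bool:
    """Allow only if the role's home zone matches the request's source zone and
    the role may read that data class. Every decision is appended to audit_log;
    anything not explicitly permitted is denied."""
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        allowed, reason = False, "unknown role"
    elif req.source_zone != policy[0]:
        allowed, reason = False, "crossed retail/clinical segment boundary"
    elif req.data_class not in policy[1]:
        allowed, reason = False, f"role may not read {req.data_class.value}"
    else:
        allowed, reason = True, "permitted"
    audit_log.append({"user": req.user, "role": req.role, "zone": req.source_zone.value,
                      "data": req.data_class.value, "record": req.record_id,
                      "allowed": allowed, "reason": reason})
    return allowed

if __name__ == "__main__":
    log = []
    # Constructed requests: a nurse inside the clinic segment, then a retail analyst
    # asking for the same prescription record from the retail segment.
    print(evaluate(AccessRequest("nurse01", "clinic_nurse", Zone.CLINICAL, DataClass.PHI, "rx-1001"), log))
    print(evaluate(AccessRequest("analyst7", "merchandising_analyst", Zone.RETAIL, DataClass.PHI, "rx-1001"), log))
    for entry in log:
        print(entry)
```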

As CISOs in healthcare have learned, the place to start is taking a deep dive into the business of healthcare to learn how and where security and privacy risks are created; only then can you start to figure out the best way to mitigate or eliminate them.

While healthcare offers retailers the promise of new revenue streams, new customers and competitive advantage, it is not for the faint-hearted and not something retailers can simply dabble in. For serious retailers, it will be important for their CISOs and CIOs, and their IT and compliance teams, to do the extra work to ensure sensitive patient data is protected and secure, or risk losing the trust of customers turned patients.

About the author: David Finn is Executive Vice President, Strategic Innovation of CynergisTek, a leading healthcare security and privacy company, and a former hospital CIO.