Our Approach to Data: Security and Trust
It’s no secret that data security and privacy are hot topics of conversation right now. Particularly in the aftermath of the Facebook Cambridge Analytica revelation, many people are realizing they don’t understand where their personal data is stored or how it’s used.
But these sentiments have been on people’s minds for quite some time. A survey conducted by McAfee in 2017 indicated one-third of respondents think they can’t control how companies collect personal information, and 43% feel they lack control over their personal information.
This highlights the need for a trusted and clear framework to be in place for collecting, securing, and sharing data. There must be strict regulations for using individuals’ data—for purposes that are in the person’s best interest or at least transparently disclosed to the person. In the financial services industry, the Gramm-Leach-Bliley Act (GLBA) of 1999 is one example of such a framework. More recently, the General Data Protection Regulation going into effect in Europe and the California Consumer Privacy Act are impactful responses to this need for all companies collecting consumer data.
At Evive, we provide guidance to individuals based on data we receive about their current use of healthcare providers and programs. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 provide that needed framework for health-related information.
Decades ago, the authors of HIPAA were forward-thinking in creating such regulations for data protection to enable better coordination of care—all the while ensuring confidentiality of patient information. We’ve embodied that spirit of secure data-use for meaningful results, which is why we use data to connect people with something their employers have already “paid” to them: benefits.
Transparency with data security…
There are endless websites, platforms, and apps that use consumer data. The common factors that enable this? Privacy policies, terms of service agreements, and a baseline of sensitive data safeguarding controls.
Consumers are constantly “accepting” these terms, but often aren’t aware of what they’re actually approving. However, many of them seem okay with that—perhaps the mental trade-off that often occurs is that they’re willing to give their data if they see quick value in what they’re getting in return, such as a free service.
That said, transparency is a crucial piece of what we do at Evive. We communicate up front to employers why the data will be securely used: to connect employees with their benefits and help employers maximize their benefits investment. When permission is granted to use employer and employee data, that approval goes toward helping people easily access and utilize benefits. But, of course, users have the ability to opt out at any time.
The data we receive is managed in a stringent manner. This includes undergoing consistent external audits to confirm security controls are up to date, and of course, compliance with HIPAA, HITRUST CSF, and SOC2 requirements.
The very existence of HIPAA is why we knew we could use data in a transparent and impactful way. HIPAA has allowed data sharing for the purpose of quality improvements in care for more than 20 years. This has been strictly regulated in healthcare for some time, leaving the framework and safeguards for our data usage very clear. This regulation is something our customers and their members can understand and feel secure with.
…is essential to building trust
An extension of our commitment to data security, our closed-loop system pinpoints where and how we’re making a difference in employees’ lives because of what our system learns with relevant data. For example, a user’s medical claims data might tell us she’s diabetic, which would inform our system to nudge her about a diabetes management program her employer sponsors—and we’d later see she enrolled as a result.
Or, if a user’s encounter data indicates he’s been attending physical therapy but not that he’s had an MRI, our system would remind him to compare his options if prescribed an MRI to assess both cost and quality—which we could later see he did. As those results and occurrences change, and as our system updates that information, the secure nature of that data remains the same.
Most important to note: personal employee information is never shared with their employer. This is something critical that we make clear to our customers, and it’s a pillar of our data-security and privacy protection promise. With our data continually working in a closed loop, it informs the right nudges at the right times for each person, as that person moves through different stages of life and makes different benefits choices—all the while maintaining employee confidentiality and privacy.
As we see it, privacy protection and sensitive data safeguarding to this degree are essential. By approaching data protection with transparency and trust, we feel we’re leaving a positive stamp on the data security conversation—and improving lives in measurable and meaningful ways.