What does high quality, trustworthy V1C look like? Explore the IMPACT Core Competencies framework to discover what good V1C looks like and how to get there.
Core Competency: Trustworthy Digital Experience
Delivers an ethical, equitable, and safe digital experience
New flows of data are enhancing our ability to care for people. As ‘digital natives,’ V1C providers rely heavily on digitized health data and digital health technologies to power the responsive, personalized, and ‘always on’ care that is a hallmark of the V1C delivery model. A trustworthy digital experience is a non-negotiable core competency of high quality virtual first care.
Although this sector is evolving rapidly and requires constant vigilance, we know what good looks like: V1C adheres to all laws applicable to healthcare delivery; companies take responsibility for protecting patients and users from the harms of theft or misuse of their sensitive health data; and providers address the barriers that prevent people from using their platforms and select technology that is fit for purpose. Exceptional V1C providers embed safe, ethical, and equitable practices by design into everything they do, from cybersecurity infrastructure and platform design to technology selection and deployment.
The digitization of healthcare and the rise of V1C promise enormous benefits, including benefits to the most under-served patients, whom our industry exists to care for. But it also introduces new risks. For example, V1C providers are now feeling the scrutiny being applied to all digital health and software interconnections after several high-profile instances of online tracking and advertising re-targeting that regulators say violated applicable privacy laws.
An ethical approach to V1C
Current legal protections for health data held by healthcare providers covered by HIPAA are sufficient. Yet not all digital health solutions are covered by HIPAA, and some that publicly claim to be HIPAA compliant have acted contrary to those claims. From the consumer's perspective, there is no visible difference between the privacy rules that apply to the app from their doctor's office and the rules that apply to a free health app they download that is not part of their doctor's office. Accordingly, data show that trust in digital health privacy is falling generally. High quality V1C providers may operate as HIPAA covered entities, comply with those standards, and commit to a culture of ethics that ensures they not only meet industry standards and comply with regulations, but take accountability for being excellent stewards of the trust that patients and partners put in them.
Taking an ethical approach to digitally-enabled virtual first care comes down to:
- Weighing the benefits and risks of developing and deploying digital solutions
- Understanding how much of a person's private information digital data can reveal, and engineering systems to avoid any uses or disclosures beyond those necessary to provide the healthcare the person sought (and to obtain reimbursement for it)
- Ensuring that the benefits outweigh the risks for all people
Protects against data breaches and other misuse of private health information, including unauthorized access to sensitive, confidential, or private information via cyber attacks
Security systems and networks that are designed appropriately have:
- Implemented a security umbrella protocol
- A software bill of materials (SBOM) and coordinated vulnerability disclosure (CVD) policy
Security systems and networks that are appropriately maintained:
- Follow standard procedures for routine security audits, testing, and access review
- Install security updates promptly, through a secure and agile update process
- Provide continual security education and training for all users, clinical and non-clinical
- Adopt and implement industry standards such as those published by NIST or ISO
Data on all digital tools and technologies is encrypted at rest and in transit
- Encryption is applied automatically
Regularly audit compliance with applicable regulatory requirements and industry standards
Emerging Gold Standard Practices
Invest in independent verification and validation of security controls, e.g., cybersecurity certifications such as SOC 2 Type 2 audits and/or HITRUST.
Engage a third-party security firm to audit, test security, prove system resiliency, and remove avoidable bias from penetration and vulnerability testing
Proactively plan for breaches: documented and tested incident-response steps, prepared before an event occurs, improve risk management and limit the impact of a security incident
Data Security: extra resources for ethical practice
- Your Health Data is for Sale: podcast in which health privacy expert Lucia Savage outlines best data practices in the digital era of healthcare
Protects against data misuse, including:
- Selling legitimately collected data beyond its intended purpose without appropriate transparency and consent from patients.
- Using data for purposes outside internal quality and performance improvement, such as targeted marketing and advertisements, research and development outside of IRB oversight, or access for data brokers without transparency and consent
Adheres to applicable regulatory requirements and industry standards; uses appropriate mechanisms (e.g., Business Associate Agreements (BAA)) when sharing data with partner organizations outside of treatment, payment, and health care operations (TPO).
Provides user-centric contracts including: terms of service (ToS), end-user license agreements (EULAs), and privacy policies (PPs) that govern the rights to generate, collect, monitor, analyze, and/or share user data.
- Clear and comprehensible to broad populations
- Presented proactively as part of the terms of obtaining services through the V1C
- Users can opt in or out of third-party transfer/use of their data at any time
Digital health technologies used to monitor, diagnose, and treat patients have been developed with appropriate regulatory oversight and, where the technology is subject to FDA oversight, are used according to their labeled claims
Internally developed AI/ML tools perform without unintended algorithmic bias and are free of drift
Data from digital health technology (DHT) sensors meets the ART criteria (accessible, relevant, trustworthy) and is contextualized for clinical decision-making.
- The Playbook: Digital Healthcare Edition (See AI/ML)
- Sensor Data Integrations Implementation Toolkit (See Considerations and Best Practices)
Leverages user-centered design, engaging diverse end-users in the development and testing of solutions
The technology required to use the platform doesn't unintentionally exclude or raise barriers for individuals with limited access to safe broadband, data plans, or technology literacy, and the platform has mechanisms to respond to ongoing needs for technical support
Content and support are tailored to the intended users, with consideration for language, literacy levels, physical limitations (e.g. vision and dexterity), and cultural appropriateness.
Platform requirements don’t assume the latest connectivity network (e.g. 5G) and work for all smartphone operating systems
Provides offline capabilities: important features are available in the absence of internet connectivity or with limited internet connectivity.