By Deborah Hsieh, chief policy and strategy officer, Ciox Health.
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. In the 25 years since, healthcare and technology have advanced beyond what any of the original writers of HIPAA could have imagined, creating innovative new tools and mechanisms to share information and to better engage individuals in their healthcare.
Recognizing the challenges in ensuring HIPAA remains relevant for technology, business practices, and patient needs of today, the U.S. Department of Health and Human Services (HHS) released proposed updates to HIPAA’s regulations. The proposed changes include needed flexibilities to promote information sharing, but fail to ensure patient privacy protections remain relevant for the changed context, and, in fact, encourage actions that could expose patients’ healthcare data. Rather than strengthening healthcare privacy protections, the proposal creates a new pathway for non-HIPAA-covered entities to freely access and exploit patients’ healthcare data.
In the proposed rule, HHS seeks to go beyond the existing statute and regulations that ensure patients have a right to direct a covered entity to transmit an electronic copy of their protected health information (PHI) in an electronic health record (EHR) to a designated person or entity of the patient’s choice (also called a “patient directive”). HHS now proposes to create a wholly new, unprotected and unauthorized pathway enabling so-called personal health applications (third parties that meet a minimal set of criteria) to gain free access to electronic and paper-based data.
While HHS creates and encourages use of this new pathway for personal health applications, HHS is not able to regulate what these applications do. Because a personal health application “is not acting on behalf of, or at the direction of a covered entity,” it is not subject to HIPAA rules and obligations. Health data that a patient directs to a personal health application is no longer protected by HIPAA and patients are left to fend for themselves.
HHS states that personal health applications are managed and controlled by the individual; however, there is no requirement that patients be informed that their data is no longer covered by HIPAA, or what that means. Patients will lose the ability to control access to and use of their healthcare data, and may be fully unaware that third parties may use personal health applications as a backdoor to gain access to millions of patients’ private health information for their own commercial purposes.
While many third parties provide valuable insights for health and healthcare decision making, there are also commercial third parties that seek to exploit access to health data, with minimal or no understanding on the part of the patient. It seems foolhardy for HHS to encourage patients to use applications that it cannot regulate.
Meanwhile, there already exists an established pathway under HIPAA for patients to direct their information to third parties. HIPAA authorizations allow patients to control what healthcare information is shared, with whom, for what purpose, and for how long. These authorizations provide patients with much greater control and understanding of how their data will be used. Expanding the patient directive only creates more confusion and less protection over healthcare data.
Even without generous expansions of third-party access to medical record data, patients already experience challenges with third parties and the privacy of their health data. For example, a law firm had a patient complete a “patient directive” to access all of the patient’s PHI. This PHI included assault records. In accordance with what was believed to be the patient’s request, the provider sent all of the PHI to the attorney, who then shared it with opposing counsel.
During the patient’s deposition, opposing counsel questioned her on the assault records; she had no knowledge others had access to this highly sensitive information. Upon discussion with the patient as to the difference between a HIPAA authorization and patient directive, she indicated that if she knew she had an option, she would have chosen a HIPAA authorization to limit what information was released to her attorney. Unfortunately, she was not told she had a choice and her sensitive health information was shared in a public setting.
It is time for a serious conversation about updating our 25-year-old data privacy laws to ensure that health data is sufficiently protected in a digital world. Until patients have sufficient options for health data protection, we should be cautious of hasty changes.