By Deborah Hsieh, chief policy and strategy officer, Ciox Health.
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. In the 25 years since, healthcare and technology have advanced beyond what any of the original writers of HIPAA could have imagined, creating innovative new tools and mechanisms to share information and to better engage individuals in their healthcare.
Recognizing the challenges in ensuring HIPAA remains relevant for technology, business practices, and patient needs of today, the U.S. Department of Health and Human Services (HHS) released proposed updates to HIPAA’s regulations. The proposed changes include needed flexibilities to promote information sharing, but fail to ensure patient privacy protections remain relevant for the changed context, and, in fact, encourage actions that could expose patients’ healthcare data. Rather than strengthening healthcare privacy protections, the proposal creates a new pathway for non-HIPAA-covered entities to freely access and exploit patients’ healthcare data.
In the proposed rule, HHS seeks to go beyond the existing statute and regulations that ensure patients have a right to direct a covered entity to transmit an electronic copy of their protected health information (PHI) in an electronic health record (EHR) to a designated person or entity of the patient’s choice (also called a “patient directive”). HHS now proposes to create a wholly new, unprotected and unauthorized pathway enabling so-called personal health applications, third parties that meet a minimal set of criteria, to gain free access to electronic and paper-based data.
While HHS creates and encourages use of this new pathway for personal health applications, HHS is not able to regulate what these applications do. Because a personal health application “is not acting on behalf of, or at the direction of a covered entity,” it is not subject to HIPAA rules and obligations. Health data that a patient directs to a personal health application is no longer protected by HIPAA, and patients are left to fend for themselves.
HHS states that personal health applications are managed and controlled by the individual; however, there is no requirement that patients be informed that their data is no longer covered by HIPAA, or what that means. Patients will lose their ability to control access to and use of their healthcare data, and may be fully unaware that third parties may use personal health applications as a backdoor to gain access to millions of patients’ private health information for their own commercial purposes.