Outlook on Data Privacy and Security in 2013
Guest post by: Drew Gantt, Partner, Cooley LLP.
As 2013 gets underway, we are in the midst of a health information revolution. As many healthcare providers continue to struggle to implement electronic health record systems and meet meaningful use requirements, the promises of this revolution may seem distant, even non-existent. Indeed, many providers rightly complain that implementing EHR systems has only brought increased expense and declining productivity as they adjust to the new systems. The promises of interoperability, better outcomes, reduced medical errors and lower costs in many cases have not yet been realized.
For others, the promised benefits of electronic health information may be closer at hand. For example, The Wall Street Journal recently reported that two big names in healthcare – UnitedHealth Group, Inc. and Mayo Clinic – will form a new research company to mine de-identified health data from millions of health claims and medical records to identify best practices. This seemingly reflects a realization of one of the touted benefits of electronic health information – to change the way healthcare is provided and to reduce costs by analyzing health outcomes information.
Notwithstanding the electronic growing pains within certain quarters of the provider community, digital health is flourishing and driving the health information revolution. While the provider and payor communities were formerly the sole source of health information, consumer demand for digital health and control over health information is moving the center of the health information universe more toward individuals (the new paradigm) and away from providers and payors (the old paradigm). Both patients and providers report increased use of the Internet to diagnose medical conditions. Digital health services provided via the Internet, smart phones, cable, Bluetooth-enabled devices and other wireless technologies are putting health information at consumers’ fingertips and unlocking it from the confines of providers and payors.
Consumers want their devices to do more, and make health information and services available to them as easily as they may use their phones to search for a restaurant. Smart phone chip manufacturer Qualcomm has established a $10 million prize to develop a mobile medical computing device, inspired by the tricorder device from “Star Trek.” Smart phones and many medical devices now include multiple sensors that can be employed for a variety of health-related purposes and health-related sensors are increasingly being incorporated into clothing and home monitoring equipment. These activities are generating massive amounts of digital health information, facilitated by declining costs of data storage available through the cloud and other low-cost digital storage media.
While providers may no longer be relied upon as the sole source of medical information, they will continue to be relied upon for their medical judgment. Because of the exponentially increasing availability of health information, including genomics information, which is relevant to clinical decision-making, providers will have a significantly higher burden to digest and analyze this available information and manipulate it in the clinical setting. Look for increased use of and demand for data analytics tools in the clinical setting.
In the meantime, our regulatory regime for data privacy and security, including HIPAA and HITECH, is based on the old paradigm and severely inhibits the health information revolution. Ironically, HIPAA, which was intended to address privacy and security in a digital age, stands as a major impediment to digital health. It does so, in part, because it assumes that health information rightly resides with providers and payors (HIPAA-covered entities), rather than with their business associates (including many digital health companies) or consumers. Indeed, with limited exceptions, HIPAA requires that any business associate of a HIPAA-covered entity either return to the covered entity or destroy patient information where feasible when the relationship between the business associate and the covered entity ends.
That requirement effectively constrains information from easily following the consumer, a major objective and promise of the health information revolution. For example, HIPAA makes it difficult for a wellness company to continue to serve an individual if that individual changes health plans or the wellness company stops doing business with the individual’s health plan. In 2013, look for increased pressure to reform HIPAA to allow information to be more readily accessed by consumers and digital health companies. The more than 500 pages of new HIPAA Omnibus regulations that were issued on January 17, 2013, do not change this underlying assumption or effectively address the new paradigm of a patient-centered health information universe.
At the same time, increased use of mobile media by healthcare providers continues to challenge those who are responsible for protecting that health information. Theft or loss of mobile media, including smart phones, laptops, tablets and flash drives, continue to be among the largest source of data breaches, prompting the federal government recently to issue specific guidance on how to use such devices in compliance with HIPAA. (See,
This guidance recommends limiting offsite use of mobile media that may contain health information. While this position is understandable, it reflects the old paradigm view that information remains within the control of the providers and payors and ideally not leave the controlled environment of their facilities. Healthcare facilities and other companies that use mobile media containing patient information will continue to face challenges with implementing use of such devices, given the current regulatory regime.
Drew Gantt leads Cooley LLP’s Health Care and Life Sciences Regulatory Practice. Gantt is a partner in Cooley LLP’s Business Department and a member of Cooley’s Life Sciences Practice Group. His practice focuses on healthcare and life sciences regulatory counseling, complex transactions and strategic business advice.