Now it’s clear. On Thursday, the Office for Civil Rights, responsible for HIPAA enforcement and protecting the public, published new guidance to interpret HIPAA with respect to data blocking. The limits of the current law are now evident. In the interest of affordable health care, the Precision Medicine Initiative, and common sense, it’s time for Congress to update HIPAA. Believe it or not, HIPAA still allows hospitals and other electronic health record (EHR) systems to require paper forms before they release data under patient direction. Along with an allowed 30-day delay in access to electronic health records, this data blocking makes second opinions and price comparisons practically inaccessible. Over $30B in stimulus funds have been spent on EHRs, and it is still up to Congress to give patients full digital access to digital data.
Data blocking is the result of deliberate barriers designed into current EHRs that prevent patients from using their own data in efficient and innovative ways. It is practiced by both EHR vendors and healthcare institutions to avoid competition by favoring the services they control. As hospitals consolidate into massive “integrated delivery networks”, the business logic for data blocking becomes clear and irrefutable. Data blocking ensures the largest health delivery networks will get larger and control pricing. The bigger they are, the more data they have about each patient and the more money each patient’s data is worth to outside interests like pharmaceutical companies and data brokers. The results are ruinous healthcare costs and hidden discrimination in insurance, credit, employment, and other key life opportunities.
HIPAA ensures that our personal health data leaves EHRs and the health care system in hidden ways, because changes to HIPAA in 2002 eliminated the right to give consent before our health data could be used for routine medical transactions: treatment, payment and healthcare operations. Pretty much all of the data leaves, digitally, out of sight, because of the huge loopholes in HIPAA and the pretense that de-identification works (it doesn’t; data can easily be re-identified by data brokers as allowed under the law). “theDataMap”, a project of the Harvard School of Government, shows just some of the thousands of hidden places our data flows without consent or notice. Businesses we never heard of, like Superscripts and IMS Health Holdings, claim to have longitudinal profiles on 230 and 500 million people that they add to every day, and then sell this data to thousands of customers.
Data can also leave a hospital, pharmacy, or lab with an EHR through the front door. These are the cases where the patient is actually asked for consent or at least allowed to know who will receive their data. Our patient rights with respect to patient-directed data access are what the recent OCR guidance made clear and, under current law, they are still tied to paper and subject to 30-day delays.
Under current HIPAA regulations, data blocking will continue and worsen as more and more personal data moves to millions of hidden databases that are unknown and inaccessible to us. The reason is that our HIPAA right to control electronic data movement through the front door can be blocked by paper requests and 30-day delays. Meanwhile, hidden back-door data access and disclosures occur thousands of times every day in EHR systems. Modern technology that our taxes paid for can make the front door, our right of direct access to our own data, cheaper than the ‘back door’.
There are three ways HIPAA enables EHRs to block data from being shared: (1) healthcare “providers’” EHRs are not required to process a patient’s digitally signed electronic requests for access directly by other EHRs; (2) “providers” are allowed to block direct digital access even when technology clearly limits the risk to the single patient that is providing the direct access authorization; and (3) “providers” can impose a 30-day delay that makes the information almost useless for second opinions and price comparison.
As Congress contemplates funding of the Precision Medicine Initiative and updates to various aspects of the Affordable Care Act, data blocking under HIPAA should be at the top of the list for accomplishing the purposes those acts were designed to accomplish. Patient Privacy Rights calls for making all patient data easily digitally accessible 24/7 to all patients, and to whomever they designate under paperless personal digital “signatures”.
Adrian Gropper, MD is the CTO of Patient Privacy Rights.