HIPAA RFI Comments: Patient Privacy Rights

Deborah C. Peel
Adrian Gropper


Among other rich nations, US healthcare stands out as both exceptionally privatized and exceptionally expensive. And taken overall, we have the worst health outcomes among the Western Democracies.

On one hand, regulators are reluctant to limit private corporate action lest we reduce innovation and patient choice and promote moral hazards. On the other hand, a privatized marketplace for services requires transparency of costs and quality and a minimum of economic externalities that privatize profit and socialize costs.

For over two decades, the HIPAA law and regulations have dominated the way personal health data is used and abused to manipulate physician practice and increase costs. During these decades, digital technology has brought marvels of innovation and competition to markets as diverse as travel and publishing while healthcare technology is burning out physicians and driving patients to bankruptcy.

No regulation drives this balance between private choice and collective benefits more than HIPAA and related regulations for how personal health data is used by the institutions that make up the US healthcare system. Increased consolidation by corporate “providers” and private “payers” has pushed the citizens’ voice further and further away from the regulators through regulatory capture.

According to Wikipedia, “Regulatory capture is a form of government failure which occurs when a regulatory agency, created to act in the public interest, instead advances the commercial or political concerns of special interest groups that dominate the industry or sector it is charged with regulating.”

The special interest groups, typically categorized as “stakeholders”, in privacy regulations are now doubling down on manipulating HIPAA and related statutes that control the flow of personal data to further reduce transparency of how personal data is used and its relationship to costs and socialized externalities. A detailed analysis of the patient perspective on the proposed RFI can be found here. However, it’s also possible to respond to the RFI in terms of socialized externalities.

In his remarks to the AcademyHealth Conference on Feb 4, 2019, Secretary Azar said, “Channeling transparency through consumer-facing technology is an important theme of our work to empower patients through health IT.” Azar pointed to numerous other aspects of transparency that the administration is promoting. Many of the questions in the HIPAA RFI suggest the opposite of transparency and patient-facing technology.

Our specific suggestions below are aligned with the Secretary’s vision. We believe it’s time to enforce HIPAA’s key protections for patients: the right to copies of all personal health data sets, and the right to Accounting for Disclosures.

Each of the five categories in the current HIPAA RFI can be explained as an attack on transparency

Here is how most of the changes to HIPAA being considered would reduce transparency and what government could do to improve the patient’s chances of navigating a system increasingly designed to manipulate them and extract maximum profit.

Sharing information between doctors

The most important way to ensure care coordination without strategic manipulation is to empower the patient to share her data, all of her data, instantly and without cost. This simple strategy would enable more competition among services, enable a new class of patient-centered services, and allow patients to delegate access to surrogates and service providers that will help them navigate a complex healthcare system. Possibly most important, making patient-directed sharing between doctors the baseline will give doctors consented access to sensitive data such as behavioral health and to social determinants of health without endangering the privacy of the individual by bringing these non-HIPAA sources under the unconsented TPO HIPAA domain.

By empowering patients to direct sharing between doctors, current laws and practices around sensitive data, clearing houses and other business associates, research and public health uses could be retained. We do not need to weaken current privacy protections before we empower patients with maximum transparency and control. We should revisit some of the calls to bypass patient consent only after patient control has been established as a baseline.

Patients should be given a private right of action if patient-directed access by anyone is denied. In an increasingly information-driven system, information blocking should be malpractice and actionable as such.

Every patient’s clinician should know that if they want any kind of information, just ask.

Sharing substance use and mental health information with friends and family

Any changes to the sharing of substance use and mental health information should be driven by carefully scrutinized evidence and deference to individual clinicians who are already subject to professional and malpractice oversight. Turning a public health emergency into an excuse to share information without consent or involvement of a treating clinician is likely to do more harm than good in a situation where trust is a major therapeutic factor. As of 2016, 89 percent of patients withheld information from providers due to lack of trust in health IT and those using it.

From a patient’s perspective, unconsented sharing is just another thing to worry about. From a systemic perspective, unconsented sharing just furthers lack of transparency. Clinicians already have the power and the training to release patient information. Let’s improve clinician training around current regulations while allowing them to lead in the gathering of evidence on how to improve.

Accounting of Disclosures

Accounting of Disclosures is the most blatant example of regulatory capture and an assault by institutional interests on transparency. More than four decades since the introduction of computerized patient records, hospitals and vendors still claim to be unable to do what banks have done since day one.

As we introduce artificial intelligence, machine-assisted decision support, electronic prior authorization, complex billing practices, and other potential sources of bias in clinical services, patients don’t stand much of a chance if the use of their data is hidden.

As we seek to continue a privatized and profit-driven system, Accounting for Disclosures must be strengthened and strictly enforced. Patients should be empowered to select and hire auditors of their disclosures that can bring confusing billing practices and bias to light. Here too, a private right of action would give patients a fair chance.

Notice of Privacy Practices

To promote transparency, the NPP must be standardized and then used to inform the patient of the password or other credentials to be used for directed information sharing among their clinicians. Requiring use of a model NPP is a good start but can still be too confusing. There is little if any evidence that enabling covered entities to wordsmith or innovate around the NPP serves any patient choice, service improvement, or privacy purpose. NPPs should be treated the way we treat nutrition labels on food, to consistently inform the patient of the information ‘ingredients’ and services they are about to engage with. A standardized NPP would enhance competition in our privatized marketplace just like a standardized nutrition label does.

The NPP is the ideal vehicle and process to inform patients of their information access and directed information sharing credentials. Like the current NPP, these credentials can be issued administratively at the time of registration and can be standardized to facilitate patient-directed information sharing as we advocated in our comment to section A.

Furthermore, the signature “burden” issues would be moot if the NPP includes issuance of digital access credentials.

HIPAA “burdens” that prevent policy goals around Value-Based Care

Value-Based Care must be patient-centered, lest it become simply a vehicle for rationing. The current design and state of enforcement of HIPAA rules is overwhelmingly centered on relieving burdens and costs for institutions, rather than enforcement of patients’ rights to copies of personal health data and to understand how their data are used and disclosed. The hospitals and their vendors interpret and apply HIPAA strategically to reduce patient choice as a means to achieve value-based care. This is a false compromise and counterproductive to actually achieving the goal of value-based care.

Value is a combination of outcomes and cost. Unless we strengthen and aggressively enforce the transparency provisions of HIPAA to enable patients to enlist market forces through portability, substitutability, and cost-effective ways to hire auditors and navigators of their healthcare journey, value-based care will seem coercive and discrepancies in access will worsen. Value-based care in a privatized system must be centered on the patient by restoring patient access to health data and agency, otherwise patients and our economy would be better served by moving to a single-payer design that negotiates value through bureaucracy and brings US administrative costs in line with other rich economies.

Regulators can start by considering how HIPAA and patient-directed sharing can be used to create a patient-centered longitudinal health record.

In summary, Patient Privacy Rights points out the systemic tendency toward regulatory capture and recommends strengthening enforcement of all patient-centered aspects of the current HIPAA law including: (a) patient-directed information sharing between doctors, (b) education of clinicians around their power to share with family members, (c) strict enforcement and patient-directed auditing of accounting of disclosures, (d) standardized notice of privacy practices linked to the issuance of patient access and control credentials, and (e) promoting patient-centered value-based care by using HIPAA to enable a patient-centered longitudinal health record.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country.

Deborah C. Peel, MD, is the Founder and President of Patient Privacy Rights.

This post originally appeared here on Bill of Health at Harvard Law School.


  1. Medcurity has been really impressive for the annual security risk analysis. Good final reports and dashboards that show progress through the year.

  2. “taken overall, we have the worst health outcomes among the Western Democracies.”

    What does that statement even mean? This becomes particularly questionable when the term outcomes is used in this context. As one example demonstrates, the CONCORD study, the US does pretty well. (I don’t want this to seem as if I am disagreeing with your subject matter, HIPAA or what you say about regulatory capture.)

  3. In the last 200 years, we have lost an awareness of the essential drivers for maintaining the RESILIENCE of a person’s health. Beginning with the scientific knowledge of anesthesia and contagion, a person’s healthcare steadily moved out of their home into an institution offering transient encounters with persons who, increasingly, have little connection with the Family Traditions of the person. Furthermore, the maintenance of these Family Traditions has steadily been lost since it is no longer originating consistently from within the person’s Extended Family and Community. Three recent studies say it all, if we are able to listen.

    Family Mealtimes prevent childhood obesity https://doi:10.1001/jamanetworkopen.2018.5217

    Perinatally formed maternal social relationships predict cognitive development at 2 years of age

    Youth-Nominated Support Team reduces subsequent mortality after a suicide gesture by 6.6:1 during an 11-14 year follow-up

    The institutional codependency that characterizes the paradigm paralysis of our nation’s healthcare needs careful attention, as noted by Dr. Peel and Dr. Gropper. But, the upstream changes in population health are largely beyond the arenas of resources, knowledge and human dignity that operate as the basis for healthcare. Meanwhile, worsening maternal mortality, childhood obesity, adolescent suicide/homicide, substance abuse mortality, homelessness, mid-life depression/disability, and declining longevity at birth are crying out for our attention. Our nation’s health spending and its Federal obligation represent more than 50% of our nation’s annual deficit.

    Are we really ready to LISTEN? How would anybody really know? As a basis to listen, I offer a definition for SOCIAL CAPITAL.

    a community’s norms of Trust, Cooperation and Reciprocity that
    its citizens are more likely to apply for resolving the social dilemmas
    they encounter daily within their community’s Municipal Life
    WHEN Caring Relationships increasingly permeate
    the social networks of the community’s citizens,
    especially the generational Caring Relationships occurring within the
    Extended Family and Micro-neighborhood Networks of each person’s Family.

    That’s right, “generational.”