Tag: HIPAA

Getting Ahead of Privacy and the CCPA – Healthcare Needs to Move Beyond HIPAA

By DAN LINTON

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Privacy concerns are on the rise. Over the last couple of years, survey after survey has clearly shown a dramatic rise in overall consumer privacy awareness and concern – driven primarily by the never-ending litany of data breaches that make the news.

The healthcare industry has been somewhat shielded from this, seemingly due to the trust that patients extend to their doctors and, by proxy, the organizations they work with. HITECH and HIPAA legislation have acted as a perceived layer of safety and protection.

But healthcare is not immune from privacy issues.

Most people aren’t even aware of the hundreds of data breaches of unsecured health information in the last 24 months which are being investigated by the U.S. Department of Health & Human Services Office for Civil Rights. In fact, research indicates that consumers still trust healthcare organizations with their data more so than many other industries.

But for how much longer?


Healthcare in the National Privacy Law Debate

This article originally appeared in the American Bar Association’s Health eSource here.

By KIRK NAHRA

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Congress is debating whether to enact a national privacy law. Such a law would upend the approach that has been taken so far in connection with privacy law in the United States, which has either been sector specific (healthcare, financial services, education) or has addressed specific practices (telemarketing, email marketing, data gathering from children). The United States does not, today, have a national privacy law. Pressure from the European Union’s General Data Protection Regulation (GDPR) [1] and from California, through the California Consumer Privacy Act (CCPA) [2], is driving some of this national debate.

The conventional wisdom is that, while the United States is moving towards this legislation, there is still a long way to go.  Part of this debate is a significant disagreement about many of the core provisions of what would go into this law, including (but clearly not limited to) how to treat healthcare — either as a category of data or as an industry.

So far, healthcare data may not be getting enough attention in the debate, driven (in part) by the sense of many that healthcare privacy already has been addressed. Due to the odd legislative history of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [3], however, we are seeing the implications of a law that (1) was driven by considerations not involving privacy and security, and (2) reflected a concept of an industry that no longer reflects how the healthcare system works today. Accordingly, there is a growing volume of “non-HIPAA health data” across enormous segments of the economy, and with it the challenge of figuring out how to address concerns about this data in a system where there is no specific regulation of it today.


Health Data Outside HIPAA: Simply Extending HIPAA Would Be a #FAIL


By DEVEN McGRAW and VINCE KURAITIS

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Early in 2019 the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) proposed rules intended to achieve “interoperability” of health information.

Among other things, these proposed rules would put more data in the hands of patients – in most cases, acting through apps or other online platforms or services the patients hire to collect and manage data on their behalf. Apps engaged by patients are not likely covered by federal privacy and security protections under the Health Insurance Portability and Accountability Act (HIPAA) — consequently, some have called on policymakers to extend HIPAA to cover these apps, a step that would require action from Congress.

In this post we point out why extending HIPAA is not a viable solution and would potentially undermine the purpose of enhancing patients’ ability to access their data more seamlessly:  to give them agency over health information, thereby empowering them to use it and share it to meet their needs.


The Intrusion of Big Tech into Healthcare Threatens Patients’ Rights

By ANDREW DORSCH, MD

The question of how much time I spend in front of the screen has pestered me professionally and personally. 

A recent topic of conversation among parents at my children’s preschool has been how much screen time my toddlers’ brains can handle. It was spurred on by a study in JAMA Pediatrics that evaluated the association between screen time and brain structure in toddlers. The study reported that those children who spent more time with electronic devices had lower measures of organization in brain pathways involved in language and reading.

As a neurologist, these findings worry me, for my children and for myself. I wonder if I’m changing the structure of my brain for the worse as a result of prolonged time spent in front of a computer completing medical documentation. I think that, without the move to electronic medical records, I might be in better stead — in more ways than one. Not only is using them potentially affecting my brain, they pose a danger to my patients, too, in that they threaten their privacy. 

As any practicing physician can tell you, electronic medical records represent a Pyrrhic victory of sorts. They present a tangible benefit in that medical documentation is now legible and information from different institutions can be obtained with the click of a button — compared to the method of decades past, in which a doctor hand-wrote notes in a paper chart — but there’s also a downside. 


Patient-Directed Uses vs. The Platform

By ADRIAN GROPPER, MD

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

It’s 2023. Alice, a patient at Ascension Seton Medical Center Austin, decides to get a second opinion at Mayo Clinic. She’s heard great things about Mayo’s collaboration with Google that everyone calls “The Platform”. Alice is worried, and hoping Mayo’s version of Dr. Google says something more than Ascension’s version of Dr. Google. Is her Ascension doctor also using The Platform?

Alice makes an appointment in the breast cancer practice using the Mayo patient portal. Mayo asks permission to access her health records. Alice is offered two choices: one uses HIPAA without her consent, the other is under her control. Her choice is:

  • Enter her demographics and insurance info and have The Platform use HIPAA surveillance to gather her records wherever Mayo can find them, or
  • Alice copies her Mayo Clinic ID and enters it into the patient portal of any hospital, lab, or payer to request her records be sent directly to Mayo.

Alice feels vulnerable. What other information will The Platform gather using their HIPAA surveillance power? She recalls a 2020 law that expanded HIPAA to allow access to her behavioral health records at Austin Rehab.

Alice prefers to avoid HIPAA surprises and picks the patient-directed choice. She enters her Mayo Clinic ID into Ascension’s patient portal. Unfortunately, Ascension is using the CARIN Alliance code of conduct and best practices. Ascension tells Alice that they will not honor her request to send records directly to Mayo. Ascension tells Alice that she must use the Apple Health platform or some other intermediary app to get her records if she wants control.  


ACCESS Act Points the Way to a Post-HIPAA World

By ADRIAN GROPPER, MD

The Oct. 22 announcement starts with: “U.S. Sens. Mark R. Warner (D-VA), Josh Hawley (R-MO) and Richard Blumenthal (D-CT) will introduce the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, bipartisan legislation that will encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.”

Although the scope of this bill is limited to the largest of the data brokers (messaging, multimedia sharing, and social networking) that currently mediate between us as individuals, it contains groundbreaking provisions for delegation by users that are a road map to privacy regulations in general for the 21st Century.

The bill’s Section 5: Delegation describes a new right for us as data subjects at the mercy of the institutions we are effectively forced to use. This is the right to choose and delegate authority to a third-party agent that can manage interactions with the institutions on our behalf. The third-party agent can be anyone we choose subject to their registration with the Federal Trade Commission. This right to digital representation by an entity of our choice with access to the full range of our direct control capabilities is unprecedented, as far as I know.


Patient Controlled Health Data: Balancing Regulated Protections with Patient Autonomy

By KENNETH D. MANDL, MD, MPH, DAN GOTTLIEB, MPA, and JOSHUA MANDEL, MD

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

A patient can, under the Health Insurance Portability and Accountability Act (HIPAA), request a copy of her medical records in a “form and format” of her choice “if it is readily producible.” However, patient advocates have long complained about a process which is onerous, inefficient, at times expensive, and almost always on paper. The patient-driven healthcare movement advocates for turnkey electronic provisioning of medical record data to improve care and accelerate cures.

There is recent progress. The 21st Century Cures Act requires that certified health information technology provide access to all data elements of a patient’s record, via published digital connection points, known as application programming interfaces (APIs), that enable healthcare information “to be accessed, exchanged, and used without special effort.” The Office of the National Coordinator of Health Information Technology (ONC) has proposed a rule that will facilitate a standard way for any patient to connect an app of her choice to her provider’s electronic health record (EHR). With these easily added or deleted (“substitutable”) apps, she should be able to obtain a copy of her data, share it with health care providers and apps that help her make decisions and navigate her care journeys, or contribute data to research. Because the rule mandates the “SMART on FHIR” API (an open standard for launching apps now part of the Fast Healthcare Interoperability Resources ANSI Standard), these apps will run anywhere in the health system.

Apple recently advanced an apps-based information economy, by connecting its native “Health app” via SMART on FHIR, to hundreds of health systems, so patients can download copies of their data to their iPhones. The impending rule will no doubt spark the development of a substantial number of additional apps.

Policymakers are grappling with concerns that data crossing the API and leaving a HIPAA covered entity are no longer governed by HIPAA. Instead, consumer apps and the data therein fall under oversight of the Federal Trade Commission (FTC). When a patient obtains her data via an app, she will likely have agreed to the terms and the privacy policy for that app, or at least clicked through an agreement no matter how lengthy or opaque the language.  For commercial apps in particular, these are often poorly protective. As with consumer behavior in the non-healthcare apps and services marketplace, we expect that many patients will broadly share their data with apps, unwittingly giving up control over the uses of those data by third parties.


Protecting Health Data Outside of HIPAA: Will the Protecting Personal Health Data Act Tame the Wild West?


By DEVEN McGRAW and VINCE KURAITIS

This post is part of the series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”

Introduction

In our previous post, we described the “Wild West of Unprotected Health Data.” Will the cavalry arrive to protect the vast quantities of your personal health data that are broadly unprotected from sharing and use by third parties?

Congress is seriously considering legislation to better protect the privacy of consumers’ personal data, given the patchwork of existing privacy protections. For the most part, the bills, while they may cover some health data, are not focused just on health data – with one exception: the “Protecting Personal Health Data Act” (S.1842), introduced by Senators Klobuchar and Murkowski. 

In this series, we committed to looking across all of the various privacy bills pending in Congress and identifying trends, commonalities, and differences in their approaches. But we think this bill, because of its exclusive health focus, deserves its own post. Concerns about health privacy outside of HIPAA are receiving increased attention in light of the push for interoperability, which makes this bill both timely and potentially worthy of your attention.

HHS and ONC recently issued a Notice of Proposed Rulemaking (NPRM) to Improve the Interoperability of Health Information. This proposed rule has received over 2,000 comments, many of which raised significant issues about how the rule potentially conflicts with patient and provider needs for data privacy and security.

For example, greater interoperability with patients means that even more medical and claims data will flow outside of HIPAA to the “Wild West.” The American Medical Association noted:

“If patients access their health data—some of which could contain family history and could be sensitive—through a smartphone, they must have a clear understanding of the potential uses of that data by app developers. Most patients will not be aware of who has access to their medical information, how and why they received it, and how it is being used (for example, an app may collect or use information for its own purposes, such as an insurer using health information to limit/exclude coverage for certain services, or may sell information to clients such as to an employer or a landlord). The downstream consequences of data being used in this way may ultimately erode a patient’s privacy and willingness to disclose information to his or her physician.”


Health Data Outside HIPAA: The Wild West of Unprotected Personal Data


By VINCE KURAITIS and DEVEN McGRAW

This post is part of the series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”

“…the average patient will, in his or her lifetime, generate about 2,750 times more data related to social and environmental influences than to clinical factors”

McKinsey analysis

The McKinsey “2,750 times” statistic is a pretty good proxy for the amount of your personal health data that is NOT protected by HIPAA and currently is broadly unprotected from sharing and use by third parties.

However, there is bipartisan legislation in front of Congress that offers expanded privacy protection for your personal health data. Senators Klobuchar & Murkowski have introduced the “Protecting Personal Health Data Act” (S.1842). The Act would extend protection to much personal health data that is currently not already protected by HIPAA (the Health Insurance Portability and Accountability Act of 1996). 

In this essay, we will look in the rear-view mirror to see how HIPAA has provided substantial protections for personal clinical data — but with boundaries. We’ll also take a look out the windshield — the Wild West of unprotected health data.

Then in a separate post, we’ll describe and comment on the pending “Protecting Personal Health Data Act”.


A National Patient Identifier: Should You Care?

By ADRIAN GROPPER, MD

The rather esoteric issue of a national patient identifier has come to light as a difference between two major health care bills making their way through the House and the Senate.

The bills are linked to outrage over surprise medical bills but they have major implications over how the underlying health care costs will be controlled through competitive insurance and regulatory price-setting schemes. This Brookings comment to the Senate HELP Committee bill summarizes some of the issues.

Who Cares?

Those in favor of a national patient identifier are mostly hospitals and data brokers, along with their suppliers. More support is discussed here. The opposition is mostly on the basis of privacy and libertarian perspectives. A more general opposition discussion of the Senate bill is here.

Although obscure, national patient identifier standards can help clarify the role of government in the debate over how to reduce the unusual health care costs and disparities in the U.S. system. What follows is a brief analysis of the complexities of patient identifiers and their role relative to health records and health policy.
