As we await proposed HHS regulations on interoperability and patient access to data, and as more companies than ever before are collecting and using data to power advanced data analytics, artificial intelligence, and machine learning to improve health care quality and delivery, it is important to understand the scope and limitation of protections and the applicability of the HIPAA Privacy Rule.
Patients, providers and caregivers now have access to a wide array of devices and applications to manage and track patient health, improve treatment adherence, and better coordinate care. Large technology companies, athletic gear manufacturers, and others are entering a rapidly growing consumer health technology market. They are developing new technologies including tracking apps, wearables, and social networks that are increasingly integrated into patients’ daily lives. With an estimated 86.7 million U.S. consumers owning wearable devices by 2019, patients are generating billions of data points that provide insight into their health. Yet many of these companies are not subject to existing privacy protections under HIPAA, creating a significant gap in consumer protections.
At the same time, HHS is pushing for greater interoperability and patient access to data to address a challenge that remains widespread even after the investment of billions of federal dollars into the adoption of electronic health records. Agencies are encouraging and mandating easier availability of electronic health data, through current and anticipated CMS and ONC regulations and through a variety of government initiatives such as: 1) Blue Button and MyHealtheData; 2) incentivizing the adoption of open APIs; 3) developing new fee-for-service payment policies regarding remote monitoring and virtual care reimbursement; and 4) launching Sync for Science, a technical standard for facilitating patient-mediated data exchange for research. Consumers and companies alike seek guidance on the implications of collecting, storing, maintaining, and commercializing personal health data.
Current Regulatory Landscape
Eighteen years ago, the HIPAA Privacy and Security Rules aimed to address many concerns around “protected health information” (PHI) in health care settings that were just starting to embrace electronic data. The Privacy Rule required covered entities and their business associates to limit the use and disclosure of PHI, and to provide patients with a notice of their privacy practices, as well as access to their own information. The Security Rule required these entities to implement physical, technical, and administrative safeguards to protect electronic PHI.
These Rules, enforced by the HHS Office of Civil Rights since the law’s passage, were originally designed for traditional health care entities engaged in electronic financial and administrative health care transactions. The Privacy Rule addresses uses and disclosures of PHI by covered entities (health care organizations such as plans, clearinghouses, and care providers) and their business associates. It does not address the handling of PHI by other entities, typically referred to as “non-covered entities,” including many new consumer health technology companies (and even some healthcare providers who don’t accept insurance).
As the health care industry changes rapidly and the Federal government pushes toward increased interoperability and open APIs to facilitate patient access, it is important to balance data portability and consumer protections.
Recent public discussions about use of data by popular websites and apps have shed light on just how little most of us know about how companies are using our data. As a result, some of the top tech companies have called on Congress to implement privacy protections that would include the use and disclosure of PHI.
While many non-covered entities are transparent about their data uses, this information is contained in their privacy policies, which the vast majority of consumers simply click through without reading; or these documents are so complex or unclear that they may obfuscate how an individual’s data may be used. The lack of governance in this area poses several challenges. In 2016, HHS released a report concluding that significant gaps in regulatory oversight exist between covered and non-covered entities. Some of the challenges to the HIPAA divide include:
- Individuals may not understand when data about their health is protected by law, and when it is not. It is often unclear to both companies and consumers whether HIPAA applies to certain health data and if so, what HIPAA protection means.
- Cybersecurity may be a greater issue as data is collected by Internet of Things (IoT) devices. As more IoT devices are generating and storing health data, there may be new risks to the security of this information and limited action to mitigate these risks.
- Individuals may not have rights with respect to data outside the HIPAA context. Individual rights under HIPAA, including the right of access and amendment of data, do not carry over to data held by non-covered entities, leaving individuals with little control over data held by data holders who may not represent their interests.
- Differential protections may limit health innovation. Data holders covered by HIPAA may be less willing to share data with non-covered entities that are not subject to the same protections. This regulatory uncertainty can take significant time and resources for companies to resolve as they enter the health care space, creating a barrier to entry for smaller startups.
- HIPAA coverage may drive unanticipated market decisions. Companies that have difficulty accessing data to develop new products and services may look for creative solutions. For example, a technology company may purchase or merge with a covered entity that holds the data or a company may also offer services that involve access to a health data at a low cost in order to access the data, de-identify it, and use it for other purposes.
Addressing Confusion and Gaps
Innovators are increasingly acquiring large quantities of health information to power machine learning and algorithm development to make new products and services for the health care market. This health data is a prime target for those who wish to make money off of the data and for those that see an opportunity to threaten national security. Health care data is too fluid, and too valuable, to protect only when it resides with a particular data holder.
Should the burden of sifting through complex legal language and disclosures fall to the patient? Should there be guidelines for communicating with individuals and getting their consent? Should the federal government consider implementing baseline reasonable privacy protections that align with HIPAA and govern how non-covered entities use our health information?
Reasonable baseline of privacy protections that apply to all health information and that are easier and more reliable for innovators and patients may engender greater trust in the health technology sector. Some options are:
- Extend HIPAA to all health data. This is fraught with problems because HIPAA was not intended for all types of entities that may hold health data.
- Create new privacy rules and carve out HIPAA protected entities or data. This would increase consumer protection, but different rules would need to be harmonized.
- Impose consequences on certain uses of data. There can be legal prohibitions on certain uses of identifiable data, such as discrimination in employment, or on re-identifying de-identified data.
- Keep the status quo and let the market decide. This puts the burden on the individual, which is difficult given that privacy policies can be lengthy and complex and there may not be clear actions the individual can take to protect their data. Particularly in health care, individuals may not be in a position to freely refuse a particular service or application.
These options (other than the status quo) would require legislative changes. But, as the government is establishing policy to encourage data availability outside the HIPAA-protected environment, some baseline privacy and security protections for any entity that holds identifiable health data may be helpful. Some baseline policies or best practices could include:
- Adopt established industry practice for security protections such as multi-factor authentication and encryption of data at rest and in transit.
Additionally, any entity that holds identifiable health data – regardless of whether these companies are subject to HIPAA – could agree not to:
- Sell individuals’ health data to third parties, without individuals’ express consent after clear disclosure of company’s financial interest.
- Use individuals’ health data to discriminate against them, deny them/cause them to be ineligible for products or services (ex. housing, credit, insurance, or other financial products), or result in any unjust or prejudicial outcome.
Many of these concepts already have their roots in existing federal laws or the Fair Information Practices Principles (FIPPS). They could help build trust and they would not prevent innovation. Industry established policies can guide industry action or be relied upon or referenced by policy-makers. As more data is captured and maintained outside the traditional health care system and as health care lines blur, it may be time to ensure that the value of the individuals’ interest is considered as companies use their data.