Legislative Revisions to Enhance Health Data Privacy

Senator Bill Cassidy (R-LA), a member of the U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee, has released a white paper, based on the responses to a request for information (RFI), that suggests revisions to the Health Insurance Portability and Accountability Act (HIPAA) to strengthen health data privacy protections and urges Congress to act to broaden privacy protections for all health information.

The white paper, entitled “Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era”, covers the following:

  • the RFI sent to healthcare sector stakeholders about the present state of HIPAA
  • the best ways to improve health data privacy
  • how to ensure that health information held by entities not covered by HIPAA is protected

New technologies in medical care and the interoperability of health information help to improve care and patients’ access to their medical data; however, new technology also increases the attack surface, and broader access can quickly lead to more opportunities for improper data sharing and attacks by threat actors. Sen. Cassidy notes that 137 countries have now enacted data privacy laws, but the United States has not. In the absence of national data privacy legislation, 13 states have enacted their own data privacy laws. Although all types of personal information must be protected, there is an urgent need to act on health data privacy in particular because of the sensitivity of health information, the value of that information to cyber actors, and the growing number of cyberattacks on healthcare providers aimed at gaining access to health information.

Based on the responses to the RFI, Sen. Cassidy has included several recommendations in the white paper for legislative action to enhance health information privacy, including revisions to HIPAA, steps to safeguard health information that falls into the “HIPAA gray area”, and protections for health information that is not currently governed by the HIPAA regulations. Sen. Cassidy stated that HIPAA is a health data privacy framework that balances protecting patient privacy with enabling the sharing of health data for purposes such as improving care and supporting clinical research; however, HIPAA needs to be updated to address a more technologically advanced and digital healthcare environment. There is no need for a major rewrite of HIPAA, only targeted updates and clarifications to make certain that HIPAA works as intended.

Enhance Safety for All Healthcare Information

One concern raised in response to the RFI is the differing treatment of certain types of health information: for example, records associated with substance use disorder are regulated by the Part 2 rules, and the proposed changes to the HIPAA Privacy Rule would treat reproductive health information differently from other types of health information. Sen. Cassidy says this can cause doubt and confusion, and the unwarranted withholding of health data from providers that need it. The CARES Act of 2020 directed HHS to better harmonize HIPAA and the Part 2 rules in order to reduce the regulatory burden on entities that must comply with both regulations. Given the problems that arise from rules addressing particular data types, Sen. Cassidy recommends that privacy protections instead be strengthened for all types of health information.

Guidance Needed on the HIPAA Minimum Necessary Standard

The HIPAA minimum necessary standard, which requires disclosures of PHI to be limited to the minimum information necessary to fulfill a request, is one of HIPAA’s most important safeguards. While this standard was easy to follow when physical documents were shared by printing or faxing, there are technical difficulties when information is shared digitally. It is difficult to separate certain types of information in electronic health records so that the same redactions can be applied, and the result is under-sharing of information out of fear of HIPAA violations from over-sharing. Congress should direct the HHS Office for Civil Rights (OCR) to issue clear guidance on implementing the minimum necessary standard in a way that aligns with other regulatory standards, such as the health data system interoperability standards under the 21st Century Cures Act. This would help to balance safeguarding against unnecessary sharing of PHI with assuring stakeholders that data can be shared to improve patient care.

Address Uncertainty in the HIPAA Right of Access Third Party Directive

The HIPAA Right of Access gives patients the right to obtain a copy of their health information within 30 days of a request, for no more than a fair, cost-based fee. The HITECH Act of 2009 amended the HIPAA Right of Access to permit patients, with their written consent, to direct covered entities to transmit their records to third parties; such third-party requests are not subject to the fair, cost-based fee limits that apply to requests from individuals. About 80% of covered entities partner with specialized release of information (ROI) service providers to fulfill these requests, relieving them of the burden and cost of providing those services themselves.

Sen. Cassidy noted that fraudulent and abusive actors exploit the medical records request process. They trick patients into signing lengthy forms that allow them to pose as the patient, promising payouts from medical malpractice suits. Although these actors are not genuinely acting on behalf of the patient, they pay only the low patient rate. In 2020, the ROI company CIOX Health filed a lawsuit against HHS over this issue, stating that these fraudulent requests were billed at the low patient rate and were costing the business over $10 million annually. If these organizations decide that it is not financially viable to provide these records-related services, health systems and health plans may be forced to fulfill these requests themselves, at an estimated cost of over $1 billion every year. Sen. Cassidy called on Congress to act and define which requests qualify for the patient rate.

Congress Must Clarify How Patient Data May Be Used for Research

Researchers can generally use patients’ health data for research without being subject to the HIPAA Privacy Rule, so long as the health information is de-identified, that is, stripped of all identifiers that link the data to the individual. Artificial intelligence (AI) tools are being trained to de-identify health information, and stakeholders have raised concerns that the datasets used to train AI tools may undermine patients’ control and autonomy over how their health information is used.

Sen. Cassidy recommends that Congress examine whether the current exemptions allowing de-identified information to be used for research should take into account a patient’s ability to opt in to or opt out of participation, and that the risk of re-identification be reviewed to ensure that patient information shared for research cannot be re-identified without explicit permission.

Dealing with the HIPAA Gray Area

There are significant gaps between the privacy people expect and the protections actually in place. Certain types of data are not protected by HIPAA, even though uses and disclosures of that data can have considerable privacy and health consequences for individuals. The information that falls into these gray areas includes data collected through intake services, health information that has moved outside HIPAA’s coverage, patient-generated wellness information, sensor-generated information, and genetic information obtained through direct-to-consumer services.

For instance, digital health firms may use programs that ask patients to complete forms with detailed health data so that they can be matched with companies that provide the medical services they need. These firms are gathering information that would be protected by HIPAA if it were collected by a healthcare provider, but because they are not HIPAA-covered entities, HIPAA protections do not apply.

Healthcare providers must be able to transmit patient data to the health application of a patient’s choice; however, once that data is transmitted, it is no longer protected by HIPAA. Wellness and health information gathered by wearable devices and health apps is not subject to HIPAA, yet many Americans mistakenly believe that HIPAA applies. Direct-to-consumer (DTC) businesses offering DNA analysis are not governed by HIPAA, and there is substantial concern that data brokers and other companies are purchasing genetic information, and that genetic information may be used to discriminate against people or for other nefarious purposes.

These gray areas must be resolved by Congress. Sen. Cassidy recommends that Congress provide more clarity by ensuring that HIPAA protections cover intake data, by requiring software developers to include notices that HIPAA does not apply, and by legislating appropriate notice and consent requirements and safeguards to protect individuals and meet their expectations about how their genetic information is handled.

Protecting Health Information Not Governed by HIPAA

A great deal of data with implications for personal health and privacy is collected from Americans, including geolocation information, financial information, internet searches, and biometric information. For example, internet searches can reveal a lot about a person’s health issues, geolocation information shows the places a person has visited (e.g. a reproductive health clinic), and financial data shows how much people spend at pharmacies. Large volumes of information are being gathered to build comprehensive profiles of people, and that data can be used for nearly unlimited purposes because of insufficient rules. A few states have privacy legislation covering these types of information, but this patchwork of privacy regulations is impractical. Sen. Cassidy has called on Congress to take action and says that comprehensive privacy reform is needed now.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA