HIPAA – The Health Care Blog (https://thehealthcareblog.com)
Everything you always wanted to know about the Health Care system. But were afraid to ask.
Feed generated Tue, 16 Apr 2024 15:42:20 +0000

If data is the new oil, there’s going to be war over it
https://thehealthcareblog.com/blog/2024/04/15/if-data-is-the-new-oil-theres-going-to-be-war-over-it/
Mon, 15 Apr 2024 07:53:00 +0000

By MATTHEW HOLT

I am dipping into two rumbling controversies that probably only data nerds and chronic care management nerds care about, but as ever they reveal quite a bit about who has power and how the truth can get obfuscated in American health care. 

This piece is about the data nerds but hopefully will help non-nerds understand why this matters. (You’ll have to wait for the one about diabetes & chronic care).

Think about data as a precious resource that drives economies, and then you’ll understand why there’s conflict.

A little history. Back in 1996 a law was passed that was supposed to make it easy to move your health insurance from employer to employer. It was called HIPAA (the first 3 letters stand for Health Insurance Portability–you didn’t know that, did you!). And no, it didn’t help make insurance portable.

The “Accountability” (the 1st A, the second one stands for “Act”) part was basically a bunch of admin simplification standards for electronic forms insurers had been asking for. A bunch of privacy legislation got jammed in there too. One part of the “privacy” idea was that you, the patient, were supposed to be able to get a copy of your health data when you asked. As Regina Holliday pointed out in her art and story (73 cents), decades later you couldn’t.

Meanwhile, over the last 30 years America’s venerable community and parochial hospitals merged into large health systems, mostly to be able to stick it to insurers and employers on price. Blake Madden put out a chart of 91 health systems with more than $1bn in revenue this week and there are about 22 with over $10bn in revenue and a bunch more above $5bn. You don’t need me to remind you that many of those systems are guilty with extreme prejudice of monopolistic price gouging, screwing over their clinicians, suing poor people, managing huge hedge funds, and paying dozens of executives like they’re playing for the soon to be ex-Oakland A’s. A few got LA Dodgers’ style money. More than 15 years since Regina picked up her paintbrush to complain about her husband Fred’s treatment and the lack of access to his records, suffice it to say that many big health systems don’t engender much in the way of trust. 

Meanwhile almost all of those systems, which already get 55-65% of their revenue from the taxpayer, received additional huge public subsidies to install electronic medical records which both pissed off their physicians and made several EMR vendors rich. One vendor, Epic Systems, became so wealthy that it has an office complex modeled after a theme park, including an 11,000 seat underground theater that looks like something from a 70’s sci-fi movie. Epic has also been criticized for monopolistic practices and related behavior, in particular limiting what its ex-employees could do and what its users could publicly complain about. Fortune’s Seth Joseph has been hammering away at them, to little avail as its software now manages 45%+ of all encounters with that number still increasing. (Northwell, Intermountain & UPMC are three huge health systems that recently tossed previous vendors to get on Epic).

Meanwhile some regulations did get passed about what was required from those who got those huge public subsidies, and they have actually had some effect. The money from the 2009 HITECH act was spent mostly in the 2011-14 period, and by the mid-2010s most hospitals and doctors had EMRs. There was a lot of talk about data exchange between providers but not much action. However, there were three major national networks set up, one mostly working with Epic and its clients called Carequality. Epic meanwhile had pretty successfully set up a client-to-client exchange called Care Everywhere (remember that).

Then, mostly driven by Joe Biden when he was VP, in 2016 Congress passed the 21st Century Cures Act which among many other things basically said that providers had to make data available in a modern format (i.e. via API). ONC, the bit of HHS that manages this stuff, eventually came up with some regulations and by the early 2020’s data access became real across a series of national networks. However, the access was restricted to data needed for “treatment” even though the law promised several other reasons to get health data.

As you might guess, a bunch of things then happened. First a series of VC-backed tech companies got created that basically extract data from hospital APIs in part via those national networks. These are commonly called “on-ramp” companies. Second, a bunch of companies started trying to use that data for a number of purposes, most ostensibly to deliver services to patients and play with their data outside those 91 big hospital systems.

Which brings us to the last couple of weeks. It became publicly known among the health data nerd crowd that one of the onramp companies, Particle Health, had been cut off from the Carequality Network and thus couldn’t provide its clients with data.

The supposed reason was that they were getting data without a “treatment” reason.

Now if you really want to understand all this in detail, go read Brendan Keeler’s excellent piece “Epic v Particle”. Basically Particle cried foul and, unusually, both Michael Marchant, a UC Davis Health employee & the Chair of the big health systems on the “Care Everywhere Committee” (remember that from earlier?), and then Epic itself responded. Particle’s founder Troy Bannister in a LinkedIn post and an official release from Particle said that they had not received notice or any evidence of what they’d done wrong. Michael said they had. I started quoting the Dire Straits line “two men say they’re Jesus, one of them must be wrong.” (FD. Troy was briefly an intern at Health 2.0 long, long ago).

Then Epic publicly released a letter to its clients explaining that, contrary to what Troy & Particle said, it had been discussing this with Particle for months and had had several meetings before and after it cut them off. So unless Particle’s legal counsel was parsing its words very very carefully, they knew Epic and its clients were unhappy, and it was unlikely Troy was Jesus. Michael might still be, of course. (Update: as of 4/15/23 Particle says only some feeds were cut off not all of them as Epic suggested)

In the letter Epic named 4 companies who were using Particle’s data in a way it didn’t like: Reveleer and MDPortals (who are one not two companies, as they merged in 2023 before this issue started), Novellia and Integritort.

So what do they do with the data? Reveleer says that “leveraging our AI-enabled platform with NLP and MDPortals’ sophisticated interoperability allows us to deliver providers a pre-encounter clinical summary of patients within their EHR workflow at the point of care.” Sounds like treatment to me. But Reveleer also does analysis for health plans. You can see why hospitals might not like them.

Novellia is a PHR company, presumably using “treatment” to enable consumers to access their data to manage their own care. This was EXACTLY what Joe Biden wanted the 21st Century Cures Act to give patients the right to do and what Epic CEO Judy Faulkner told him he shouldn’t want (depending exactly who you believe about that conversation). But it’s probably not a particular “treatment” under HIPAA, because who believes patients can treat themselves or need to know about their own data anyway? (I’ll just lock you all in a room with Dave deBronkart, Susannah Fox and Regina Holliday if you want the real answer). This is apparently the line where ONC folded in its ruling to the vested interests that providers (and their EMR vendors) didn’t have to provide data to patient requests.

Finally, Integritort does sound like it’s looking for records so it (or its law firm customers) can sue someone for bad treatment (or as it turns out defend them for it). Is that “treatment” under the HIPAA definition? Almost certainly not. On the other hand, do the providers cutting them off have a vested interest in making sure no outside expert can review what they’ve been up to? I think we all know the answer to that question.

But anyway it looks like Particle switched off Integritort’s access to Carequality on March 22nd before Particle was entirely switched off by Carequality sometime around April 1.

What is not answered in the letter is why, if Carequality can identify who these records are going to, it needed to switch all Particle’s access off. Additionally, you would think that Particle’s path of least resistance would be to cut off the named clients Epic/Carequality was concerned about and try to sort through things while keeping its system running–which it seems it did with Integritort. Whatever happened, instead of this negotiation continuing behind the scenes, we all got to witness a major power play–with clearly Epic & its big customers winning for now.

I think most people who are interested in getting access to data for patients are all agreed on the need for new “paths” which were already defined in the regulations but not implemented, and also presumably for agreed standards (with associated liability) of “know your customer laws” for the onramps like Particle to make sure that the clients using them are doing the right things vis a vis confirming patient identity et al. 

Slight digression: I am confused about why identity proofing is such a big deal. In recent weeks I have had to prove my identity for the IRS, for a credit union, and for the TSA. Not to mention for lots of other websites. There are companies like IDme, Clear and many others that do exactly this. I don’t see anything so specific about health care that is different from credit cards, bank accounts, airport safety, etc. Why can those agencies/organizations access all that data online but for some reason it’s a bridge too far for health care?

However, you can see where the fault lines are being drawn. There are a lot of organizations, many backed by rich VCs or huge quasi-tech corporations, that think they can do a much better job of caring for Americans than the current incumbents do. (Whether they can or not is another matter, but remember we are spending 18% of GDP when everyone else spends 10-12%). Those organizations, which include huge health plans, tech cos, retail clinics, startup virtual care clinics, and a whole lot more, need data. Not everything they or the intermediaries they use do will fit the “treatment” definition the current holders of that data want to use. On the other hand, the current incumbents and their vendors are extremely uninterested in any changes to their business model.

Data may be the new oil but, like oil, data needs refining to power economies and power health care services. We spent much of the last century fighting about access to oil, and we’re going to spend a lot of this one fighting about data. Health care will be no exception.

Matthew Holt is the publisher of The Health Care Blog

Virtual Care Regulatory Round-Up: Dobbs & the ‘Weaponization’ of Digital Health Data
https://thehealthcareblog.com/blog/2022/08/10/virtual-care-regulatory-round-up-dobbs-the-weaponization-of-digital-health-data/
Wed, 10 Aug 2022 12:00:00 +0000

BY JESSICA DaMASSA

How will the reversal of Roe v. Wade impact virtual care and digital health companies from a health data privacy standpoint, particularly as States crack down on the use of telehealth as a mechanism for obtaining abortions and begin to look at digital health data as potential evidence in criminal cases where abortions are illegal?

Health data privacy expert and rightfully-so-self-proclaimed HIPAA Scholar, Deven McGraw, who spent three years as Deputy Director of the Health Information Privacy Office at HHS and currently leads Data Sharing and Stewardship at Invitae, gives us her hot take on what’s happened from a health data privacy standpoint and how it will impact health tech businesses and healthcare consumers in the short and long terms.

Deven’s take: “We’ve really jumped the shark in terms of what the consequences are of health data falling into the hands of people who intend to use it in order to pursue a criminal case either against a woman (or a man) seeking a service, or the provider that performed the service…” So, what does that mean for those who are dealing with digital health data? What are the limitations as far as what HIPAA can protect for patients and what it can’t? What loopholes have Deven worried about the privacy law’s ability to stand up to the challenges now posed by the Dobbs decision? And, what does all this mean for the telehealth-based businesses that are providing services to these patients?

We have a sweeping conversation about the shifting health data privacy landscape in the wake of Roe’s reversal in this latest episode of our special monthly Virtual Care Regulatory Round-up Series, sponsored by the health tech company powering the virtual care industry, Wheel.

Matthew’s health care tidbits: Texas is the present future of abortion care
https://thehealthcareblog.com/blog/2022/07/05/matthews-health-care-tidbits-texas-is-the-present-future-of-abortion-care/
Tue, 05 Jul 2022 07:38:00 +0000

Each week I’ve been adding a brief tidbits section to the THCB Reader, our weekly newsletter that summarizes the best of THCB that week (Sign up here!). Then I had the brainwave to add them to the blog. They’re short and usually not too sweet! –Matthew Holt

In this edition’s tidbits, I have to return to the stunning impact of the Dobbs ruling. We know what will happen because it is already happening in Texas, where the 6 week law was already being enforced in contravention of Roe v Wade.

Taxpayer money is going to “pregnancy crisis centers” that flat out lie to vulnerable patients about the impact of abortions on their health. Doctors are questioning women who have miscarried–at a moment that is already terrible for them, and women who have miscarried are being denied basic D&Cs–which can kill them.

Don’t get me started on the absolute nonsense being talked–and passed into law –about ectopic pregnancies, of which there are over 130,000 each year in the US, being carried to term. How unlikely is it that an ectopic pregnancy makes it to term with no ill effects? Let me tell you a story. My dad was an OBGYN. He and his anesthetist saved the life of a woman and her baby who somehow had made it to term while being ectopic. During the surgery she needed 12 pints of blood (a normal woman has 7-8 pints in her body) and he considered it the greatest piece of surgery he did in his entire career. He thought that he and the patients were very lucky. So I demand that crazy legislation saying ectopic pregnancies have to be carried to term also mandates that my dad is around to do every single C-Section. Unlikely, as he’s dead, but no crazier than the legislation in Indiana.

Then there’s the impact on telehealth. Most abortions are done using drugs but more and more of the pandemic-era exemptions to prescribing drugs and seeing patients over telehealth across state lines are being withdrawn. Clearly the state-based licensing of doctors is itself ridiculous in an age of online commerce, but despite the DOJ statements the legality of prescribing abortifacients across state lines is very unclear and, as Deven McGraw explained in this harrowing piece on THCB Gang, HIPAA doesn’t protect patient privacy from local law enforcement. So what happens to someone in a state where abortion is banned if they have to go to hospital because of a complication from taking an abortifacient? Trump thinks they should go to jail.

What is clear is that bans on abortion don’t stop abortions. But they do endanger women. And if the pregnancy crisis center stops a woman from getting an abortion, do they help afterwards? Why yes, if you mean by “helping”, they have a celebratory dinner and light a fricking candle.

How Can Patients Get Medical Records from a Closed Medical Practice?
https://thehealthcareblog.com/blog/2020/10/08/how-can-patients-get-medical-records-from-a-closed-medical-practice/
Thu, 08 Oct 2020 16:04:56 +0000

By GRACE CORDOVANO, DEVEN McGRAW, and AARON MIRI

The HIPAA Privacy Rule gives patients the right to copies of their medical records, with rare exceptions. When patients need a copy of their medical records, most start the process by calling their doctor’s office and asking for how to get access. The receptionist or office staff point them in the right direction, whether it’s instructing them to write down their request and sending it to the office, pointing them to contact the medical records or radiology department (if the practice is large enough), or assisting them in setting up their patient portal, if the practice is using an electronic health record (EHR). Being able to connect with a person inside the four walls of medicine is often crucial for many patients and their carepartners who may be unsure of exactly how to request their records.

But what happens to those records when a doctor closes or leaves the practice?

Independent practices close for a variety of reasons. Physicians may merge with a large practice or health system, retire, sell or close their practice for personal reasons, file for bankruptcy, or get sick and die. The COVID-19 pandemic has had devastating financial consequences for many small, independent, and rural practices, leading to their closure, acquisition, or merger.

What should patients do when their doctor’s office closes, and they need a copy of their medical records? This is especially challenging when a doctor may not have had an EHR, as is the case with many independent practices as well as more rural settings. On September 26, 2020, a tweet from Cait DesRoches, Executive Director of OpenNotes, inquired about how a family member may get access to medical records from her physician’s practice that closed, triggering a robust conversation that led to the realization that patients and families are not well informed in these circumstances.

Prevention is Worth a Pound of Cure

It can be much more difficult to get copies of records after a practice has closed. Patients should get copies of their medical records as they are generated instead of waiting until they’re needed. HIPAA Privacy Rule guidance states that individuals can get digital copies of digital information (or even digital copies of records kept on paper, as long as the practice has a scanner). Companies are developing tools and services that enable individuals and their care partners to collect, use, and store health records. Request digital (or paper, if that is preferred) copies of blood work, imaging, discharge instructions, and corresponding reports before you leave the practice.

What Happens to Medical Records When Offices Close? The Law

The Health Insurance Portability and Accountability Act (HIPAA) does not require a physician to retain medical records for any particular period of time. (HIPAA covered entities – which include physicians who bill health insurers for care – are required to keep records demonstrating compliance with HIPAA for at least six years – but those records are distinct from medical records.) However, if the physician still has those medical records – or has placed them in storage for safekeeping – the HIPAA requirements to produce them when a patient requests still apply.

State laws typically set medical record retention requirements for physicians and may also require the physician to take particular steps (such as notifying a patient) prior to or upon closure of a practice. 

An example of some of these state laws:

  • In California, physicians must notify patients in advance of closure of the practice, and are still responsible for safeguarding records and making sure they are available to patients. The California Medical Association recommends physicians keep records for at least ten years from the last date the patient was seen.
  • New York requires that medical records be retained for six years from the date of the most recent entry in the record, and patients are required to be informed when a practice closes.
  • Virginia prohibits the transfer of medical records as part of the closure or sale of a practice until the provider has first attempted to notify the patient by mail or by publishing notice in a newspaper of general circulation in the area.
  • Texas law requires physicians to keep records for a minimum of seven years after the date of last treatment, and physicians leaving a practice are required to notify patients.

During the record retention period, these records are considered to be still “available” and subject to the HIPAA right of access. Consult the medical board or the state medical society in the state where the physician has practiced for further information about physician requirements in the event of closure of a practice. The Medical Board should also have information about how to file a complaint if the physician’s practice has closed without any notice or information about how to obtain records. 

Irrespective of legal requirements, the American Academy of Family Physicians recommends that patients be notified by a letter that the office is closing, giving them the opportunity to obtain a copy of their medical records or have records forwarded to a physician of their choosing. The office may post an update on its website or social media page(s), if they exist, or run an ad in the local newspaper. Patients should be notified who will be the custodian of the medical records and their contact information.

Sorry! The Office Is Closed

Unfortunately, the reality is that most individuals do not get copies of their medical records throughout their care journey. This leaves patients and carepartners in need of records facing significant uncertainty, stress, and frustration when they unexpectedly find out that their doctor’s office has closed. Here are a number of critical tips to assist patients in gathering their medical records, directly and indirectly, in the event their doctor’s office has closed.

  1. It is helpful to know when the office may have closed: was it recently or many years ago? As noted above, state laws govern how long records must be retained as well as how they must be handled with respect to confidentiality, privacy, and how they may be destroyed, when and if needed. Typically, records that are about 10 years from the last documented encounter may be candidates to be destroyed and may be more difficult to obtain as a copy. (As noted above, state laws may allow for them to be destroyed even sooner than 10 years.)
     • Individuals should refer to the letter they may have received notifying them of the office closing and contact the designated records custodian. Updates may also have been posted to the physician’s or practice’s website or social media page, if available. The local librarian may assist with researching the office closure notice in archived newspapers or posts in the public domain.
     • Insurance companies, current and previous, should be contacted to request any claims that may have been received from the specific physician or provider’s practice. Ask for a supervisor and relay specific information about the health information needed and why it is critical for one’s care. In the event individuals are encountering difficulty getting traction over the phone, they may turn to social media for help. If the respective insurance company has a Twitter account, individuals may tweet their request while including the insurance company’s Twitter handle. Social media managers are often very responsive and may be an additional avenue for connecting individuals to the information they need if it is perceived that delays in response may be detrimental to their company’s reputation.
     • Is there another doctor or professional now at the same physical office/facility location? Individuals should address the request in person or via a call. The new office staff often receive many of the same questions from other previous patients and may have contact information for a point person on hand. They may also have the records in question if the practice was acquired (where applicable).
     • Individuals should contact their local chamber of commerce, borough hall, or local Department of Health. If the office closure was recent, someone may know a way to connect with the doctor or a former staff member for more information.
     • Did the doctor have other doctors on staff? If so, individuals may search for the other doctors who may still be in practice at another location to see if they have a contact for where records have been retained.
     • Individuals may quickly determine if their doctor is on social media, such as LinkedIn, Twitter, and Facebook, and respectfully direct message them with their request for more information.
     • Individuals may search the internet for any recent press releases that may feature the doctor’s work, activism, or research and contact the respective article’s author or journalist. At minimum, they may be willing to forward the request for records to the doctor.
     • If individuals need specific information on medications, they may contact the pharmacy that was used to fill the respective prescriptions to request copies of prescription records.
  2. Individuals should contact their primary care doctor, and other members of their care team, to see if records were forwarded to them for continuity of care purposes.
  3. If an individual’s doctor is deceased, the state medical licensing board may be contacted to determine the care provider’s county of residence. Consequently, the specific state’s county probate court may be contacted to confirm if there is a designated executor of estate that has authority over records retention processes. Alternatively, an obituary may list surviving next of kin who may also be contacted for more information on records retention.
  4. If medical records were available digitally, individuals may look up their state and “health information exchange (HIE)”. An HIE is a secure network that supports the electronic exchange of patient health information among trusted data entities, typically across an entire state. Individuals should research if there is an HIE that may serve their local area. An HIE’s website will have a phone number and email to contact directly with your request.
  5. If imaging was performed, individuals may reach out to the respective imaging center or the location where imaging was done to request copies of images on CDs and the corresponding reports.
  6. If bloodwork was performed, individuals may contact the lab, such as Quest or LabCorp, that processed the tests directly for copies of final lab reports. Individuals may contact their insurance company, current or previous, if they are unsure of the names of the labs that may have been in-network via their plan; individuals can also use their right of access to get copies of claims from their health plan, which may identify the lab that processed the tests.
  7. If individuals are in need of immunization records, they may contact their state Department of Health, as it may have an immunization registry. The Immunization Action Coalition also has information on locating immunization records.
  8. If individuals are working within the framework of a specific diagnosis or condition, they may research non-profits that support patients within that specific disease state and reach out for peer health support, where other individuals diagnosed with the same condition may also be able to assist in navigating these barriers to patient access based on their own lived experiences.
  9. A state’s medical board, Office of the Attorney General (AG), and state’s Department of Health are all resources for additional support.

Individuals may also file a complaint with the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) if all efforts have been exhausted and the needed medical records have not been obtained.

A closed practice does not need to be a dead end for patient access. Proactively requesting copies of medical records throughout one’s care journey can prevent encountering such patient access barriers. Continuing to share best practices for navigating patient access barriers, from legal, regulatory, and practical standpoints, is in the best interest of all patients.

Grace Cordovano, PhD, BCPA is a board-certified patient advocate specializing in the oncology space, a patient experience enhancer, and information unblocker.

Deven McGraw , JD, MPH, LLM (@healthprivacy) is the Chief Regulatory Officer at Ciitizen (and former official at OCR and ONC). She blogs at ciitizen.com.

Aaron Miri is the Chief Information Officer for The University of Texas at Austin, comprising the Dell Medical School, UT Health Austin clinical enterprise, research, and community impact missions.

Patient Identity and Patient Record Matching
https://thehealthcareblog.com/blog/2020/09/11/patient-identity-and-patient-record-matching/
Fri, 11 Sep 2020 18:27:52 +0000

By ADRIAN GROPPER and DEBORAH C. PEEL

September 4, 2020

Thank you, ONC for the opportunity you gave me to speak in June. Also, thank you for the format of your August meeting where the Zoom chat feature offered a wonderful venue for an inclusive commentary and discussion as the talks were happening. Beats lining up at the microphone any day.

Here is a brief recap of my suggestions, in no particular order:

  • Patient identity is not different from human identity. Working on healthcare-specific solutions is not only expensive, but also ineffective. As some of your speakers made clear, the economic value of patient ID requires access to social determinants of health, non-HIPAA wearables, social relationships, assisted living, and economic correlates. Access to these will not be covered by HIPAA so any solution that depends on HIPAA-derived federations, including the incumbent HIEs, is not going to work. The Surescripts approach, for example, may be surveilling 315 million people already but it’s a dead end.
  • HIPAA does not provide a right to consent. Because HIPAA is not broad enough to drive the economic and social benefits of patient identity, a HIPAA-based solution cannot be effective in the long run. A national patient ID strategy must be based on consent. One way to introduce consent into the solution is to involve payer IDs. Although not everyone is insured, yet, those who are have every reason to provide strongly validated identity voluntarily. Leveraging the near-universal consensus against surprise medical bills will align incentives even further.
  • TEFCA depends on patient identity on a scale that stresses probabilistic matching. As it stands, TEFCA is not guaranteed to succeed because it still depends on new regulation and enforcement. The incumbent state and vendor HIE interests have almost no economic reason to cooperate. Major integrated delivery networks invested in “Epic Everywhere” as a way to control local competition have no reason to help TEFCA dilute their expensive investment. To derive value and equity benefits from TEFCA, its governance strategy will need to be much more patient-focused than it is so far. The tendency for ONC to stand back and wait for Sequoia to do its thing will lead to failure. If ONC wants TEFCA to succeed you will need to give consumers and economists the lead, with incumbent HIEs, hospitals, and vendors in an advisory role. Furthermore, all of TEFCA’s and Sequoia’s doings need to be in the open and subject to Federal transparency regs.
  • Regardless of the pace of insurance or health reform, our nation needs timely and accurate data to drive health policy and provide the resilience essential to dealing with public health emergencies. Research uses of health data can also be improved. Most of all, a remedy for the health access disparities unique to the US among rich nations will require patient trust and unprecedented transparency into how healthcare is delivered, to whom, and at what cost. As the disgusting lobbying over ending surprise medical bills has clearly shown, the majority of private and incumbent interests, including the AMA, have little regard for the social impact of their policies. Patient identity strategy is critical to providing the sunshine and driving the science we need to serve the interest of all Americans.
  • Self-Sovereign Identity (SSI) in the form of standardized decentralized identifiers (DID) is certainly going to be part of the patient ID solution because the alternative, federated identity (as in OpenID Connect), has already failed both in healthcare and other markets. The reason OpenID Connect has failed is inadequate privacy. Nobody wants “Sign In with Facebook” to mean that Facebook gets to track everywhere they sign into and that Facebook gets to cancel their account on a whim and have them lose control of the services that depend on the Facebook-controlled credentials. I am not aware of any successful consumer-level federation for single sign-on, in or out of healthcare, except for ATMs, which benefit from the huge homogeneity and deep regulation of banks. So, whatever overall strategy we go forward with in TEFCA and beyond, please consider that there is no current alternative to SSI for the patient ID components.

Signed,

Adrian Gropper, MD

CTO, Patient Privacy Rights

Deborah C. Peel, MD

President and Founder, Patient Privacy Rights

Getting Ahead of Privacy and the CCPA – Healthcare Needs to Move Beyond HIPAA
https://thehealthcareblog.com/blog/2020/02/18/getting-ahead-of-privacy-and-the-ccpa-healthcare-needs-to-move-beyond-hipaa/
Tue, 18 Feb 2020 14:00:00 +0000

By DAN LINTON

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Privacy concerns are on the rise. Over the last couple of years, survey after survey has clearly shown a dramatic rise in overall consumer privacy awareness and concern – driven primarily by the never-ending litany of data breaches that make the news.

The healthcare industry has been somewhat shielded from this, seemingly due to the trust that patients extend to their doctors and, by proxy, the organizations they work with. HITECH and HIPAA legislation have acted as a perceived layer of safety and protection.

But healthcare is not immune from privacy issues.

Most people aren’t even aware of the hundreds of data breaches of unsecured health information in the last 24 months which are being investigated by the U.S. Department of Health & Human Services Office for Civil Rights. In fact, research indicates that consumers still trust healthcare organizations with their data more so than many other industries.

But for how much longer?

Studies show that, although trust is still high, consumers are becoming increasingly concerned about privacy in healthcare. The perceived shielding that federal legislation provides and the implicit trust healthcare enjoys are both decreasing as other industries continue to receive arguably well-deserved scrutiny over their privacy and data protection practices.

And What About the CCPA?

Many medical and healthcare organizations that are covered entities under HIPAA mistakenly believe they are fully exempt from consumer privacy legislation, such as the California Consumer Protection Act (CCPA). The CCPA does have an exemption for HIPAA protected data and current CCPA regulations are neither clear nor final. However, most legal opinions indicate that many types of data collected by healthcare organizations that are not regulated by HIPAA most definitely will be covered by the CCPA.

Data sources such as website cookies, health apps, conferences, marketing initiatives, fundraisers and more represent personally identifiable information that does fall under the CCPA. As such, medical organizations that handle that kind of data must be CCPA compliant. While EHR databases may be exempt, the CCPA’s definition of personal information is much broader and includes almost any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Of course, both HIPAA and CCPA have specific requirements for compliance, and preparing for the CCPA is something most healthcare businesses should already be ahead of.

Beyond compliance issues, sustained public attention and skepticism over privacy issues will come to the healthcare industry sooner or later – and along with it will come potentially mammoth impacts to medical businesses. And because of the impending rise in public awareness and media scrutiny, hiding under the cover of compliance with HIPAA and the CCPA is no longer a viable choice.

The CCPA isn’t the end result of the rise of privacy concerns, it’s a bellwether for what’s to come, and it’s time for healthcare organizations to step up.

Getting and staying in compliance with both HIPAA and the CCPA are obviously critical, but they are only a first step. As healthcare begins to embrace big tech and the incredible promise those partnerships can bring, the medical industry must think far beyond legal compliance and embrace real data privacy principles as core operating commitments and key competitive differentiators.

Transparency, Choice and Accountability

Patient trust in healthcare isn’t permanent or unassailable, and being trusted doesn’t absolve healthcare organizations from ongoing transparent communication. In the modern and connected world, trust must be earned on an ongoing basis with both transparency and consistency of action.

Companies that use personal healthcare data must be transparent about their practices and provide consumers a sense of control by giving them a real choice to opt in or out whenever possible. Organizations also need to communicate clearly with consumers about where their data is coming from, why it’s being collected, and how vendors and service providers are used in providing the services that they need.

Transparency must also be in lockstep with consistency of action. That means healthcare businesses must not only be clear about their actions, they must enable public accountability mechanisms such as advisory boards, complaint processes, official advocates, ombudsmen and more.

Data Protection and Security

Patients have a right to know their healthcare data is private and safe. Medical organizations should not only use advanced security technology and governance for all data, but also communicate to consumers about how their data is protected – whether mandated by legislative requirements or not. Encryption, data minimization, retention and deletion protocols, and other privacy-related organizational measures should be enacted and communicated.

Make a Difference and Add Value

Personal healthcare data is sensitive and should be used to advance medicine, improve outcomes and make the world a healthier place – not solely for financial gain. Beyond legal compliance, healthcare must embrace respect and ethics, with a public commitment to using personal data to add value to people’s lives. Organizations must also clearly communicate the difference they are making by using personal data, both for the individuals themselves and to healthcare and medicine as a whole.

While these principles may seem counter-intuitive to some, this moment is actually an incredible opportunity for healthcare organizations to embrace these principles and get ahead of their competitors.

Other industries have clearly demonstrated that those who embrace privacy are rewarded, while those who do not are punished. Financial gain will come by acting beyond privacy compliance, whereas waiting for the inevitable incidents that will damage and degrade patient trust, whether a data breach or public relations issue, is not a sound business strategy.

The healthcare industry has the opportunity right now to build upon its history of patient trust, but that opportunity won’t be realized by simply maintaining the status quo.

Dan Linton, CIPP/US, CIPP/E, CIPM, is the Global Data Privacy Officer at W2O, where he supports internal and client data privacy and protection practices with a specific focus on GDPR, CCPA and the impact of global privacy legislation on healthcare marketing and communications.

Healthcare in the National Privacy Law Debate
https://thehealthcareblog.com/blog/2020/02/10/healthcare-in-the-national-privacy-law-debate/
Mon, 10 Feb 2020 15:35:19 +0000

This article originally appeared in the American Bar Association’s Health eSource here.

By KIRK NAHRA

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Congress is debating whether to enact a national privacy law. Such a law would upend the approach that has been taken so far in connection with privacy law in the United States, which has either been sector specific (healthcare, financial services, education) or has addressed specific practices (telemarketing, email marketing, data gathering from children). The United States does not, today, have a national privacy law. Pressure from the European Union’s General Data Protection Regulation (GDPR)[1] and from California, through the California Consumer Privacy Act (CCPA),[2] are driving some of this national debate.

The conventional wisdom is that, while the United States is moving towards this legislation, there is still a long way to go.  Part of this debate is a significant disagreement about many of the core provisions of what would go into this law, including (but clearly not limited to) how to treat healthcare — either as a category of data or as an industry.

So far, healthcare data may not be getting enough attention in the debate, driven (in part) by the sense of many that healthcare privacy already has been addressed. Due to the odd legislative history of the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[3] however, we are seeing the implications of a law that (1) was driven by considerations not involving privacy and security, and (2) reflected a concept of an industry that no longer reflects how the healthcare system works today. Accordingly, there is a growing volume of “non-HIPAA health data,” across enormous segments of the economy, and the challenge of figuring out how to address concerns about this data in a system where there is no specific regulation of this data today.

The substantial history behind the HIPAA experience to date also provides meaningful insight into how a future privacy law could work.  There are critical elements of HIPAA that have worked well  — for both consumers and industry — and from which we may take lessons for the future.  At the same time, the gaps in HIPAA’s protections — mainly the result of a legislative accident and significant technological and industry change — have grown to largely untenable levels. These gaps have led to a broad range of entities that create, use, and disclose healthcare information outside of the reach of the HIPAA Rules.  This growing range of non-HIPAA health data needs to be addressed in some way.

This leads to the national debate.  There are a variety of approaches that are being applied today to healthcare.  This article will explore some of the models to date, and reviews other efforts to provide standards for the treatment of healthcare data.  In addition, this article will look at a new challenge — the usefulness of data that does not seem to be about our health in the healthcare industry. The primary goal of this article is to identify these issues and begin (or, to be fair, continue) a dialogue (although one that has largely stalled and then been taken over by the broader national privacy law debate) on how these principles should be applied to protect consumers while at the same time permit the critical healthcare industry to move forward effectively and efficiently.  

Setting the Stage

The HIPAA Privacy Rule[4] has set the standard for the privacy of healthcare information in the United States since the Rule went into effect in 2003. Despite criticism from various directions, it has fundamentally reshaped the privacy and security environment for the healthcare industry by creating a set of national baseline standards across the healthcare industry.

Yet, from the beginning the HIPAA Privacy Rule has had important gaps. The Privacy Rule was the result of a series of Congressional judgments about “scope,” driven by issues having nothing to do with privacy, such as the portability of health insurance coverage and the transmission of standardized electronic transactions. As a result of the HIPAA statute, the U.S. Department of Health and Human Services (HHS) only had the authority to write a privacy rule focused on HIPAA “covered entities” (healthcare providers, health plans and healthcare clearinghouses) — meaning that certain segments of relevant industries that regularly use or create healthcare information, such as life insurers or workers compensation carriers, were not within the reach of the HIPAA Rules. Therefore, the HIPAA Privacy Rule and the other HIPAA Rules have always been “limited scope” Rules, rather than a general health information privacy regulation. Bound by the statutory framework, the Privacy Rule focuses on “who” had one’s healthcare information rather than the information itself.[5]

In the beginning, while critical gaps certainly existed, these gaps were somewhat limited, and large components of the healthcare industry — including most healthcare providers and health insurers — were covered by the HIPAA Rules.  What has changed in recent years is the enormous range of entities that create, use, and disclose healthcare information outside of the reach of the HIPAA Rules. The system now has reached (and passed) a tipping point on this issue, such that there is enormous concern about how this “non-HIPAA” healthcare data is being addressed, and how the privacy interests of individuals are being protected (if at all) for this non-HIPAA healthcare data.

So, what exactly is the problem? Because of the limited scope of the HIPAA statute, a broad range of entities that collect, analyze, and disclose personal health information are not regulated by the HIPAA Rules. For example, numerous web sites gather and distribute healthcare information without the involvement of a covered entity (meaning that these web sites are not covered by the HIPAA Rules). These range from commercial health information web sites, to patient support groups, to personal health records. There has been a significant expansion of mobile applications directed to healthcare data or offered in connection with health information or overall wellness. The entire concept of wearables post-dates the HIPAA Rules and generally such wearables fall outside the scope of the HIPAA Rules. The growing expansion of “direct to consumer” healthcare activities primarily avoid regulation by the HIPAA Rules. A wide range of the largest tech companies in the world also are becoming involved — to varying degrees and through varying means — in the collection and analysis of health-related data. Unless a HIPAA covered entity is involved, these activities generally are outside of the scope of the HIPAA Rules, and are subject to few explicit privacy requirements (other than general principles such as the idea that you must follow what you say in a privacy notice and have reasonable and appropriate security practices).[6]

In addition, as “patient engagement” becomes an important theme of healthcare reform, there is increased concern about how patients view such uses of data, and whether there are meaningful ways for patients to understand how their data is being used.[7] The complexity of the regulatory structure (where protections depend on sources of data rather than “kind” of data), and the difficulty of determining data sources (which are often difficult, if not impossible, to determine), has led to an increased call for broader but simplified regulation of healthcare data overall. There are meaningful situations across the healthcare spectrum that involve data that is protected by HIPAA at one point and then, through permitted disclosures, no longer receives the protections of the HIPAA Rules. These growing gaps call into question the lines that were drawn by the HIPAA statute, and easily could lead to a re-evaluation of the overall HIPAA framework.

At the same time, there also has been an increased usage by HIPAA covered entities of personal data that would not traditionally be viewed as “healthcare information.” As just one example, the New York Times reported on “health plan prediction models” that use consumer data obtained from data brokers, such as income, marital status, and number of cars owned, to predict emergency room use and urgent care needs.[8] A 2013 study by the SAS Institute[9] found that television usage patterns, mail order buying habits and investments in stocks and bonds were all variables with predictive power to understand patient risks for particular health outcomes. This kind of information usage by HIPAA covered entities — relying on data that is not traditionally viewed as healthcare information and which is widely available outside of healthcare contexts and for a wide variety of non-healthcare usages — threatens to blow up the concept of what “health information” means.

This convergence of data creation and usage is leading to an increasing debate about what should be done, if anything, about this non-HIPAA healthcare data and the application of the HIPAA Privacy Rule to data that does not directly involve the provision of healthcare.  It is clear that this debate will be ongoing and extensive.  It is not clear at all what the results of the debate will be.

Today’s Discussion

We turn now to the current debate about a national privacy law. Driven by the GDPR, the CCPA, and a broad variety of privacy and data security “scandals” involving tech companies, large scale security breaches and the like, there has been a more extensive debate about a national privacy law than at any point in American history. How can the approach taken for healthcare data help guide this discussion?

What can be Learned from the HIPAA Model?

For better or worse, the core elements of the HIPAA Rules can be summarized as follows. The HIPAA Rules incorporate a specific set of covered entities — those companies (or perhaps individuals) directly subject to the law. By defining a set of regulated entities, HIPAA is typical of the U.S. approach to privacy law, which is one that has favored sector-specific regulation. It then incorporates a means of addressing service providers (first by contract, then by law after legislative change).[10]

One of the key choices in the development of the HIPAA Privacy Rule — one that can be an enormously useful model in the development of a national privacy law — involves the approach to consumer consent and the related ability of these covered entities to use and disclose regulated information. The idea of “consent” under the HIPAA Privacy Rule is straightforward – consent is presumed for certain key areas for uses and disclosures of personal information, tied to “normal” operations of the healthcare industry. For this set of purposes — Treatment, Payment and Health Care Operations — consent is presumed under the law.[11] (Note that, unlike some other laws such as the Gramm-Leach-Bliley Act,[12] which focuses its privacy obligations on disclosures of personal information, the HIPAA Privacy Rule applies to both uses and disclosures of information). This defined set of “permitted” purposes is tied both to normal activities that we want to encourage in the healthcare system (for the benefit of all healthcare stakeholders) and to effective operations of the healthcare system, consistent with consumer expectations. Note that this idea of “appropriate” purposes for permitted disclosures seems consistent with the idea of “context,” which has emerged in the Obama Administration Consumer Privacy Bill of Rights[13] and other emerging views on a future privacy law.

The HIPAA Privacy Rule also permits disclosures for certain public policy purposes under section 512 of the HIPAA Privacy Rule, such as public health and regulatory investigations, where consumer consent is viewed as not directly relevant. All other uses and disclosures are permitted only with explicit patient permission.[14]

The HIPAA Privacy Rule incorporates a series of individual rights with a continuing focus on the importance of access to the consumer’s information. There are a series of administrative requirements. The HIPAA Rules also include a separate set of security principles and a breach notification rule. There is primary civil enforcement through the HHS Office for Civil Rights, potential criminal enforcement through the Department of Justice, and parallel civil enforcement through state attorneys general. There is no private right of action.

Other Healthcare Privacy Regimes

How else can the privacy of healthcare information be addressed?  Remember, HIPAA is not really a health information privacy rule — it is a rule that protects certain information in certain contexts when held by certain kinds of entities. Other regimes have chosen different approaches to healthcare privacy.

GDPR

GDPR takes a very different approach from HIPAA.  Under GDPR, health information is treated as sensitive data, but there are no specific requirements for the healthcare industry per se.  GDPR is therefore both broader and narrower than HIPAA in its approach.  It applies to more kinds of entities that have or use health information, but applies to less information than if that information were held in the United States by a covered entity (for example, a name or social security number held by a U.S. hospital is protected by HIPAA, while such information would not be health information under GDPR).  There is very little additional consideration in GDPR of the healthcare industry on its own.   

The California Medical Information Act

Some states have their own laws that mirror HIPAA to some extent. Technically, HIPAA sets a federal floor for privacy protection. It preempts weaker state laws but permits more stringent laws that provide greater privacy protections. California, for example, has the Confidentiality of Medical Information Act (CMIA).[15] This is a freestanding law different from CCPA (described below) that is parallel to HIPAA. It clearly includes many HIPAA covered entities and business associates, but also includes additional entities that are not subject to HIPAA. It is extremely challenging — to say the least — to evaluate the differences between the HIPAA Rules and the CMIA for HIPAA covered entities (and very difficult to apply the law to other kinds of entities that appear to be subject to it), as the CMIA incorporates some portions of the HIPAA Rules, adds other items, subtracts some, and writes others in different ways using similar but not identical words for similar practices. The approach of this law is to define the healthcare industry in its own way, and then to impose a similar set of use and disclosure limitations on that industry. The defined industry not only includes the healthcare providers and health plans subject to HIPAA, but also includes:

Any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information, in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the  individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part.  California Code, Civil Code – CIV § 56.06(b).

There is a somewhat analogous law in Texas[16] (analogous both as to the CMIA’s broader scope and its overall ambiguity about who it applies to and confusion about how it is similar to or different from the HIPAA Rules).

CCPA

Then, since California is not confusing enough for healthcare, we now superimpose CCPA on the existing structure.  CCPA is a general, all-purpose privacy law generally applicable to all personal information of California residents. As a general matter, CCPA exempts entities covered by HIPAA.  It exempts covered entities for any HIPAA covered data, and business associates for their HIPAA activities (so an accounting firm that provides services to hospitals is exempted for that work, but not for its work involving banks or retailers). Intriguingly, it also exempts entities covered by the CMIA.  CCPA does seem to cover certain medical information that is held by entities that are not subject to HIPAA or the CMIA. Presumably, the collective approach in California covers all healthcare information in some way (with the potential exception of certain employer-collected health information not subject to HIPAA). CCPA, however, is emphasizing the challenges for an industry that now regularly crosses the lines for these different laws because of the business and compliance challenges of applying different standards to the same or similar business practices, depending on details about particular business relationships or data flows. 

Federal Concepts So Far

At the federal level, one is starting to see a variety of approaches to the overall question of national privacy legislation.  While healthcare has not recently been a focus of this debate, each approach has its own perspective on healthcare and health information, along with its own strengths and weaknesses.

The Klobuchar/Murkowski Proposal[17] is the only current legislative proposal that focuses on the issue of non-HIPAA health data. It creates a focused solution to the scope problems left by HIPAA’s legislative history. While recognizing the problem, it takes a “first step” approach to a solution: it requires a task force and then regulations “to help strengthen privacy and security protections for consumers’ personal health data … collected … by consumer devices.”[18] It provides a specific set of topics for regulators to consider under the legislation. This proposal targets this current gap, but would not create a uniform set of rules across the industry, as there would still be different rules for data covered by the HIPAA Rules compared to non-HIPAA data.

Other approaches are more general, and take varying approaches to how a new law would intersect with HIPAA. The Wyden bill[19] is mainly focused on expanding and increasing Federal Trade Commission (FTC) authority. This bill would presumably allow the FTC to treat non-HIPAA companies the same as other companies under their existing standards, and does not challenge the FTC’s authority in connection with HIPAA covered entities.

The Intel proposal — a carefully thought-through private sector initiative — primarily focuses on modified and expanded FTC authority as part of its broad overall approach to privacy regulation.[20] It includes some specific requirements related to health information. It provides certain preemption, but not for laws that go beyond HIPAA. It excludes HIPAA covered entities generally.

Another approach from Senator Schatz[21] defines “sensitive data” to include healthcare data. Again, its focus seems to be on the FTC. However, unlike other proposals, the obligations seem to be superimposed on HIPAA.

Senator Rubio’s proposal[22] includes medical history and biometrics as categories of data subject to the law but not health data overall. It generally exempts entities subject to HIPAA and preempts state law.

The broader Senator Markey privacy proposal[23] includes health information among the protected data elements. While the language is somewhat unclear, it seems to apply in addition to HIPAA.

In the House, Congresswoman DelBene has introduced “The Information Transparency & Personal Data Control Act.”[24] This proposal creates a wide range of obligations related to “sensitive personal information,” including health information, but does not otherwise address the healthcare industry per se. These provisions appear to be imposed on top of HIPAA, and there is an explicit carve-out from the preemption provision for state laws that are more stringent than HIPAA.

Where Are We Now?

There will be significant debate over the next few years on the future of a federal privacy law. While it might be possible for a healthcare “fix” to move separately, that seems unlikely at this point.

In thinking about the gaps in the current HIPAA structure, there are several options.  Moving from “most limited” to “broadest” in application, we could see specific proposals approaching this issue in the following ways:

  • A specific set of principles applicable only to non-HIPAA healthcare data (with an obvious ambiguity about what “healthcare data” would mean);
  • A set of principles (through an amendment to the scope of HIPAA or some new law) that would apply to all healthcare data; or
  • A broader general privacy law that would apply to all personal data (with or without a carve-out for data currently covered by the HIPAA Rules), with recognition that it is increasingly difficult to identify “healthcare information.” 

In parallel consideration, a national privacy law could:

  • Exempt the healthcare industry to the extent regulated by HIPAA;
  • Include new provisions that apply to HIPAA covered entities in addition to the existing HIPAA provisions; or 
  • Replace HIPAA with a new structure covering all healthcare information. 

At a minimum, it is anticipated that any new national privacy law would cover non-HIPAA healthcare data (and entities) but, unless a broader approach to health information is taken, would continue the status quo of different standards depending on who is holding the health information. 

Conclusion

Despite the importance of the healthcare industry, the HIPAA Rules, and health information to the overall debate about individual privacy, healthcare has not been a leading factor in the current national privacy legislative debate. This is unfortunate and can lead to problems for both the healthcare industry and a variety of other stakeholders interested in healthcare data and the privacy of this data. The HIPAA rules — because of their detail and our broad experience with them since their implementation — can provide some useful experience in evaluating the national debate, particularly in the HIPAA Privacy Rule’s approach to consent and the use and disclosure of covered information.

In general, the healthcare industry and most relevant stakeholders are comfortable with the HIPAA Rules’ approach and the overall impact of the rules on the operation of the healthcare industry and the protection of patient data. Despite this comfort, the healthcare industry and these other stakeholders (including government, employers, researchers, patients and general consumers) need to consider what the next phase of privacy protection for health information should be.  The current status quo — where the protection of health information depends dramatically on who holds the information — likely may persist in a national privacy law setting.  That has important implications for consumers and for the healthcare industry. These differing standards create confusion and complexity that easily could be reduced through a common standard.  These same challenges emerge in the discussion over preemption: if a national privacy law preempts state law, but HIPAA covered entities are not subject to the national law, then presumably they will remain subject to state law.  The healthcare industry should be evaluating whether a common standard — even if different from the HIPAA Rules — would be better for the industry and for consumers.

Today, while the healthcare industry, the patient community, and broad variety of interested stakeholders all pay close attention to these privacy programs and the overall protection of patient data, this perspective is not obviously a part of the expanding national debate.  This is a mistake.  Both those in Congress and the healthcare industry need to be focusing on these issues involving health information, and should be thinking about the important role of privacy protection for health information in the broader context of an appropriate national privacy law.

Kirk Nahra is a Partner with WilmerHale in Washington, D.C., where he co-chairs their global Cybersecurity and Privacy Practice.

Footnotes

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, available at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679 (effective May 2018).
  2. The California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (effective January 1, 2020).
  3. Health Insurance Portability and Accountability Act of 1996, P.L.104–191.
  4. The “HIPAA Rules” mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.  The HIPAA Privacy Rule is the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R., part 160 and part 164, subparts A and E.  The HIPAA Security Rule is the HIPAA Security Standards (45 C.F.R. Parts 160 and 164, Subpart C). The HIPAA Breach Notification Rule is the Notification in the Case of Breach of Unsecured Protected Health Information, as set forth at 45 C.F.R. Part 164 Subpart D.  
  5. As part of the rules implementing the provisions of the HITECH Act of 2009, which amended HIPAA, the “reach” of the HIPAA Rules was extended in part to “business associates,” but this extension did not change the need to have a relevant “covered entity” involved in any collection of information. 
  6. An important HHS publication tried to define the scope of regulation for this non-HIPAA health data.  This report is very useful, although the relevant guidelines and provisions evolve regularly.  See Department of Health and Human Services, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” available at https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf.
  7. Substantial questions remain about whether patients appropriately can access their own health information.  See McGraw, “The Patient Record Scorecard: What is it and Why we did it,” (Aug. 14, 2019), available at https://www.ciitizen.com/the-patient-record-scorecard-what-is-it-and-why-we-did-it/.  
  8. See, e.g., Singer, “When a Health Plan Knows How You Shop,” (New York Times June 28, 2014), available at http://www.nytimes.com/2014/06/29/technology/when-a-health-plan-knows-how-you-shop.html?_r=0
  9. Garla et al., “What do your consumer habits say about your health risk? Using third-party data to predict individual health risk and costs,” Paper 170-2013, SAS Global Forum (2013), available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.381.2705&rep=rep1&type=pdf.
  10. The original HIPAA Privacy Rule created the concept of business associates, who are service providers to covered entities.  In the HITECH Act, Congress extended the scope of coverage for portions of the HIPAA Rules to apply directly to these business associates. 
  11. 45 C.F.R § 164.506(a).
  12. P.L. 106–102, 113 Stat. 1338, enacted November 12, 1999.
  13. The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (February 2012), available at https://obamawhitehouse.archives.gov/sites/default/files/privacy-final.pdf (Appendix A). 
  14. 45 C.F.R. § 164.502(a).
  15. CALIFORNIA CIVIL CODE §§ 56-56.16.
  16. TEXAS HEALTH & SAFETY CODE § 181.001 et. seq (“Texas Medical Privacy Act”).
  17. S. 1842, 116th Congress, “Protecting Personal Health Data Act,” available at https://www.congress.gov/bill/116th-congress/senate-bill/1842.
  18. S. 1842, SEC. 4(a).
  19. “Consumer Data Protection Act” (discussion draft), available at https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%20Bill%20Discussion%20Draft%20Nov%201.pdf
  20. Intel, “Draft Model Privacy Law,” available at https://usprivacybill.intel.com/legislation/
  21. S.3744, “Data Care Act of 2018,” available at https://www.congress.gov/bill/115th-congress/senate-bill/3744.
  22. S.142, “American Data Dissemination Act,” available at https://www.congress.gov/116/bills/s142/BILLS-116s142is.pdf.
  23. S.1214, “Privacy Bill of Rights Act,” available at https://www.congress.gov/116/bills/s1214/BILLS-116s1214is.pdf.
  24. H.R. 2013 116th Congress, available at https://www.congress.gov/bill/116th-congress/house-bill/2013/text
Health Data Outside HIPAA: Simply Extending HIPAA Would Be a #FAIL (Mon, 20 Jan 2020) https://thehealthcareblog.com/blog/2020/01/20/health-data-outside-hipaa-simply-extending-hipaa-would-be-a-fail/

By DEVEN McGRAW and VINCE KURAITIS

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Early in 2019 the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) proposed rules intended to achieve “interoperability” of health information.

Among other things, these proposed rules would put more data in the hands of patients – in most cases, acting through apps or other online platforms or services the patients hire to collect and manage data on their behalf. Apps engaged by patients are not likely covered by federal privacy and security protections under the Health Insurance Portability and Accountability Act (HIPAA) — consequently, some have called on policymakers to extend HIPAA to cover these apps, a step that would require action from Congress.

In this post we point out why extending HIPAA is not a viable solution and would potentially undermine the purpose of enhancing patients’ ability to access their data more seamlessly:  to give them agency over health information, thereby empowering them to use it and share it to meet their needs.

In summary:

  • HIPAA’s rules were not designed to address privacy risks introduced by widespread personal information collection and use in the modern digital ecosystem.  
  • HIPAA’s rules were designed to support information flows within the health care system and allow for broad uses and disclosures of data by both covered entities and business associates without the need to obtain patient consent.
  • HIPAA is “leaky” — it expressly allows covered entities and business associates to share data outside of HIPAA, including selling de-identified data, without patient consent.
  • HIPAA’s rules protect data and also protect incumbents’ interests in controlling health data.
  • Ultimately Congressional action is needed to establish meaningful privacy protections for personal data.

Why Is This Issue Salient Now?

The HIPAA Privacy Rule has provided patients with the right to copies of their health information, from both health care providers and health plans, since its inception (original rule finalized in 2000) — and the proposed rules double down on HIPAA’s promise. They require certified EHRs to include functionality that affirmatively makes information available to patients through open standard application programming interfaces (APIs) and impose a separate penalty structure for “blocking” information sought by patients, either when they act on their own or seek to access information through selected personal health record apps or platforms.

Stakeholders have expressed concerns that patients will be taken advantage of by apps, which are not covered by HIPAA and which will use, share, and monetize sensitive health information without the patient realizing — or meaningfully consenting to — what is happening.  This is a legitimate concern. HHS and NCVHS issued recent reports on this issue, and concerns surfaced in recent news reports about how technology companies handle personal information undermine public and health industry trust in expanding the health data ecosystem.

This dilemma — how to make more data available to improve health and wellness (including by providing it to patients) while addressing privacy risks — has been explored in several prior posts in this series, including “Health Data Outside HIPAA:  Will the Protecting Health Data Act Tame the Wild West” and “Patient Controlled Health Data: Balancing Regulated Protections with Patient Autonomy.”

Options for Addressing Privacy Outside of HIPAA

The Federal Trade Commission (FTC) has authority to require commercial apps to adopt reasonable security safeguards and be transparent with customers and the public about their data practices, and FTC can hold companies accountable when they are not living up to promises in their privacy policies and terms of service. They are essentially the consumer privacy watchdog in the U.S., and they have had cases involving companies’ use and disclosure of health information. However, the FTC’s authorities are unlikely to sufficiently protect health data outside of HIPAA, and the FTC’s recent track record with respect to abuses of consumer trust, particularly with respect to large tech companies, has been the subject of harsh criticism.

States are getting more active in enacting strong consumer data privacy laws, but these laws may not effectively fill the gaps. For example, the California Consumer Privacy Act does not apply to personal data in consumer-facing apps and services that collect information on California consumers from provider medical records (because these apps are already covered by the state’s health privacy law) — and yet these are the very types of apps that will have greater access to information in certified EHRs under the ONC proposed rules.

Congress is considering legislation that would protect personal data — including health data — outside of HIPAA. While it is likely that Congress will take some action on personal data privacy, the scope of that legislation — and timing of enactment — is unclear, particularly in a presidential election year.

Should HIPAA Be Extended?

What about extending HIPAA to cover these apps? Couldn’t Congress get that passed relatively quickly? We had this debate back in 2008 during consideration of HITECH, and Congress rightly rejected it.  Consumers should have control of information in apps designed and marketed for their use.  HIPAA’s rules were not designed to address privacy risks introduced by widespread personal information collection and use in the modern digital ecosystem.  Instead, HIPAA’s rules were designed to support information flows within the health care system and allow for broad uses and disclosures of data without the need to obtain patient consent — and, except in the case of disclosures for payment purposes when the patient has paid out of pocket for care, even over the patient’s objections. 

The HIPAA Privacy Rule allows providers and health plans to use and disclose identifiable health information for treatment, payment, and “health care operations” — commonly known as TPO.  TPO disclosures are the most common, but they are not the only disclosures permitted without patient consent.  The disclosures in Exhibit A are all expressly permitted by the Privacy Rule.

Problems With Extending HIPAA to Consumer Apps

HIPAA Expressly Allows Covered Entities and Business Associates to Share Data Outside of HIPAA

Access by consumer apps to health information is not the only threat to information moving outside of HIPAA’s coverage. HIPAA’s “protections” have always facilitated the disclosure of patient data outside of the health care system without a patient’s authorization. Each time identifiable health information is disclosed pursuant to one of these permitted purposes (see Exhibit A), the information potentially moves outside of HIPAA coverage unless it is disclosed to another entity that is already covered by the Rule (for example, to another covered entity (like doctors sharing information with one another for treatment purposes) or to a business associate).  Consequently, identifiable data moves legally by providers and plans outside of HIPAA every day and has done so since the HIPAA Privacy Rule first went into effect.  The recipient of HIPAA data may be required to protect that data pursuant to another law (for example, state privacy laws governing state public health departments), but this is not guaranteed.

Vendors to health care providers and health plans — known as business associates — also can take advantage of the HIPAA Privacy Rule permitted uses and disclosures, as long as their contracts — their business associate agreements (BAA) — allow this. In many respects, making consumer-facing apps business associates under HIPAA would be doubly problematic:  such apps could then share data permissively without the consumer’s authorization per the Privacy Rule and the health care provider or plan also would control (through the BAA) how the app’s data could be used and shared. (After all, by definition HIPAA business associates work “on behalf of” covered entities.)  This hardly serves the goals of democratizing health care, empowering patients with their data so they can use it — and share it — as they see fit.

De-Identified Data Can be Shared and Sold

HIPAA also permits the disclosure — and even the sale — of “de-identified” patient data, as long as the data are de-identified to HIPAA standards. Business associates may de-identify data they receive from a covered entity and use it, share it, and sell it as they please, as long as their BAA permits this. (In the experience of one of the authors, this is a fairly common provision in BAAs.)    

De-identified data is not as risky as fully identifiable data, but the data are not at zero risk of re-identification. Monetization of de-identified data is fairly common in the health care industry.  Adam Tanner’s book, Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records, describes how HIPAA de-identified data are commonly linked across data sets to compile detailed profiles of particular patients, even though these patients are not “identified” by name. And although there are many beneficial uses of de-identified data (such as for research purposes), Tanner’s book details purchase and sale of data for what he refers to as “mundane commercial purposes.” In another example, Practice Fusion, a certified electronic medical record product, was initially free for doctors if they agreed to be advertised to based on patient data; their agreements with physicians also gave them the right to de-identify and monetize the data. Recently, Omny Health, a health tech start up that enables providers to “sell” their data, was voted by the audience as the most promising new technology at the Health 2.0 conference in 2019.  Since HIPAA does not require disclosure of recipients of de-identified data, it is difficult to understand the full scope of this activity in the health care system (an issue also discussed in Tanner’s book).

Consumers know very little about actual data practices of entities covered by HIPAA, as the HIPAA Notice of Privacy Practices is only required to include information about what uses and disclosures are permitted by HIPAA (not information on which uses and disclosures are actually occurring) and is only required to be provided to patients by covered entities (not business associates).  And as noted earlier, patients are not asked for consent to these information flows (and for the most part, cannot stop them).  

Conclusion

In summary, HIPAA’s rules both protect data and protect incumbents’ interests in controlling health data, which gives rise to some skepticism about the motives behind opposition to the proposed rule on “privacy” grounds. In our experience, entities covered by HIPAA rarely criticize it for being too lenient in its permitted uses and disclosures of health data.

U.S. policymakers are poised to take meaningful steps to make patients’ access to all their digital health a more seamless process.  Some stakeholders have even gone so far as to suggest that ONC/CMS should delay implementation of the rules. But asking to hit the pause button in the name of privacy seems particularly ironic, since giving individuals the right to copies of their information is a hallmark of fair information practices, the foundation for all privacy law. At the same time, the rosy vision of a patient empowered with her digital health data, using it and sharing it as she pleases, is threatened by an app ecosystem that is not sufficiently transparent about data practices, that does not provide users with meaningful choices, and is not held sufficiently accountable for harmful uses and disclosures and failure to be responsible stewards of health data. 

Congressional action to establish meaningful privacy protections for personal data – including health data – is needed but extending HIPAA to consumer apps is not the answer. In the interim, greater transparency of consumer health app data sharing practices can at least help consumers make better choices about apps that fit their needs and values – and doesn’t necessarily require further Congressional action if such transparency is voluntary. Demand exists for more information on which apps have the best policies and track records with respect to protecting data, so it is not hard to envision a market developing for app rating services. Voluntary codes of conduct for apps have already been developed by the CARIN Alliance, the Consumer Technology Association, and the AMA’s Xcertia initiative. (Full disclosure: one of the authors (McGraw) contributed to the CARIN Alliance Code of Conduct.) Providers and consumer advocacy groups can point people to resources that will help them make data sharing choices that are right for them.  These transparency measures can help address privacy concerns while we await more meaningful protections from Congress.

Deven McGraw, JD, MPH, LLM (@healthprivacy) is the General Counsel and Chief Regulatory Officer at Ciitizen (and former official at OCR and ONC). She blogs at ciitizen.com.

Vince Kuraitis, JD/MBA (@VinceKuraitis) is an independent healthcare strategy consultant with over 30 years’ experience across 150+ healthcare organizations. He blogs at e-CareManagement.com.

The Intrusion of Big Tech into Healthcare Threatens Patients’ Rights (Tue, 24 Dec 2019) https://thehealthcareblog.com/blog/2019/12/24/the-intrusion-of-big-tech-into-healthcare-threatens-patients-rights/

By ANDREW DORSCH, MD

The question of how much time I spend in front of the screen has pestered me professionally and personally. 

A recent topic of conversation among parents at my children’s preschool has been how much screen time my toddlers’ brain can handle. It was spurred on by a study in JAMA Pediatrics that evaluated the association between screen time and brain structure in toddlers. The study reported that those children who spent more time with electronic devices had lower measures of organization in brain pathways involved in language and reading. 

As a neurologist, these findings worry me, for my children and for myself. I wonder if I’m changing the structure of my brain for the worse as a result of prolonged time spent in front of a computer completing medical documentation. I think that, without the move to electronic medical records, I might be in better stead — in more ways than one. Not only is using them potentially affecting my brain, they pose a danger to my patients, too, in that they threaten their privacy. 

As any practicing physician can tell you, electronic medical records represent a Pyrrhic victory of sorts. They present a tangible benefit in that medical documentation is now legible and information from different institutions can be obtained with the click of a button — compared to the method of decades past, in which a doctor hand-wrote notes in a paper chart — but there’s also a downside. 

For one, while they are supposed to maximize the efficiency of documentation, the use of auto-filling “smart” phrases and other techniques designed to save time spent writing notes makes them that much more difficult to read. Bloated notes contain limited nuggets of useful information buried within reams of data, where they serve as treasure troves for data miners but as barriers to efficient communication between medical providers.

Aside from the fact that any type of screen time can potentially degrade the structure of my brain, more time spent face-to-screen and less time face-to-face with the patient drains the medical encounter of its essential humanity. 

If anyone can disrupt a human connection, it’s the big tech companies. Last month Google announced a collaboration with the Ascension medical system, which operates hospitals across the country. In a blog post, Google stated that they would utilize their cloud computing and artificial intelligence expertise to develop tools that enable care providers to “more quickly and easily access relevant patient information.” 

This isn’t new; the announcement followed collaborations between Google and academic medical centers such as Stanford, UCSF, and the University of Chicago.

Leveraging the large patient populations of these institutions, Google has developed technologies that intersect with patient care in ways ranging from the automatic recognition of words spoken during conversations in the doctor’s office to developing predictive models aimed at preventing unnecessary hospitalizations. These provide enticing solutions to the current drudgery of documentation.

But I am still hesitant to celebrate them. I’m already wary of big tech companies’ using and monitoring consumers’ private data and my concerns are only heightened by the entry of these businesses into the healthcare space.

The collaboration between Google and the University of Chicago, for example, is the focus of a lawsuit claiming that personal health information was shared without the express written consent of patients. Once companies like Google enter into the healthcare space, how do we know they will abide by the rules protecting the personal health information contained in medical records and, more importantly, who would know if they didn’t?

In an age where individuals can be identified from purportedly anonymous DNA samples and imaging algorithms have been used to identify individual faces reconstructed from routine MRI scans, Google’s being adjacent to — if not outright inside of — my and my patients’ medical files requires more protections than the Health Insurance Portability and Accountability Act (HIPAA) currently offers.

Back in 1996 the framers of the seminal privacy law didn’t anticipate that people’s activity, financial, and search data would be stored alongside — perhaps even among — our medical diagnoses and symptoms. Questions regarding the provenance, permission, and permanence of the meta-data linking these types of information may not have even been conceived of as it would not have been thought possible that the technology would know us better than we know ourselves.

If HIPAA is insufficient to protect us, it’s probably easier to amend it than stop the steamroller that is big tech. For one, HIPAA should include explicit provisions about separating medical data from what is essentially marketing data. Google is here to make a sale. I’m here to save lives. 

Efforts to approach the documentation problem at its source have been proposed by the Centers for Medicare & Medicaid Services, which will implement new requirements for clinical encounters in 2021. While these changes will make electronic medical records easier to manage, they will not make them safer from invasion. We need updated methods to protect all types of medical data and prevent the complete erosion of privacy that has already occurred with other online activities.

Andrew Dorsch, MD, is an Assistant Professor in the Department of Neurological Sciences at Rush University Medical Center in Chicago and a Public Voices Fellow with The OpEd Project. 

Patient-Directed Uses vs. The Platform (Wed, 18 Dec 2019) https://thehealthcareblog.com/blog/2019/12/18/patient-directed-uses-vs-the-platform/

By ADRIAN GROPPER, MD

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

It’s 2023. Alice, a patient at Ascension Seton Medical Center Austin, decides to get a second opinion at Mayo Clinic. She’s heard great things about Mayo’s collaboration with Google that everyone calls “The Platform”. Alice is worried, and hoping Mayo’s version of Dr. Google says something more than Ascension’s version of Dr. Google. Is her Ascension doctor also using The Platform?

Alice makes an appointment in the breast cancer practice using the Mayo patient portal. Mayo asks permission to access her health records. Alice is offered two choices, one uses HIPAA without her consent and the other is under her control. Her choice is:

  • Enter her demographics and insurance info and have The Platform use HIPAA surveillance to gather her records wherever Mayo can find them, or
  • Alice copies her Mayo Clinic ID and enters it into the patient portal of any hospital, lab, or payer to request her records be sent directly to Mayo.

Alice feels vulnerable. What other information will The Platform gather using their HIPAA surveillance power? She recalls a 2020 law that expanded HIPAA to allow access to her behavioral health records at Austin Rehab.

Alice prefers to avoid HIPAA surprises and picks the patient-directed choice. She enters her Mayo Clinic ID into Ascension’s patient portal. Unfortunately, Ascension is using the CARIN Alliance code of conduct and best practices. Ascension tells Alice that they will not honor her request to send records directly to Mayo. Ascension tells Alice that she must use the Apple Health platform or some other intermediary app to get her records if she wants control.  

Disappointed, Alice tells Ascension to email her records to her Gmail address. In a 2021 settlement with the Federal Trade Commission, Facebook and Google agreed that they will not use data in their messaging services for any other purposes, including “platforms”. Unfortunately, this constraint does not apply to smaller data brokers.

Alice gets her records from Ascension the old-fashioned way, by plain Gmail under the government interpretation of her right of access. The rules even say that Alice can request direct transmission of her records in an insecure manner such as plain email if she chooses. But Alice can’t send them directly to Mayo because Mayo, also following CARIN Alliance guidelines, insists that Alice install an app on her phone or sign up for some other platform.

Alice wonders how we got from clear Federal regulations for patient-directed access to anywhere to the situation where she’s forced to wait days for her records, receive them by email and then mail them to Mayo. Alice wonders.

It’s December 2019. 

This post is about the relationship between two related health records technologies: patient-directed uses of data and platforms for uses of patient data. As physicians and patients, we’re now familiar with the first generation of platforms for patient data called electronic health records or EHR. To understand why CARIN matters, the only thing about EHRs that you need to keep in mind is that neither physicians nor patients get to choose the EHR. The hospitals do. The hospitals now have bigger things in mind, but first they have to get past the frustration that drove the massively bipartisan 21st Century Cures Act in 2016. The hospitals and big tech vendors are preparing for artificial intelligence and machine learning “platforms”. Patient consent and transparency of business deals between hospitals and tech stand in their way.

A platform is something everything else is built on. The platform operator decides who can do what, and uses that power for profit. We’re familiar with Google and Apple as the platforms for mobile apps. Google and Apple decide. A platform for use of health data will have the inside track on machine learning and artificial intelligence for us as patients and doctors. The more data, the better. What will be the relationship between the hospital-controlled platform of today’s EHRs and tomorrow’s AI-enabled platforms? Will patients choose a doctor, a hospital, or just send health records to the AI directly? Will US health AI compete with Chinese AI given that the Chinese AI has access to a lot more kinds of data from a lot more places? The practices that will control much of tomorrow’s digital health are being worked out, mostly behind closed doors, by lobbyists, today.

Three years on, the nation still awaits regulations on “information blocking” based on the Cures Act. Even so, the American Health Information Management Association (AHIMA), American Medical Association (AMA), American Medical Informatics Association (AMIA), College of Healthcare Information Management Executives (CHIME), Federation of American Hospitals (FAH), Medical Group Management Association (MGMA), and Premier Inc. are sending letters to House and Senate committees hoping for a further delay of the regulations.

Access to vast amounts of patient data for machine learning is also driving efforts to weaken HIPAA’s already weak privacy provisions. Here’s a very nice summary by Kirk Nahra. Are we headed for parity with Chinese surveillance practices? 

For their part, our leading health IT academics propose “… strengthening the federal role in protecting health data under patient-mediated data exchange…” Where is this data we’re protecting? In hospital EHRs, of course. We’re led to believe that hospitals are the safe place for our data and patient-directed uses need to be “balanced” by the risk of bypassing the hospitals and their EHRs. Which brings us back to CARIN Alliance as the self-appointed spokes-lobby for patient-directed health information exchange.

According to CARIN, “Consumer-directed exchange occurs when a consumer or an authorized caregiver invokes their HIPAA Individual Right of Access (45 CFR § 164.524) and requests their digital health information from a HIPAA covered entity (CE) via an application or other third-party data steward.” (emphasis added) A third-party data steward is a fancy name for platform. But do you or your doctor need a platform to manage uses of your data?

HIPAA does not say that the individual right of access has to involve a third-party data steward. We are familiar with our right to ask one hospital to send health records directly to another hospital, or to a lawyer, or anywhere else using mail or fax. But CARIN limits the patient’s HIPAA right of access dramatically: “All of the data exchange is based on the foundation of a consumer who invokes their individual right of access or consent to request their own health information. This type of data exchange does not involve any covered entity to covered entity data exchange.” (emphasis added)

By restricting the meaning of patient-directed access beyond what the law allows, everybody in CARIN gets something they want. The hospitals get to keep more control over doctors and patients while also using the patient data without consent for machine learning and artificial intelligence in secret business deals. The technology vendors get to expand their role as data brokers. And government gets to outsource some of its responsibility for equity, access, and patient safety to private industry. To promote these interests, the CARIN version of patient-directed access reduces the control that physicians as well as patients have over data uses, far beyond any limit the law itself imposes.

The CARIN model for digital health and machine learning is simple. Support as much use and sale by hospitals and EHR vendors without consent as possible, while also limiting consented use to platform providers like Amazon, Google, IBM, Microsoft, Oracle and Salesforce, along with CARIN board member Apple.

CARIN seems to be a miracle of consensus. They have mobilized the White House and HHS to their cause. Respected public interest organizations like The Commonwealth Fund are lending their name to these policies. Is it time for this patient advocate to join the party?

Some of what CARIN is advocating by championing the expansion of the FHIR interface standards is worthwhile. But before I sign on, what I want CARIN to do is:

  • Remove the scope limitation on hospital-to-hospital patient-directed sharing.
  • Suspend work on the Code of Conduct – here’s why.
  • Separate work on FHIR data itself from work on access authorization to FHIR data.
  • Do all work in an open forum with open remote access, open minutes, and an email list for discussion between meetings. Participation in the HEART Workgroup (co-chaired by ONC), which is also designed to promote patient-directed uses, would be part of this.

Digital health is our future. Will it look like The Mayo Platform with Google and Google’s proprietary artificial intelligence behind the curtain? Will digital health be controlled by proprietary and often opaque Google or Apple or Facebook app store policies?

The CARIN / CMS Connectathon and CARIN Community meeting are taking place this week. Wouldn’t it be a dream if they would engage in a public conversation about these policies from Alice’s perspective? And for my friends Chris and John at Mayo: what can they do to earn Alice’s trust in their Platform by giving her and her doctors unprecedented transparency and control?

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country.
