Yesterday, the Center for Democracy & Technology (CDT) issued comments to a proposed rule from Health and Human Services (HHS). The proposed rule makes significant changes to health privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA). Most of HHS’ proposed modifications were positive from a health privacy perspective, and CDT supported these. However, several other proposals would be detrimental to patient privacy if HHS chooses to implement them. The proposed rule deals with numerous health privacy issues, and this blog post will summarize our comments on four of them.
[For more on the contents of the proposed rule, please see my earlier blog post and policy post. And check here for CDT’s position on HHS’ proposal to remove privacy protections from the health information of the dead.]
Marketing: When a company gives money to a covered entity (such as a hospital or pharmacy) to send out a communication encouraging patients to try or buy a product, that communication is marketing. Covered entities should be required to obtain patient consent before sending out such communications, regardless of whether the communication is sent to an individual or to a population (e.g., everyone with diabetes). Congress created an exception to this rule for drugs that the patient is currently taking, and CDT recommended that HHS apply the exception to generic equivalents as well.
Business associates: Business associates are organizations that have contracted with covered entities to perform functions on their behalf. They are required to have a contract with the covered entity, called a “business associates agreement,” which lists their duties, such as privacy protection. Congress made business associates directly responsible for complying with HIPAA’s privacy requirements, rather than merely contractually obligated to do so through their agreements.
CDT supported this modification, but believes that broadly-worded agreements can allow business associates to inappropriately use patient data for purposes other than those the business associate was contracted to perform. To close the loophole, HHS should require the agreements to list with specificity those functions the business associate will perform for the covered entity, and limit the business associate’s use and disclosure of patient data to those specific functions.
Research: HIPAA requires covered entities to obtain patient authorization to use or disclose patient data for research, and HIPAA prohibits covered entities from conditioning a patient’s treatment or payment on obtaining an authorization from the patient. However, there is an exception to this general rule that permits conditioning research-related treatment on an authorization for the research itself. The proposed rule would allow covered entities to combine conditioned and unconditioned authorizations for research.
CDT urged HHS to develop a more comprehensive approach to patient privacy for research, rather than the current system, which relies too heavily on patient consent. Although compound authorization forms are reasonable in theory, patient understanding of the difference between conditioned and unconditioned treatment is crucial. HHS should issue guidance on how best to structure compound authorizations to maximize patient awareness. HHS should also require authorization requests for future research to detail the purposes of the future research.
Individual access: Patients have the right to request access to or copies of their personal health information. Current regulations give health care providers thirty days to respond to the requests, with the possibility of a thirty-day extension. In the proposed rule, HHS stated that it wants to reduce this timeframe for electronic health records.
HHS deserves praise for its initiative to reduce the time it takes for patients to obtain copies of their records. CDT recommended that HHS adopt a timeframe of three business days for providers to respond to patient record requests. The recently-issued rules for the massive “meaningful use” program established a three-day timeframe requirement for record requests, clearly indicating that HHS believes this is an achievable turnaround time. CDT also urged HHS to encourage health care providers to adopt the capability to allow patients to download their health information.