We Must Go Beyond New HHS Rules to Better Protect Sensitive Health Information
As government leaders, policymakers, and technology companies continue to navigate the global coronavirus pandemic, CDT is actively monitoring the latest responses and working to ensure they are grounded in civil rights and liberties. Our policy teams aim to help leaders craft solutions that balance the unique needs of the moment, while still respecting and upholding individual human rights. Find more of our work at cdt.org/coronavirus.
Data revealing details about our physical and mental health is everywhere, even in places we may not even think to look. It takes the form of medical records prepared by our doctors, DNA analyses, output from fitness tracker and health apps, web-browsing history, social media habits, and geolocation data. All of these data points have the ability to reveal probative information about our physical and mental health. Current efforts being considered and undertaken by governments, health organizations, and industry to confront the COVID-19 pandemic demonstrate just how prevalent this data is and how valuable it can be. Indeed, these data points have incredible potential to confront Coronavirus and improve our health, but sometimes this data falls outside of our control and is used in ways that we, as patients and consumers, never intended.
This focus on health data underscores the importance of recent action taken by the U.S. Department of Health and Human Services (HHS) that will make health data held by doctors, insurance companies, and similar entities available for download by patients. This is a crucial component of patient rights, but once health records leave the protection of HIPAA, they do not have clear and enforceable privacy rights out in the open data ecosystem. It is past time to get to work developing the best ways to coexist with this unregulated data – whether it is created by doctors or consumer-facing services and devices – so that we may utilize it in ways that truly empower patients to achieve desired health outcomes and better protect their privacy.
Current laws governing the privacy of health data
Consumer data, including data about health, is not regulated by a single national privacy framework. What protections apply depends on who holds the data. Currently, there is a patchwork of federal and state laws that can apply to certain sets of health data. The one most people are likely familiar with is the Health Insurance Portability and Accountability Act (HIPAA). Enacted in the late 90s, HIPAA and its subsequent Privacy Rule gives individuals rights regarding the use and disclosure of their health data within the healthcare system. So long as your health data is controlled by your doctor or your health insurer, you as the patient have some enforceable privacy rights protecting that data from unwanted disclosure.
HIPAA also gives patients the right to access and, if they wish, move their personal health data outside of HIPAA covered entities. Importantly, once that health data lands in the hands of an entity outside of HIPAA, the accompanying HIPAA privacy protections no longer apply and those records are treated the same as any other information held by individuals or companies. It is likely that HHS’s recently finalized Interoperability Rules will result in even more health data, including medical records, falling outside the boundaries of HIPAA privacy protections.
Allowing patients to have access to their health records and the ability to store them where they wish empowers individuals. CDT supports the goal of giving patients better access and control over their individual health records, but we continue to have concerns with the lack of adequate privacy protections found in the HHS rules.
The impact of new rules governing the release of data held by HIPAA entities
So, we now find ourselves incentivised and empowered to move health data into applications and services that lack a uniform set of privacy protections. While we continue to wait for a comprehensive national consumer privacy bill, there is a void where privacy protections should exist. The resulting privacy gap leaves individuals vulnerable to having their sensitive personal health information repurposed, misused, and even exploited or disclosed to their detriment.
Congress continues to make inroads on a comprehensive privacy law that would better protect all unregulated data. However, it tends to work slowly. We should do several things to prepare for inevitable change by working together now to develop and implement meaningful privacy protections for consumer health data.
To that end, we need to tackle some challenging questions like what types of data are we actually talking about – i.e., what is health data? It clearly encapsulates more than just our doctor’s records. We should also consider if there are certain types of data that are so sensitive, like individual DNA analysis, that should garner greater protection. Moreover, are there certain uses that should simply be taken off the table – like personalized, targeted ads based off of a doctor’s notes? Let’s also not forget key considerations around individual control and corporate responsibilities. Finally, this data is also potentially very powerful and insightful, so how should we best leverage it for research and the development of life-saving treatments while also protecting individual privacy? Thankfully, several industry players, associations, government agencies, and advocates have advanced ideas regarding how best to address these issues. CDT is committed to working together and developing answers to these questions. That’s why CDT is working with the eHealth Initiative Foundation and the Robert Wood Johnson Foundation, along with dozens of partners, to build options that better protect patient privacy. The signs are everywhere. It is time to act. And while we continue to wait for federal legislation, there are solutions that we can implement today to protect the privacy of our health data.
