Taken together, the ONC Cures Act and the CMS Interoperability and Patient Access Final Rule were generally applauded for boosting patient access to their clinical data, but they also re-ignited a debate about data privacy and appropriate usage, as some advocates felt the HIPAA framework requires amending to protect privacy as patients and clinicians embrace new data-driven tools to manage their health and deliver care.
Then the COVID-19 pandemic hit, and it raised the data privacy debate to a whole new level. The emergency powers granted to public health agencies, combined with the power of smartphone technology, could allow tracking of individuals in ways never seen before in the United States.
In a recent essay on the Electronic Frontier Foundation website, Adam Schwartz and Matthew Guariglia argue that there is a hazard that any data surveillance infrastructure built to contain COVID-19 could long outlive the crisis it was intended to address. “The government and its corporate cooperators must roll back any invasive programs created in the name of public health after the crisis has been contained,” they write, adding that “any government use of ‘big data’ to track virus spread must be clearly and quickly explained to the public. This includes publication of detailed information about the information being gathered, the retention period for the information, the tools used to process that information, the ways these tools guide public health decisions, and whether these tools have had any positive or negative outcomes.”
In a Q&A with Healthcare Innovation’s Rajiv Leventhal, the Mayo Clinic’s John Halamka, M.D., stressed that the key to success would be to make contact tracing using smartphones voluntary and anonymous. He says this presents a fascinating informatics challenge: protecting privacy while at the same time having people share geo-location for the purposes of understanding contact tracking.
Expanding on HIPAA
In December 2019 Bari co-authored a paper in Health Affairs that suggested several changes to health data privacy laws. One was to define individually identifiable health information as an inherently protected class of data, rather than a class that is protected only when created or held by certain entities. “If my patient data is held by a covered entity under HIPAA, it is protected while inside the digital walls of that organization, but as soon as I use my right of access, which has been further strengthened by the ONC and CMS rules, and take my data via standardized API to a third-party app that I use on my phone, the data is no longer protected under HIPAA,” Bari explains. “The data is the same. It is still individually identifiable health information, which is very personal and private. I want to be able to use it, but I want it to be protected. And I don’t want apps to advertise or sell the data in a way that I am not in agreement with. Just because the data has moved to a new location doesn’t mean it changes. The data itself should be inherently protected, not just based on its location. That is important.”
Bari also suggests codifying the permitted uses of such individually identifiable health information, absent explicit, ongoing, and granular patient consent. The fact that patients may not understand the ramifications of what they are consenting to is problematic. “That is a huge deal in every consumer-facing application,” she says. “We have the classic problem of terms of service that nobody reads and everyone agrees to. It is incredibly important with health information. Specifically, we want to make it clear that apps or third parties or other non-covered entities have to apply a fiduciary principle that they can’t do something that is not in the best interest of the individual, much like what clinicians already have to do.”
Steven Lane, M.D., is a practicing primary care physician and clinical informaticist at Sutter Health in Northern California, where he serves as clinical informatics director for privacy, information security and interoperability. He agrees with Bari that health data privacy laws need refreshing. “If you give your data to a vendor that is not covered by anything more than the FTC’s requirement that the vendor follow their own terms and conditions, it creates a real problem for a lot of people,” Lane explains. “We do need some guiding legislation. We need something new that is not HIPAA but that is informed by our decades of experience with HIPAA.” Like Bari, Lane stresses it is about the data, not about who is holding it. But he admits that allowing an individual to break down every piece of data about them and make a choice about what purpose it can be used for and who it can be shared with — “from a policy or legal perspective, that doesn’t exist, and it is a really thorny problem,” he says. “There was a ton of work put into HIPAA over years, but it is sorely outdated. That is the issue.”
Codifying permitted uses
Lane also agrees with Bari about codifying permitted purposed. Under HIPAA, data is shared for treatment, payment and operations (TPO). “We understand treatment and payment, but operations can be broad,” he says. “Operations include a bunch of things that need to be enumerated and codified so people know what is going on. Today, data can be accessed for a permitted purpose, and then once you have it, you can use it for any other permitted purpose. That is a problem. I could send data to an HIE or payer, and say you are getting it because you perform some care coordination function. But once you have this data, you can use it for risk stratification or to inform prior authorization decisions. You get into thorny issues about contracting between payers and providers and underwriting for the population.”
The legislative front
Because of the pandemic, there have been rumors that the CMS and ONC rules could be delayed, but Lucia Savage, chief privacy and regulatory officer at Omada Health and former chief privacy officer at ONC, says “the need for people to have access to their own data is more acute now than ever. Because of the pandemic, you can’t go to the hospital for a paper copy of your record. You are not allowed to, but you might need those records.”
Before the COVID crisis, there was some momentum in Congress about updating consumer privacy laws, with as many as a dozen proposals in the works, she says. “I think Congress is rightfully paying attention to the economy and the COVID crisis, so these bills have come to a halt for the time being, but I don’t think anyone who is thoughtful in this space would say there shouldn’t be some revisions to privacy laws. Even Google, Apple and Microsoft have said we need a better comprehensive national law.” She says Alastair Mactaggart led the ballot initiative campaign that would eventually lead to the creation of the California Consumer Privacy Act (CCPA) in part to goad Congress into taking action on a national scale.
With COVID-19 in the spotlight, Bari doesn’t anticipate sweeping data privacy legislation in the U.S. in the next year or so. “A few things could change that, in my opinion,” she says. “The first could be 20 or 30 states passing copycat legislation of the CCPA. That starts to create problems for the federal government in terms of coordinating with the states. So if there were enough state activity, they could push Congress to act.”