Personal health information is no longer private, and HIPAA is almost 25 years old.
That’s one way of summing up the problems laid out in a recent commentary at HealthAffairs, in which Lisa Bari and Daniel P. O’Neill, two longtime health IT professionals working at the federal level, argue that US privacy laws need significant updating in order for digital technology to live up to its promise in health care.
For starters, the two lay out quite clearly how, despite good intentions and public promises, health data is increasingly at risk. “Social media platforms, wearable fitness trackers, and apps to manage pregnancy and mental health all collect health data that can be shared for advertising purposes and appended to medical records and other consumer information,” they note, adding, “even when health information is stripped of personal identifiers, it can often be re-identified with low effort.”
In short, they argue, (w)ith rapid growth in the range and volume of patient data, which is available in digital form, the limits of the HIPAA framework—now almost a quarter century old—merit legislative attention. Without clear guardrails, public trust may crumble in the face of repeated scandals and so undermine the potential for digital health to facilitate an era of more accessible, coordinated, and personalized care.”
To address the challenge and shore up privacy protections for the digital health era, the two recommend five proposals “to adapt the HIPAA framework to protect privacy as patients and clinicians embrace new data-driven tools to manage their health and deliver care.”
First, “define individually identifiable health information as an inherently protected class of data, rather than a class that is protected only when created or held by certain entities.”
Second, create “new definitions of individually identifiable health information ‘custodians’ and ‘processors,’ whose obligations (and liability) are like those of covered entities and business associates under existing law.”
Next, give individuals the “individuals’ right to access, amend, and delete individually identifiable health information” no matter who the custodian or processor may be, as well as the right to “know about and control the use or disclosure of their own data, including any participation in de-identified data sets used for research purposes.”
Conversely, they urge lawmakers to “codify the permitted uses of such individually identifiable health information, absent explicit, ongoing, and granular patient consent.” For example, they say, “a heart rate monitor worn for fitness could be permitted to use the data to share personalized, clinically validated health information for the patient’s benefit, but could not use the same data to power targeted advertising, which would benefit the company that produces the monitor.”
Finally, “specify clear parameters for consumer-friendly and revocable consent, for any use or disclosure of data” beyond those previously identified permitted categories.
The bottom line, they say, is that “the market is charging ahead,” and while the myriad changes to come will increase data access options for patients while helping doctors provide more personalized care, those changes will be most productive if legislators adapt HIPAA “to facilitate responsible, constructive innovation and ensure patient confidence in the new world of digital health.”