In September, Senator Cassidy issued a request to help identify solutions to modernize HIPAA and ensure that all health data in the United States is adequately protected. On February 21, his office “outlined ways to improve privacy protection of Americans' sensitive health data” in a published report based on feedback from industry groups, hospitals, electronic health records vendors, medical technology companies and think tanks. The report makes several recommendations, including:
- Modernizing the HIPAA framework.
- Protecting health data in the HIPAA gray area that is not covered by HIPAA; and
- Regulating data outside of HIPAA.
Recognizing that the United States lacks a comprehensive data privacy law and that states have developed disparate legislation, the report calls on the Senate Health, Education, Labor, and Pensions Committee (HELP Committee) to be at the forefront of privacy law development, because “the healthcare sector needs to play a clear role, with clear considerations.” It focuses on collected information and proposes increased regulation of health/wellness data, biological samples, genetic data, research, and other types of information in the “gray area,” such as financial data, geolocation data, and biometric data.
Improving HIPAA to account for technological advances and digital care
The report includes specific recommendations to improve protections suitable for more technologically advanced digital health systems. Specifically, it proposes the following for Congress:
- Minimum Requirements – Congress should direct the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to provide clear guidance on how the minimum standards align with other regulatory requirements, including the health data system interoperability requirements mandated by the 21st Century Cures Act.
- Access/Third Party Directive Request – Congress should more clearly define what requests are subject to patient charges to ensure that only genuine requests on behalf of patients benefit from them.
- Coordinate the processing of all health data – Congress should continue the efforts begun in the Coronavirus Aid, Relief, and Economic Security (CARES) Act to remove “outdated and complex barriers” to sharing Part 2 data (including substance use disorder information), ensure the complete integrity of all health data within an organization under HIPAA, and ensure that HIPAA remains the federal floor protecting medical records.
- Patient ownership of medical data – Congress should clarify how patient health information can and cannot be used in research, giving patients “confidence in autonomy over their health information,” and creating future developments. This is because of concerns about allowing health information (even anonymized data) to be used in datasets created by the government. Artificial intelligence (AI) tools can erode patient ownership and autonomy over the use of their health data.
The report takes the position that HIPAA can function better with individual updates and clarifications to the existing framework, and points out that a major rewrite of HIPAA would fundamentally overturn decades of case law and established precedent and lead to confusion in patient care. However, the report also encourages reassessment and possible changes to fundamental elements, such as the exclusion of anonymized data and research activities.
Closing the health data gap in the HIPAA “gray zone”
A common theme throughout the report is concern that treating certain health data under different legal regimes can create uncertainty and confusion and lead to inappropriate withholding or disclosure of health information. This is especially problematic for data that falls into the “gray zone” of medical information, which is not explicitly covered by HIPAA but can still have “significant implications for patient privacy and health.” These areas include:
- Intake services (such as online intake forms to identify potential providers).
- Health data removed from HIPAA (such as records shared pursuant to an access request or directed disclosure).
- Patient-generated health data.
- Data generated by sensors; and
- Genetic data from DTC testing.
The report calls on Congress to provide clarity for businesses and patients to address these “gray areas” by:
- Requiring that developers of consumer wellness applications and devices make it clear to consumers that information generated from the use of wellness apps is not covered by HIPAA.
- Preventing consumer discrimination based on the collection of identifiable health data from sensors on wearable technologies (such as menstrual trackers, pedometers, smart watches with accelerometers and sudden fall sensors).
- Building on existing state law and industry principles to legislate appropriate notice and consent requirements and safeguards that protect consumers and meet their expectations.
- Considering ways to extend additional protections to genetic data collected by DTC genetic testing laboratories. This includes requiring DTC companies to disclose that the genetic data they collect is not subject to HIPAA and implementing certain human subject research protections; and
- Exploring specific areas where OCR's guidance is inadequate and in need of updating, to help address concerns that OCR's interpretation of HIPAA has not kept up with a more digital health care system.
The report also suggests additional requirements for non-traditional entities such as large technology companies operating in the healthcare sector. For example, the report suggests that non-traditional entities operating in the healthcare sector:
- Be subject to “HIPAA-like” protection and increased transparency requirements.
- Provide users with notice when health information generated under the HIPAA framework is transferred from a HIPAA covered entity to a non-HIPAA environment.
- Explain in plain language upfront how personal data will be collected and shared.
- Provide clear information about their practices to help consumers decide whether they are comfortable using a particular wellness app; and
- Obtain explicit patient consent before selling or disclosing data to third parties.
Some of these recommendations are already required by HIPAA, state consumer privacy laws, and state health privacy laws, or may unintentionally cause significant confusion and a lack of clarity for individuals and entities.
Streamline non-HIPAA data requirements
The report calls on Congress to implement comprehensive data privacy reform, including recognizing HHS OCR as the primary enforcement agency for health data. The report acknowledges that many regulators and states have issued their own proposals and initiated enforcement actions, and states that such approaches are unfeasible and risk building a tiered system in which certain types of health data are protected more than others. The report calls on Congress to consider how best to balance existing enforcement, warning that the Federal Trade Commission (FTC) is seeking to become more involved and to expand the scope of its authority through the Health Breach Notification Rule. The report is especially concerned about non-HIPAA data, such as location information, financial data, internet searches, and biometric data, which can become subject to many rules as each sector seeks to develop its own.
While the report encourages efforts to improve interoperability, it says Congress needs to build guardrails around how health data is shared in order to improve patient privacy and create a more sustainable framework for future information sharing. The report urges Congress to consider legislation similar to that in place in several states, creating a federal floor for gray zone and non-HIPAA health data, providing regulatory certainty, and allowing states to continue to supplement requirements to meet their individual needs.
This report highlights several areas that need attention and suggests where Congress and federal agencies may focus their efforts as they consider updates to HIPAA and further regulation of health information. It serves as an early indication of what is possible. It is important for those working in the health and wellness field to closely monitor these developments and engage as appropriate with policy makers on these issues.