Groups Call for Alignment of HIPAA Privacy Rule, Other Regs
Organizations Express Concerns About HHS' Proposed HIPAA Changes
As the Department of Health and Human Services weighs potential modifications to the HIPAA Privacy Rule, regulators must consider aligning those changes with other health data regulations that deal with privacy, patient access to records and secure exchange of electronic health information, some industry groups commenting on the proposal say.
The Healthcare Information and Management Systems Society went further, commenting: "Our nation needs a comprehensive health privacy law that encompasses all these issues from a broader perspective and one that is implementable."
HHS' Office for Civil Rights, or OCR, which enforces HIPAA, will review the public comments before deciding whether to make changes and move forward with issuing a final rule or a revised proposed rule.
HHS says the proposed changes in the HIPAA Privacy Rule are aimed at strengthening individuals’ rights to access their own electronic health information; improving health information sharing for patient care coordination and case management; facilitating greater family involvement in the care of individuals experiencing emergencies or health crises; and enhancing flexibilities for disclosures during public health emergencies, such as the opioid addiction epidemic and the COVID-19 pandemic.
Several industry groups commented, however, that certain proposals could create more confusion among healthcare organizations because they do not align well with other regulations. They also argued that some of the proposed changes would introduce new security and privacy risks.
For instance, the 21st Century Cures Act's health IT interoperability and information blocking regulations that recently went into effect allow patients to access their health information via smartphones and application programming interfaces.
The College of Healthcare Information Management Executives, which represents CIOs and CISOs, raised concerns that in the proposed HIPAA changes, the agency defines "personal health application" as a direct-to-consumer application used for the individual’s own purposes that would fall outside the scope of HIPAA's protection.
"PHAs are not subject to HIPAA privacy and security obligations and, thus, can share patient protected health information," CHIME writes. "While we support the definition of PHA, CHIME is concerned about the privacy implications of proposals in this proposed rule to require covered entities to transmit electronic health information to PHAs without requiring those PHAs to include privacy controls."
CHIME notes that because PHAs fall outside the scope of HIPAA, there are no controls in place for PHA vendors, such as business associate agreements, to help support privacy and security of patient information.
"How does OCR plan to ensure patient data is not used in ways not intended by patients?" CHIME asks. "And, how will this work alongside more stringent state laws?"
The American Hospital Association voiced similar concerns about personal health applications.
"In order to protect patients and prevent unreasonable demands on providers, it is essential that the definition of 'personal health application' be limited," the AHA writes.
"Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records."
CHIME also notes that OCR has proposed that a covered entity may require all personal health applications to "register" before the entity provides the app access to the patient's information. But it voices concerns about expecting covered entities to vet the PHAs allowed to access patient data.
"How does OCR envision this will work when providers find an app has been built by a nation-state or actor that has been designated by the federal government as an entity we should not do business with?" CHIME asks.
"What will happen if citizens here download the app? Will providers still be required to share data with that app at the direction of the patient? Given the historic challenges faced by our sector with ever-growing cybersecurity threats, it’s imperative that we do not jeopardize patient data or national security."
Some industry groups, including HIMSS, urged HHS OCR to align any potential HIPAA Privacy Rule changes with other regulations, including the provisions of the 21st Century Cures Act regulations, as well as the Confidentiality of Substance Use Disorder Patient Records regulations, more commonly known as 42 CFR Part 2. The latter pertains to patient records associated with federally assisted substance use disorder treatment programs.
"Federal agencies must work together to foster the development of robust, up-to-date privacy and security frameworks and guidance to encourage widespread adoption, acceptance and trust of new, innovative technologies that support the free flow of information between patients and providers," HIMSS says. "States also have a role to play in how their laws interact with federal data privacy regulations."
Privacy and security are "inextricably linked," HIMSS says. "And the concerns in the cybersecurity world are even more manifest with respect to privacy, HIPAA and the interoperability regulations. For this reason, HIMSS supports greater alignment and harmonization of federal and state health data privacy laws, including HIPAA."