Last week, a proposed bipartisan bill hefted the congressional health data privacy discussion off of the back burner and reignited the potential for The Health Insurance Portability and Accountability Act (HIPAA) modernization, or the potential for a federal health data privacy law.
As HIPAA was drafted long before the sector’s digital innovation efforts, as well as the remote care tech and consumer-driven health apps, there are a number of critical regulatory gaps.
In 2019, it seemed as if individual congressional members would introduce new health privacy proposals each week outlining their take on the best way forward to combat systemic health data challenges. Most of these bills centered around health data that fell outside of HIPAA regulation.
The Department of Health and Human Services itself put out a request for comment on its proposed plan for overhauling the outdated rule in late 2018, but the agency has been silent on these efforts with the change in administration and the ongoing response to the pandemic.
Some have even called for HHS to take care of these issues with its own rules, particularly with the increased use of APIs for ongoing interoperability efforts. But industry stakeholders warned that it’s Congress that holds the onus for health data privacy regulation and consumer protection rules that apply to consumer-facing health apps.
While many proposed initiatives and legislation have received strong feedback, any progress for health data privacy efforts have remained stagnant during the pandemic response for the last two years.
Rather than continue on the previous method of individual opinings, the newest proposed legislation would gather a commission centered on discussing these key challenges in an actionable way, including feasibility and cost effectiveness. The proposal’s directional shift holds potential for actually jumpstarting the long-overdue health data privacy overhaul in the U.S.
Particularly, as the health data commission was proposed in 2016 by Lucia Savage, chief privacy and regulatory officer for Omada Health, during her tenure as HHS Office of the National Coordinator chief privacy officer.
Savage and her team sent a report to Congress in 2016 on this exact issue: “examining the difference between HIPAA privacy rules and those outside HIPAA.” Just two administrations ago, her team recommended the establishment of a commission, as it’s “through a commission that policy makers can become better informed.”
As federal privacy law has not changed since 2016, a commission can inform Congress “not only about the state of the law, but also about how even if the laws are different, to consumers the tech is the same.” A commission can also provide a platform for sharing information and hashing out differences.
Indeed, when the wave of health data privacy discussions occurred in 2019 — with much talk and struggle to make any real progress, the one thing both parties could agree upon was that any federal health data privacy law would require bipartisan support.
During a December 2019 hearing on a possible unified federal privacy law, Sen. Richard Blumenthal, D-Conn., explained that U.S. individuals are “angry and scared” and pushing for a national law, stressing he did not believe every state would draft its own law.
At the time, it became clear that Congress hoped that a federal privacy law “won’t create too much inconsistency, but that’s where we are going if we fail to act.”
Time to "eat the elephant" in small pieces?
Instead of introducing ideas for patient consent, a federal data standard, or the establishment of a federal data protection agency, the latest bill would set up a federal commission to examine the current challenges to securing and regulating data that falls outside of HIPAA, as well as privacy challenges facing consumers due to third-party data sharing among health apps.
Two years later, Blumenthal’s sentiments remain true. As Savage explained, one issue a possible commission could focus on with careful attention is whether Congress will write “a law for privacy of health information or for general consumer privacy protection.”
“The truth is, that although we’ve had dozens of privacy-improving federal proposals since the Cambridge Analytica scandal erupted in 2018, none has gotten significant traction,” said Savage. “Maybe it's time to eat the elephant in smaller chunks and start with some of the information people worry about the most, their health information.”
“That’s how I see this proposal working: examine whether it makes sense to ensure all health information, wherever collected and used, is treated the same. I recognize, however, that this narrower focus leaves the other issues of consumer privacy untouched,” she added.
As the regulatory clock continues to tick away to interoperability and info blocking efforts, a commission to examine health data privacy could not come at a more ideal time. For Dan Golder, a principal at Impact Advisors, the hope is that any proposed legislation will modernize HIPAA, while perhaps pulling the reins in a little on interoperability to provide a strong balance.
Further, the commission should examine provider burden. As all industry stakeholders know, any added regulatory hurdles or challenges for providers are often met with a great deal of pushback. Meaning, “is the cure going to be worse than the disease.”
“There doesn't have to be a provider burden at all,” said Golder. “We don't have to make it difficult for providers. We don't have to make it difficult for patients. Technically, it might be really difficult. But I think that’s where the challenge lies.”
The hope is that the commission can find a way to strike a much needed balance, while raising patient awareness on privacy risks, particularly around third-party apps, permissions, and potential tracking. Golder stressed that it’s critical to sharing health information, as an imperative for improving care and outcomes.
But the trick is: “How can we do that safely, effectively, and maintain privacy and security for the patients?” As it stands, consumers freely share their data and immediately lose control over who’s seen it, using it, and the manner it’s used, he explained.
“That's the real goal here and the real challenge, and unfortunately, it's not going to be easy,” said Golder.
Sharing health data in age of hyper-connectivity
Like most things in healthcare, regulatory speed is much slower than innovation. In healthcare, it’s a particular issue as tech modernization and digital health are much needed. But far too often those efforts far outpace supportive regulation to accomplish these needs in a secure fashion.
Those in the industry, both tech and healthcare, are well-aware of how this hyper-connectivity has fueled data sharing and the challenges of understanding where the data is being stored, used, or even protected. Even for leaders, there’s an element of faith that the parties that hold our data are doing the right things.
“But I think if people really realized how much of their information is being shared, I think there would be some open eyes,” Golder added.
It’s that need for trust, above all else, that begs for a commission to examine these issues and improve transparency for both consumers and the businesses serving them.
In the digital health space, Savage noted that “too often consumers, researchers, and policy makers conflate the communications medium (an app), with the business model (ad tech vs. clinical grade healthcare services).
“For digital health and especially virtual-first healthcare providers like Omada, improving understanding that the app is the method behind legitimate, private, and HIPAA-regulated use of health information to deliver clinical-grade healthcare, can only be helpful,” Savage added.
In an ideal world, that would mean the commission would focus on what Golder’s termed “patient awareness.” Consumers should know what data has been shared and to whom, as well as methods for rescinding those permissions and retracting data access, or even the data itself.
As it stands, there is currently no solution for that. The E.U. has The General Data Protection Regulation, a highly restrictive privacy regulation that heavily burdens companies, while vastly protecting patient privacy.
However, given the overall complexity of the U.S. healthcare system, such a rule would be a near-impossibility.
The challenge ahead: Health data vs. consumer data
The complex challenges faced by healthcare and policy measures gets at Savage’s key question: “should policy-making and legislation start with health data (vs. other consumer data)?”
For Savage, “it should, if only to fortify trust in the rest of federal policy-making for a learning health system, such as people having confidence that there are minimum privacy standards for how the apps they choose to use to manage their health hold that data when those individuals get it from their doctor’s offices under ONC’s Info Blocking rules.”
At the end of the day, for any data sharing initiatives to work in the healthcare space and have a “learning health system,” individuals who share their data for these purposes but be able to trust what the provider is doing with that data.
Further, a commission examining these issues provides a chance to “pressure test whether HIPAA is ‘outdated’ because it was written in 2000, 2002 and 2011.”
Savage said she does not believe it is: “I can find an express rule about how Amazon Alexa when used in a healthcare setting is regulated… But a lot of people think ‘old’ necessarily means ‘outdated.’”
“A commission gives the public a chance to evaluate whether that is true,” said Savage.
Most consumers aren’t aware of some of the tech items being developed and implemented on their devices, some of which put privacy at risk. Golder explained that as the industry thinks about rewriting HIPAA, it can hopefully address some of these privacy concerns.