AMIA Calls for Greater Alignment of Federal Data Privacy Rules
The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and recommends adoption of a more integrated approach to privacy that includes both the healthcare and consumer sectors.
The call follows a request for comment by the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, to initiate a conversation about consumer privacy. In a letter to the NTIA, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Protections for Human Subjects Research (Common Rule).
Currently, a patchwork of federal and state regulations complicates compliance and creates information-sharing challenges, resulting in ‘perverse outcomes’ due to different interpretations of existing privacy policies.
AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an example. Pennsylvania and New Jersey are neighboring states, but they have different policies covering HIV/AIDS data. If an HIV/AIDS patient from Pennsylvania were to visit a hospital in New Jersey, information on their HIV/AIDS diagnosis would not be accessible by clinicians in New Jersey, even though the information has high importance in treatment decisions. The patient would also be unlikely to receive their data from the New Jersey hospital to take back to their healthcare provider in Pennsylvania.
“AMIA encourages the administration to ensure that federal rules lay a common foundation across jurisdictional and geographic boundaries while also providing a process for jurisdictions to address local needs and norms.”
In recent years there has been a significant increase in consumer devices and information systems that record similar information to medical devices and healthcare information systems. The line between the two has been blurred. Action is therefore required to develop concordant privacy policies across health and consumer data ecosystems.
HIPAA was introduced 22 years ago in 1996 at a time when healthcare organizations were predominantly using paper records. While HIPAA has been updated to account for the shift to electronic records, AMIA points out that the adoption of health-related technologies that were unavailable in 1996 has resulted in the formation of gaps that now endanger patient privacy.
The changes made to HIPAA through the introduction of the Privacy Rule have ensured that patients have access to their health data and greater control over what is done with that information. What is now required are similar rights and protections for consumers.
While AMIA does not suggest that either HIPAA or the Common Rule should be applied to the consumer data ecosystem, both “should serve as important and informative inputs to [the] conversation on consumer data privacy.”
AMIA has called for the Federal Trade Commission (FTC) to develop a consumer data strategy that “Supports trust, safety, efficacy, and transparency across the proliferation of commercial and non-proprietary information resources,” and suggests that the time is right to develop an “ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations.”