Sen. Cassidy Proposes Legislative Updates to Improve Health Data Privacy
Senator Bill Cassidy (R-LA), Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee, has published a white paper that proposes updates to the Health Insurance Portability and Accountability Act (HIPAA) to improve privacy protections for health information and urges Congress to take action to expand privacy protections for all health data.
The white paper – Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era – follows Sen. Cassidy’s September 2023 request for information from healthcare industry stakeholders on the current state of HIPAA, how best to enhance health data privacy, and how to ensure that health data collected by entities that are not bound by HIPAA is also protected.
New technologies are being introduced in healthcare and interoperability of health data is increasing, which is helping to improve care and patients’ access to their health information; however, new technology has increased the attack surface, and easier access raises the risk of inappropriate data disclosures and attacks by malicious actors. Sen. Cassidy points out that 137 countries have now passed comprehensive data privacy laws, but the United States has not. In the absence of a federal data privacy law, individual states have passed their own data privacy laws, but only 13 states have done so to date. “Congress needs to act to fill the gap,” said Sen. Cassidy. While all types of personal data need to be protected, there is a pressing need for action to improve health data privacy because of the highly sensitive nature of health data, the value of that data to cyber actors, and the increase in cyberattacks on healthcare entities aimed at gaining access to health data.
Based on the responses to the RFI, Sen. Cassidy has included several proposals in the white paper for possible legislative action to improve health data privacy, including updates to HIPAA, measures to protect health data that falls into the “HIPAA gray area”, and measures for health data that is not currently subject to the HIPAA regulations. Sen. Cassidy said HIPAA is a robust health data privacy framework that strikes a balance between safeguarding patient privacy and allowing health data to be shared for purposes such as improving care and supporting clinical research; however, HIPAA needs an update to account for a more technically advanced and digital healthcare system. Sen. Cassidy is not calling for a major rewrite of HIPAA, which would likely disrupt patient care; instead, discrete updates and clarifications will be sufficient to ensure that HIPAA continues to function as intended in the future.
Improve Protection for All Healthcare Data
One of the concerns raised by respondents to the RFI relates to the different treatment of certain types of health data, such as records relating to substance use disorder, which are covered by the Part 2 regulations, and the proposed updates to the Privacy Rule that would treat reproductive health data differently from other types of health data. Sen. Cassidy warns that treating types of health data differently could result in uncertainty and confusion, and in the inappropriate withholding of health information from providers that need it. He urges the HHS to continue to improve the harmonization of the Part 2 regulations with HIPAA, as required by the CARES Act of 2020, to reduce the regulatory burden for entities that must comply with both; warns of the problems that may arise from introducing regulations covering specific data types; and suggests that privacy protections should instead be improved for all types of health data.
Guidance Required on the HIPAA Minimum Necessary Standard
The minimum necessary standard of HIPAA, which requires disclosures of PHI to be limited to the minimum amount necessary to fulfill a request, is one of the most important of the HIPAA safeguards. Complying with this standard was straightforward when sharing paper records, since printed or faxed copies could simply be physically redacted, but there are technical challenges to complying with the standard when sharing data digitally. Stakeholders that responded to the RFI said it was challenging to segment certain types of data in electronic health records to allow similar redactions, and the likely consequence is under-sharing of data out of fear of HIPAA violations for over-sharing. “Congress should direct the HHS Office for Civil Rights (OCR) to provide clear guidance on how the minimum necessary standard aligns with other regulatory requirements, including health data system interoperability requirements mandated by the 21st Century Cures Act,” suggests Sen. Cassidy. “This would continue to balance protecting against unnecessary disclosures of PHI while providing more certainty to stakeholders that they can share information to improve patient care.”
Address Uncertainty in the HIPAA Right of Access Third Party Directive
The HIPAA Right of Access allows patients to receive a copy of their health data within 30 days of submitting a request and to be charged no more than a reasonable, cost-based fee. The HIPAA Right of Access was amended by the HITECH Act of 2009 to allow other parties to initiate requests from covered entities with written authorization from patients, and requests to have records transmitted to third parties are not limited to the reasonable, cost-based fee requirements that apply to individuals. Almost 80% of covered entities contract with specialized release of information (ROI) service companies to fulfill these requests, to ease the burden and cost of providing those services themselves.
Sen. Cassidy explained that fraudulent and abusive actors take advantage of pathways for requesting medical records. They dupe patients into signing lengthy forms that allow them to masquerade as the patient, promising payouts through medical malpractice suits. While these actors are not truly acting on the patient’s behalf, they are able to receive the low patient rate. In 2020, the ROI firm CIOX Health sued the HHS over this issue and claimed that these fraudulent requests, charged at the low patient rate, were costing the company more than $10 million per year. If these companies determine that it is not financially viable to provide these record-related services, health systems and health plans may be forced to fulfill these requests themselves, which has been estimated to cost more than $1 billion each year. Sen. Cassidy has called for Congress to act and more clearly define which requests should be eligible for the patient rate.
Congress Should Clarify How Patient Information Can be Used for Research Purposes
Researchers can generally use patients’ health information for research purposes without being subject to the HIPAA Privacy Rule, provided that patient health data is deidentified – stripped of all identifiers that tie that information to the patient. Artificial intelligence (AI) is being increasingly trained on deidentified health data, and some stakeholders have raised concerns that datasets used to train AI tools could undermine patient ownership and autonomy over the use of their health data.
Sen. Cassidy suggests that Congress should examine whether the existing exemptions permitting de-identified data to be used for research should consider a patient’s ability to opt in or opt out of participation, and the risk of re-identification should be examined to ensure that patient data shared for research purposes can never be personally identified without explicit consent.
Addressing the HIPAA Gray Area
There are considerable gaps between the privacy expectations of patients and consumers and the actual protections that are in place. Some data types are not explicitly covered by HIPAA even though uses and disclosures of that data can have significant privacy and health implications for patients. The data that falls into these gray areas includes data collected through intake services, health data that leaves HIPAA-covered entities and so loses HIPAA protection, patient-generated wellness data, sensor-generated data, and genetic data collected by direct-to-consumer companies.
For example, digital health companies may use platforms that require patients to complete forms that ask for detailed health information to allow them to be matched with providers that offer the healthcare services they need. These companies are collecting data that would be protected by HIPAA if collected by a healthcare provider, but they are not HIPAA-regulated entities and HIPAA protections do not apply.
Healthcare providers are required to provide patient records to the health apps of a patient’s choosing, but once that information is transferred, HIPAA protections no longer apply. Wellness and health data collected by wearable devices and health applications is not bound by HIPAA, but many Americans mistakenly assume that HIPAA applies. Direct-to-consumer (DTC) companies offering analysis of DNA are also not subject to HIPAA, and there is significant concern that genetic data is being sold to data brokers and employers and that it could be used to discriminate against individuals or for other nefarious purposes.
These gray areas should be addressed by Congress. For example, Sen. Cassidy suggests that Congress should provide greater clarity by ensuring that HIPAA protections cover intake information, require software developers to include warnings that HIPAA does not apply, and legislate appropriate notice and consent requirements and safeguards to protect consumers and meet their expectations regarding the treatment of their genetic data.
Protecting Health Data Not Covered by HIPAA
A great deal of data is collected from Americans that has implications for individual health and privacy, including geolocation data, financial data, internet searches, and biometric data. For instance, internet searches can reveal a lot about an individual’s health concerns, geolocation data reveals locations an individual has visited (e.g. a reproductive health clinic), and financial information reveals the amount individuals spend in pharmacies. Huge volumes of data are being collected that can be combined to build detailed profiles of individuals, and that information can be used for almost unlimited purposes because of the lack of regulation. A handful of states have introduced privacy laws concerning these types of data, but this patchwork of privacy laws is unworkable. Sen. Cassidy has called for Congress to act, saying that comprehensive privacy reform is needed, and needed now.