The Pandemic And The Evolution Of Health Care Privacy
from the tradeoffs-are-everywhere dept
When I teach privacy law, I try to make the issues real for the students. It often isn’t that hard: privacy issues remain in the news almost every day. The evolution of the pandemic has made more of these issues real and is leading to a series of critical questions for the future of health care privacy. These issues are not new, but the attention focused on pandemic issues has made the need to discuss and resolve them even more pressing.
We are seeing four distinct categories of issues arising from the pandemic.
The differing interests of patients
We have seen over the past several years a variety of health care policy goals where there is a tension between an individual’s interest in privacy and their interests in some other aspect of the operation of the health care system.
For example, in the recent federal debate over “information blocking,” there was a substantial and visible (and mostly pre-pandemic) discussion about whether the interest of patients in having access to their medical information should take precedence over the protection of those records under the U.S. Health Insurance Portability and Accountability Act Privacy and Security rules. A variety of relevant stakeholders tried to find a “win-win” in this situation, but the eventual result is that, because of the limited scope of the HIPAA rules, there will be situations in which a patient’s interest in receiving access to their medical records will mean that those records, once released, will not be subject to the full protections of the HIPAA Privacy and Security rules. The reason is structural: HIPAA binds “covered entities” (providers, health plans, clearinghouses) and their business associates, not the data itself. When a patient directs a provider to send records to a consumer app or other third party that is neither a covered entity nor a business associate, the provider’s copy remains protected, but the copy in the recipient’s hands falls outside HIPAA entirely.
The primary choice in this situation was to favor a patient’s interest in access to their records over their privacy and security interests (although the regulations tried to balance these the best they could).
A similar issue has played out with the recent Department of Health and Human Services enforcement guidance related to telehealth. As part of its pandemic response, HHS has made clear that it will not impose penalties for HIPAA noncompliance in connection with the good-faith provision of telehealth during the emergency; this means that health care providers interested in providing telehealth services did not need to be concerned about the details of the HIPAA Security Rule in conducting these visits. Whether this enforcement waiver was required is a different question, but the clear intent is to support telehealth visits at a time when they are critical to the interests of patients in receiving health care.
Through this enforcement waiver, the government favored the benefits to consumers (and the health care system) from expanded telehealth over the more specific privacy and security interests protected by the HIPAA rules.
Balance between privacy interests and health care system interests
HHS also has issued other HIPAA guidance stemming from the pandemic. While the justification for these actions is less clear, the goal is to facilitate the operation of the health care system at a time when the system is stressed, by reducing otherwise applicable HIPAA obligations.
This has led to a waiver of certain HIPAA requirements for hospitals operating under disaster protocols, including the obligation to distribute a notice of privacy practices and to honor a patient’s right to request restrictions or confidential communications. This was a policy choice, but why this choice actually helped the system, at a clear detriment to privacy interests, is less clear.
Similarly, HHS has announced that business associates now can make disclosures of patient information for public health and health oversight purposes without exposure to penalties, even where their business associate agreements did not authorize such disclosures. This increases the sources of public health disclosures beyond what the Privacy Rule previously seems to have permitted.
How to address non-HIPAA health data issues (e.g., employee health data)
We also are seeing a focus on health care privacy interests during the pandemic where HIPAA is largely irrelevant. This is not a new issue. I have been writing about this issue of “non-HIPAA health data” for almost 10 years.
Here, however, the focus has been on health care information of employees and others in connection with access to business locations and business activities. This employee information is not subject to HIPAA (for most employers, HIPAA applies only to their group health plan, not to employment records), but other laws, such as the Americans with Disabilities Act, clearly apply.
For site visitors, guests, service workers and others, there may be no generally applicable privacy law — at least in the United States — regulating how personal health information can be collected and used. This means that when companies in the U.S. think about how they can share specific health information about specific individuals, the current primary health care privacy law is irrelevant.
How to address non-health data relevant to the health care system (e.g., location data for health monitoring)
Last, we also are seeing the evolution of a related health care issue: the increasing recognition in a variety of circumstances that information that isn’t clearly about health does, in fact, matter when operating the health care system.
In the pre-pandemic HIPAA context, there was a regulatory proceeding where HHS was exploring whether to modify the HIPAA rules to permit, for example, the sharing of protected health information with social service organizations — even though these organizations do not fit cleanly into the HIPAA framework.
The inquiry reflects a recognition that social issues, such as food or housing needs, can play an important role in the overall health of an individual. In the pandemic situation, we are focused now on location data and how it can be used for public health purposes. This data doesn’t, by itself, say anything about your health, but it will be used to identify the movements of individuals affected by the coronavirus and to identify others who may also be at health-related risk.
This is both a health care privacy and a civil liberties issue. It is exactly the kind of issue that is addressed throughout the HIPAA rules, where the smooth operation of the health care system was incorporated as a means of modifying otherwise applicable privacy interests.
But this is a different order of magnitude, and the full attention of society is focused on these issues in a way that HIPAA itself seldom achieves.
I raise these issues not because there is a clear or obvious answer. These clearly are difficult times, and we must take advantage of the opportunity presented by these pandemic challenges to evaluate the issues, but we must also be careful not to let the emergency circumstances dictate bad choices.
In the national privacy law debate, the role of the health care system has taken a back seat to the larger privacy debate. This is both understandable and problematic. The health care industry has viewed privacy law as relatively settled for many years, but we are increasingly recognizing that this is not really the case.
The HIPAA rules often work well where they apply, but there are both more situations in which they don’t apply, and a broader range of events where the rules may not work well. The pandemic has led to the immediate need to address some of these complications in real time, but we will need to ensure that these issues remain in the public debate and that the increasing complexities of health care privacy can be addressed appropriately in any future U.S. privacy law.
Kirk Nahra is a Partner with WilmerHale in Washington, D.C. where he co-chairs their global Cybersecurity and Privacy Practice.
Filed Under: covid-19, healthcare, hipaa, pandemic, privacy
Reader Comments
The privacy issue would be much simpler if the US had universal healthcare. That would eliminate a lot of business interests in sharing that information (e.g., insurance companies) and it would make that information pretty much irrelevant to employers who offer "health care" plans as a "benefit." With those competing interests out of the way, there would be a lot fewer arguments for not giving patients more control over that information.
As for the pandemic, this is really not something new with respect to sharing data and contact tracing. Contact tracing has been public policy practically forever for sexually transmitted diseases. One could probably argue either way on that issue, but it's always possible to "opt out" by simply telling the physician you have no idea who you were in contact with and say whatever you want about where you've been to avoid the problem altogether.
For those people who are addicted to cell phone apps or can't live without their phone attached to them, sorry, you're fucked, but at least you can try an intervention to become less attached to your phone.
"the national privacy law debate"
there is no "national privacy law debate" -- just the usual gaggle of government politicians and bureaucrats endlessly tinkering with a substantially collectivized U.S. health care system.
"Privacy Law" as presented here seems merely a contrived term for the murky, confused bureaucratic process of ever-changing government rules imposed upon the public.
To rationally discuss any "law" in the American context, one must first understand the formal constitutional legal structure of the United States.
Casually assuming that all government health care interventions are generally "lawful" is a major error.
Complexity much?
I am not at all familiar with the details of HIPPA, but I have always had the impression that it creates a lot of complexity, obstacles, requirements to be met, etc, for not much actual security or privacy. In an effort to educate my self just a bit, so as to make a reasonable comment here, I looked up "hippa summary." The first three results were:
Summary of the HIPPA Security Rule | HHS.gov
Summary of the HIPPA Security Rule | HHS.gov
HIPPA for Dummies - HIPPA Guide
These are some fairly hefty web pages! Well into the tl;dr category, at least for me, right now. But I would have to say that the sheer size of these "summaries" tends to strongly reinforce the first half of my impression regarding complexity, obstacles, and requirements to be met.
Anyway, I then tried Wikipedia. Another long page, but I did some skimming and found this gem:
Some more skimming and I began to realize just how lol funny the phrase Administrative Simplification is. These bureaucrats have a sense of humor that just won't quit.
A bit more skimming of the Wikipedia article and the following words and phrases came up regarding security and privace, or lack thereof:
All of this tended to reinforce the second half of my impression, that HIPPA does little to enhance security or privacy.
So, while my information isn't much better than it was before, I am still left with the impression that HIPPA is mainly an exercise in bureaucratic BS.
Re: Complexity much?
Not to make light of all of this and your research. But somewhere along the way, you might have noticed that you misspelled HIPAA. ;)
(Honestly, almost everyone does, so you're not alone, but in discussion about the law, it's generally seen as evidence of a newbie with opinions...)
Wonderful,
Question about "The Differing Interests of Patients"
"...there will be situations in which a patient’s interest in receiving access to their medical records will mean that those records, once released, will not be subject to the full protections of the HIPAA Privacy and Security rules."
This is interesting; actually very interesting. Being a layman, I'm trying to figure out why this would be the case.
Why would a medical entity giving a patient his own medical records now relieve the medical entity from still having to observe HIPAA rules about those particular records?
If a third, unauthorized party obtained the private records, wouldn't the medical entity's proving that it didn't release them to said unauthorized party absolve it of liability? In other words, it's not the medical entity's fault if the unauthorized party somehow obtained the records from the patient.
I understand HIPAA is written in legalese and, like all bureaucratically generated rules and regs, is overly bureaucratic and confusing.
But if I'm, say, a lawyer, and I have "private document X" in my office safe, and I give a copy of "document X" to the person "document X" is written about, I still have an obligation to keep "document X" in my office safe. It doesn't mean I can leave "document X" in my car or bring it home.
Or am I totally misinterpreting Mr. Nahra's words?
That is a really relevant topic for me.