The Tech Policy Greenhouse is an online symposium where experts tackle the most difficult policy challenges facing innovation and technology today. These are problems that don't have easy solutions, where every decision involves tradeoffs and unintended consequences, so we've gathered a wide variety of voices to help dissect existing policy proposals and better inform new ones.

The Pandemic And The Evolution Of Health Care Privacy

from the tradeoffs-are-everywhere dept

When I teach privacy law, I try to make the issues real for the students. It often isn’t that hard — privacy issues remain in the news almost every day. The evolution of the pandemic has made more of these issues real and is leading to a series of critical questions for the future of health care privacy. These issues are not new, but the focus of the attention on pandemic issues has made the need for discussion and resolution of these issues even more critical.

We are seeing four distinct categories of issues arising from the pandemic.

The differing interests of patients

We have seen over the past several years a variety of health care policy goals where there is a tension between an individual’s interest in privacy and their interests in some other aspect of the operation of the health care system.

For example, in the recent federal debate over “information blocking,” there was a substantial and visible (and mostly pre-pandemic) discussion about whether the interest of patients in having access to their medical information should take precedence over the protection of those records under the U.S. Health Insurance Portability and Accountability Act Privacy and Security rules. A variety of relevant stakeholders tried to find a “win-win” in this situation, but the eventual result is that — because of the limited scope of the HIPAA rules — there will be situations in which a patient’s interest in receiving access to their medical records will mean that those records, once released, will not be subject to the full protections of the HIPAA Privacy and Security rules.

The primary choice in this situation was to favor a patient’s interest in access to their records over their privacy and security interests (although the regulations tried to balance these the best they could).

A similar issue has played out with the recent Department of Health and Human Services enforcement guidance related to telehealth. As part of its pandemic response, HHS has made clear that it will not be taking enforcement action involving telehealth visits; this means that health care providers interested in providing telehealth services did not need to be concerned about the details of the HIPAA Security Rule in conducting these visits. Whether this enforcement waiver was required is a different question, but the clear intent is to provide support for telehealth visits at a time when telehealth visits are critical to the interests of patients in receiving health care.

Through this health care enforcement waiver, the government selected the benefits to consumers (and the health care system) from enhanced telehealth opportunities over the more specific privacy and security interest of the HIPAA rules.

Balance between privacy interests and health care system interests

HHS also has issued other HIPAA guidance stemming from the pandemic. While the justification for these actions is less clear, the goal is to facilitate the operation of the health care system at a time when the system is stressed, by reducing otherwise applicable HIPAA obligations.

This has led to a waiver of certain HIPAA requirements (including the obligation to provide a privacy notice and an opportunity for a request for restrictions or confidential communication). This was a policy choice, but why this choice actually helped the system — at a clear detriment to privacy interests — is less clear.

Similarly, HHS has announced that business associates now can make disclosures of patient information for public health purposes – increasing the sources of public health disclosures is what the Privacy Rule previously seems to have permitted.

How to address non-HIPAA health data issues (e.g., employee health data)

We also are seeing a focus on health care privacy interests during the pandemic where HIPAA is largely irrelevant. This is not a new issue. I have been writing about this issue of “non-HIPAA health data” for almost 10 years.

Here, however, the focus has been on health care information of employees and others in connection with access to business locations and business activities. This employee information is not subject to HIPAA (primarily HIPAA for most employers applies only through their health insurance benefits plan), but other laws, such as the Americans with Disabilities Act, clearly apply.

For site visitors, guests, service workers and others, there may be no generally applicable privacy law — at least in the United States — regulating how personal health information can be collected and used. This means that when companies in the U.S. think about how they can share specific health information about specific individuals, the current primary health care privacy law is irrelevant.

How to address non-health data relevant to the health care system (e.g., location data for health monitoring)

Last, we also are seeing the evolution of a related health care issue: the increasing recognition in a variety of circumstances that information that isn’t clearly about health does, in fact, matter when operating the health care system.

In the pre-pandemic HIPAA context, there was a regulatory proceeding where HHS was exploring whether to modify the HIPAA rules to permit, for example, the sharing of protected health information with social service organizations — even though these organizations do not fit cleanly into the HIPAA framework.

The inquiry reflects a recognition that social issues — food or housing needs, for example — can play an important role in the overall health of an individual. In the pandemic situation, we are focused now on location data and how it can be used for public health purposes. This data doesn’t — by itself — say anything about your health, but it will be used to identify the movements of individuals affected by the coronavirus and identify others for whom there also are health-related risks.

This is both a health care privacy and a civil liberties issue. It is exactly the kind of issue that is addressed throughout the HIPAA rules, where the smooth operation of the health care system was incorporated as a means of modifying otherwise applicable privacy interests.

But this is a different order of magnitude and one in which the full attention of society is focused on these issues in a way that HIPAA seldom catches the public’s attention.

I raise these issues not because there is a clear or obvious answer. These clearly are difficult times, and we must take advantage of the opportunity presented by these pandemic challenges to evaluate the issues, but we must also be careful not to let the emergency circumstances dictate bad choices.

In the national privacy law debate, the role of the health care system has taken a back seat to the larger privacy debate. This is both understandable and problematic. The health care industry has viewed privacy law as relatively settled for many years, but we are increasingly recognizing that this is not really the case.

The HIPAA rules often work well where they apply, but there are both more situations in which they don’t apply, and a broader range of events where the rules may not work well. The pandemic has led to the immediate need to address some of these complications in real time, but we will need to ensure that these issues remain in the public debate and that the increasing complexities of health care privacy can be addressed appropriately in any future U.S. privacy law.

Kirk Nahra is a Partner with WilmerHale in Washington, D.C. where he co-chairs their global Cybersecurity and Privacy Practice.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: covid-19, healthcare, hipaa, pandemic, privacy


Reader Comments

Subscribe: RSS

View by: Thread


  1. identicon
    bobob, 12 Jun 2020 @ 12:45pm

    The privacy issue would be much simpler if the US had universal healthcare. That would eliminate a lot of business interests in sharing that information (e.g., insurance companies) and it would make that information pretty much irrelevant to employers who offer "health care" plans as a "benefit." With those competing interests out of the way, there would be a lot fewer arguments for not giving patients more control over that information.

    As for the pandemic, this is really not something new with respect to sharing data and contact tracing. Contact tracing has been public policy practically forever for sexually transmitted diseases. One could probably argue either way on that issue, but it's always possible to "opt out" by simply telling the physician you have no idea who you were in contact with and say whatever you want about where you've been to avoid the problem altogether.

    For those people addicted to cell phone apps or can't live without your phone attached to you, sorry, you're fucked, but at least you can try an intervention to become less attached to your phone.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 12 Jun 2020 @ 3:05pm

    "the national privacy law debate"

    there is no "national privacy law debate" -- just the usual gaggle of government politicians and bureaucrats endlessly tinkering with a substantially collectivized U.S. health care system.

    "Privacy Law" as presented here seems merely a contrived term for the murky, confused bureaucratic process of ever-changing government rules imposed upon the public.

    To rationally discuss any "law" in the American context, one must first understand the formal constitutional legal structure of the United States.
    Casually assume all government health care interventions are generally "lawful" is a major error.

    link to this | view in thread ]

  3. icon
    Upstream (profile), 12 Jun 2020 @ 4:29pm

    Complexity much?

    I am not at all familiar with the details of HIPPA, but I have always had the impression that it creates a lot of complexity, obstacles, requirements to be met, etc, for not much actual security or privacy. In an effort to educate my self just a bit, so as to make a reasonable comment here, I looked up "hippa summary." The first three results were:

    Summary of the HIPPA Security Rule | HHS.gov
    Summary of the HIPPA Security Rule | HHS.gov
    HIPPA for Dummies - HIPPA Guide

    These are some fairly hefty web pages! Well into the tl;dr category, at least for me, right now. But I would have to say that the sheer size of these "summaries" tends to strongly reinforce the first half of my impression regarding complexity, obstacles, and requirements to be met.

    Anyway, I then tried Wikipedia. Another long page, but I did some skimming and found this gem:

    Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.

    Some more skimming and I began to realize just how lol funny the phrase Administrative Simplification is. These bureaucrats have a sense of humor that just won't quit.

    A bit more skimming of the Wikipedia article and the following words and phrases came up regarding security and privace, or lack thereof:

    the OCR has a long backlog and ignores most complaints

    it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations.

    unauthorized employees repeatedly and without legitimate cause looked at the electronic protected health information of numerous UCLAHS patients

    "flexibility" may provide too much latitude to covered entities

    Misuse and disclosures of PHI
    No protection in place of health information
    Patient unable to access their health information
    Using or disclosing more than the minimum necessary protected health information
    No safeguards of electronic protected health information.

    All of this tended to reinforce the second half of my impression, that HIPPA does little to enhance security or privacy.

    So, while my information isn't much better than it was before, I am still left with the impression that HIPPA is mainly an exercise in bureaucratic BS.

    link to this | view in thread ]

  4. icon
    Mike Masnick (profile), 12 Jun 2020 @ 6:05pm

    Re: Complexity much?

    Not to make light of all of this and your research. But somewhere along the way, you might have noticed that you misspelled HIPAA. ;)

    (Honestly, almost everyone does, so you're not alone, but in discussion about the law, it's generally seen as evidence of a newbie with opinions...)

    link to this | view in thread ]

  5. icon
    tz1 (profile), 13 Jun 2020 @ 1:22pm

    Re:

    There simply would be no privacy. In order to get health care from the state, you would have to agree to share all information with the police, researchers, whatever. And probably give up any right to sue for malpractice or damages as it true for Vaccines today. There are several layers of problems which just get worst. There is more duct tape than duct now. Employer's paying was a WW2 policy to get around wage and price controls - you couldn't raise wages, but could offer to pay for all medical care. Insurance is also a misnomer - you don't buy fire insurance AFTER your house has burned down. You don't buy car insurance to cover paying for routine maintainence. The first part is to sort the no market parts from the others. The ER maybe should be from local taxes like police and fire. Chronic problems like dialysis and insulin maybe should be handled by large fixed price to the vendors - Insulin was found in the 1930s, but now the FDA only allows the $ hundreds per month super bioengineered and PATENTED version that most people can't afford. Why not the orignal pig (or other) pancreas option which if developed might cost pennies a dose today?

    link to this | view in thread ]

  6. icon
    tz1 (profile), 13 Jun 2020 @ 1:23pm

    Wonderful,

    Consider that Telemedicine is sometimes used for reproductive counseling, i.e. STDs and Abortion. Scarlet As database anyone?

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 16 Jun 2020 @ 10:50am

    Question about "The Differing Interests of Patients"

    "...there will be situations in which a patient’s interest in receiving access to their medical records will mean that those records, once released, will not be subject to the full protections of the HIPAA Privacy and Security rules."

    This is interesting; actually very interesting. Being a layman, I'm trying to figure out why this would be the case.

    Why would a medical entity giving a patient his own medical records now relieve the medical entity from still having to observe HIPAA rules about those particular records?

    If a third, unauthorized party obtained the private records, wouldn't the medical entity just have to prove said entity didn't release them to said unauthorized party absolve them of liability? In other words, it's not the medical entity's fault if the unauthorized party somehow obtained the records from the patient.

    I understand HIPAA is written in legalese and, like all bureaucratically-generated rules and regs, are overly bureaucratic and confusing.

    But if I'm, say, a lawyer, and I have "private document X" in my office safe, and I give a copy of "document X" to the person "document X" is written about, I still have an obligation to keep "document X" in my office safe. It doesn't mean I can leave "document X" in my car or bring it home.

    Or am I totally misinterpreting Mr. Nahra's words?

    link to this | view in thread ]

  8. icon
    Dilanio (profile), 29 Jan 2022 @ 6:21am

    That is a really actual topic for me

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.