Listen Up

Friday, January 24, 2020

True or False: Your Patients' Health Data Is Protected by Privacy Rights? Right?

When you check into a doctor's office for the first time, you are handed a HIPAA form. Within that document is legalese describing how your information will be protected... some of the time. Few people read it, skipping straight to the signature page. Patients move on to the forms about their past and present medical issues.

The following is a guest article by Deborah Hsieh, Chief Policy & Strategy Officer at Ciox.

When most of your patients hear “health data rights,” they likely think of HIPAA, or the long forms they rarely read in their doctors’ offices. What they may take for granted is the protections for health data that covered entities must provide.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and is the framework on which health data protection has been constructed. The initial intent of the Act was to support the continuation of health insurance coverage and to ensure the security and confidentiality of patient information/data. The regulation fundamentally acknowledged the value of health data and the need for protection.

Where do health privacy rights start and end?

Despite the almost quarter-century that has passed since HIPAA was first enacted, there is relatively limited awareness of health privacy rights beyond compliance and legal experts. News of Google and Ascension’s partnership in November surprised the general public, including legislators, and perhaps exposed that limited awareness. One element many individuals are unfamiliar with is that the same health data that is protected when held by a covered entity – a healthcare provider, healthcare payer or business associate of one of those parties – is not protected if it is held by anyone else.

Almost 25 years have passed since HIPAA was created. Since that time there have been many changes: electronic health records, health information exchanges, telehealth, telemedicine, and remote monitoring, to mention a few.

Many of the new companies bringing innovations in digital health are not covered entities or business associates, which means patients have no privacy protections for health data obtained by, shared with and/or created with those companies. As digital health companies and applications become more prevalent and consumers share more of their health data through the applications, consumers must understand their health data rights and how their data is being used so they can make informed choices. In addition to that, without defined protections, someone who is not a covered entity or business associate may also not be held accountable for any breaches of privacy in health data. Based on who holds the data, your patients may not have any recourse.

Protections for health data security are just as critical as those for privacy. In December, the Centers for Medicare and Medicaid Services (CMS) closed access to Blue Button 2.0, as a bug in the code “may be causing certain beneficiary protected health information to be inadvertently shared with another beneficiary or the wrong BB2.0 application.” CMS’s Blue Button 2.0 has been a prime example of the potential of application programming interfaces (APIs) and of increased access to and exchange of health data. That an application created and run by the federal government still suffers from security issues should increase attention to and scrutiny of the security capabilities of other applications accessing health data.

Given this complex landscape, what should you do?

Providers, payers and their business associates should ensure they stay abreast of current discussions about healthcare data privacy and security. Administrative actions include a proposed regulation by the Office of the National Coordinator for Health Information Technology related to healthcare data interoperability and exchange, and a plan to revisit HIPAA. The legislature is also increasing its attention to privacy generally, including for healthcare data. There is great potential for increased access to and exchange of health data to improve healthcare delivery; however, there should be recognition and mitigation of the potential challenges to privacy and security, as well as thorough patient understanding.

Finally, healthcare stakeholders should be proactive in helping consumers understand the protections, or lack thereof, for their healthcare data. You can create a more positive consumer experience by educating your patients about their rights and the potential consequences of healthcare data sharing choices.

The important thing for patients to know is that you have the right to opt out of interoperability. Your electronic health record would then be inaccessible to any entity other than your physician. In that situation, you are the owner of your medical data, and it cannot be released unless you sign a specific waiver to share it.

Twenty or more years have passed since HIPAA went into effect. It is most likely there will be no improvement. There will always be bugs, hacks, and phishing for your data. In today's world, your data is worth a lot of money. Entities will buy it and resell it. There are criminal elements and marketing enterprises dedicated to creating revenue from your data.

Source: True or False: Your Patients' Health Data Is Protected by Privacy Rights? | Healthcare IT Today