Proposed legislation asks for panel to assess update to HIPAA
The act calls for establishing a commission to determine how best to protect patient privacy while enabling sharing for specific purposes.
Two U.S. senators have introduced legislation seeking to recast longstanding laws and regulations governing health privacy.
The proposed legislation calls for the creation of a health and privacy commission to research ways to modernize current rules put in place by the Health Insurance Portability and Accountability Act (HIPAA), which has provided the legal guardrails for sharing health information.
The introduction of the Health Data Use and Privacy Commission Act by Bill Cassidy, MD (R-La.) and Tammy Baldwin (D-Wis.) is the latest and most pointed effort to revisit HIPAA, a 25-year-old law that was designed to protect interactions between patients and clinicians.
Many industry observers contend HIPAA has become outdated as more healthcare information is retained in electronic formats, whether in electronic health records systems or in consumers’ smartphones.
Cassidy and Baldwin say that the portability of health information today on personal devices puts health data “at significant potential risk.”
The senators’ legislation would enable the new commission to give an official recommendation to Congress on how to modernize the use of health data and privacy laws “to ensure patient privacy and trust while balancing the need of doctors to have information at their fingertips to provide care.”
HIPAA restrictions were sometimes blamed for challenges in distributing information during the COVID-19 pandemic, and other industry reports suggest that HIPAA has been invoked as a reason for not being able to share health information more widely. With growing calls for interoperability and easier information exchange, there is also mounting interest in re-examining how privacy laws may be out of step with the current information environment.
The free flow of health information is causing concerns among patients, who increasingly believe that they are losing control over their information.
“As a doctor, the potential of new technology to improve patient care seems limitless, but Americans must be able to trust that their personal health data is protected,” Cassidy says. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”
Consumers need better protection for their health data, Baldwin adds. The Health Data Use and Privacy Commission Act can “help inform how we can modernize healthcare privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”
The proposed act would form a commission that would conduct a coordinated, comprehensive review of existing protections of personal health data, both at the state and federal level; detail current practices for health data use by healthcare and other industries; provide recommendations to Congress on whether federal legislation is needed to update health data privacy rules; and determine the best path for updating laws.
Under the proposed act, the commission would be required to submit a report to Congress and the President six months after members are appointed.
The specific tasks for the commission include assessing potential threats; determining purposes for which sharing health information is appropriate and potential impacts if privacy rules are too stringent; establishing the effectiveness of existing statutes and regulations; making recommendations on the need for federal regulations; weighing the potential impact of new regulations, particularly regarding medical outcomes and public health; assessing non-legislative solutions; and reviewing whether self-regulation is effective.
The proposed legislation is supported by several healthcare professional groups as well as technology solution providers, including athenahealth, Epic, IBM and Teladoc Health.
Over the past several years, several efforts have emerged to revamp HIPAA, regulations that were released in the 1990s when health records were generally paper-based. In 2019, several privacy groups proposed potential areas that a new federal privacy standard or law should address.
Recent information blocking provisions from the Office of the National Coordinator for Health Information Technology have raised concerns about protections for health data. For example, the American Medical Association raised this issue in 2019 when ONC first proposed facilitating patient access to information through third-party apps. Collaborations between large technology companies and healthcare providers that involve data sharing have also raised privacy concerns.
A deeper dive into the current needs of privacy legislation is needed, but the proposed act may not fully solve current shortcomings in HIPAA, says Matthew Fisher, general counsel for Carium, a virtual care platform company, and an expert on HIPAA and privacy challenges in healthcare.
The Cassidy-Baldwin proposal "is a bit of a double-edged sword for privacy," Fisher says. "The positive is that a bill has been introduced to start shifting focus back to privacy, which is arguably long overdue." In recent years, there's been increased recognition that privacy laws needed to be updated and expanded to address many developments driving data creation and utilization, "and bringing privacy back into the spotlight can get those discussions going again."
But the proposal lacks necessary urgency to make immediate changes, Fisher contends. "The creation of a commission to study privacy issues means that a lot more time would pass before real action occurs. The timeline includes getting the bill passed, forming the commission, letting the commission study the issue, drafting and distributing a report, and then waiting for Congress to take action again. Is all of that necessary? Why not dive directly into drafting immediately impactful legislation now, especially since research and recommendations can be found now to address the issues with privacy and healthcare data?"
There may not be immediate changes to HIPAA. "Accordingly, all must continue to operate in the current world while also proactively working to promote privacy in a more comprehensive manner," he concludes.