Groups push for regs to oversee entities not regulated by HIPAA
Despite congressional pressure extending for more than 20 years, many healthcare patients still do not have easy access to their own health information.
In a new issue brief, the American Medical Informatics Association and the American Health Information Management Association explore the challenges patients face and why access hasn’t improved.
In the view of Congress, patient access to their health data improves care, enables research and empowers Americans to live healthy lifestyles. Yet challenges remain with the proliferation of mobile health programs and health social media applications, which often are not covered under HIPAA’s right of access.
While patients struggle for access, entities that are not covered by HIPAA—such as providers, vendors and other stakeholders—are having little problem getting the data they need.
“While Congress has passed several policies and the U.S. Department of Health and Human Services has implemented a host of programs to improve patient data access, patients find that they have little access to or control of their health information collected by most non-HIPAA-covered entities (NCEs),” AMIA and AHIMA contend.
A 2016 report from the Office of the National Coordinator for Health Information Technology found entities that operate outside the scope of HIPAA are managing individually identifiable health information with no obligation to abide by HIPAA rules because they are not considered covered entities or business associates.
ONC further notes that while some HIPAA non-covered entities may be regulated under the Federal Trade Commission or state laws, other entities managing consumer health data may not fall under any type of regulation across the nation.
“Rather, it may be left to the discretion of the health application itself as to whether such information may be shared with the individual,” AMIA and AHIMA contend. Similarly, most state laws focus their concerns on security protocols.
“This kind of oversight does not provide the same level of protections for consumers as HIPAA, which offers such safeguards as breach notification; restrictions on the sale, use and reuse of PHI by third parties; and the individual right of access.”
The bottom line is that most health consumers are not aware they have neither a legal right to nor control of their data collected by an entity that’s not covered by HIPAA regulations.
Consequently, the two associations recommend lawmakers develop a fix or direct HHS to define HIPAA non-covered entities in law and, at minimum, extend the HIPAA right of access to non-covered entities.
“The goal of such a policy is to create a uniform data access policy for individuals using technology developed by an entity that produces or manages their individually identifiable health information, regardless of commercial or legal status,” AMIA and AHIMA assert. “As the lines between consumer and medical information systems continue to blur, Congress must ensure that rights endowed by HIPAA to patients inside the hospital and within the physician’s office also apply beyond the clinical setting.”