This blog post was written by Kenny Gutierrez, EFF Bridge Fellow.
Recently proposed modifications to the federal Health Insurance Portability and Accountability Act (HIPAA) would invade your most personal and intimate health data. The Office of Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services (HHS), proposes loosening our health privacy protections to address misunderstandings by health professionals about currently permissible disclosures.
EFF recently filed objections to the proposed modifications. The most troubling change would expand the sharing of your health data without your permission, by enlarging the definition of “health care operations” to include “case management” and “care coordination,” which is particularly troubling since these broad terms are not defined. Additionally, the modifications seek to lower the standard of disclosure for emergencies. They also will require covered entities to disclose personal health information (PHI) to uncovered health mobile applications upon patient request. Individually, the changes are troublesome enough. When combined, the impact on the release of PHI, with and without consent, is a threat to patient health and privacy.
Trust in Healthcare Is Crucial
The proposed modifications would undermine the requisite trust by patients for health professionals to disclose their sensitive and intimate medical information. If patients no longer feel their doctors will protect their PHI, they will not disclose it or even seek treatment. For example, since there is pervasive prejudice and stigma surrounding addiction, an opiate- dependent patient will probably be less likely to seek treatment, or fully disclose the severity of their condition, if they fear their diagnosis could be shared without their consent. Consequently, the HHS proposal will hinder care coordination and case management. That would increase the cost of healthcare, because of decreased preventative care in the short-term, and increased treatment in the long-term, which is significantly more expensive. Untreated mental illness costs the nation more than $100 billion annually. Currently, only 2.5 million of the 21.2 million people suffering from mental illness seek treatment.
The current HIPAA privacy rule is flexible enough, counter to the misguided assertions of some health care professionals. It protects patient privacy while allowing disclosure, without patient consent, in critical instances such as for treatment, in an emergency, and when a patient is a threat to themselves or public safety.
So, why does HHS seek to modify an already flexible rule? Two congressional hearings, in 2013 and 2015, revealed that there is significant misunderstanding of HIPAA and permissive disclosures amongst medical professionals. As a result, HIPAA is misperceived as rigidly anti-disclosure, and mistakenly framed it as a “regulatory barrier” or “burden.” Many of the proposed modifications double down on this misunderstanding with privacy deregulation, rather than directly addressing some professionals’ confusion with improved training, education, and guidance.
The HHS Proposals Would Reduce Our Health Privacy
Modifications to HIPAA will cause more problems than solutions. Here is a brief overview of the most troubling modifications:
- The proposed rule would massively expand a covered entity’s (CE) use and disclosure of personal health information (PHI) without patient consent. Specifically, it allows unconsented use and disclosure for “care coordination” and “case management,” without adequately defining these vague and overbroad terms. This expanded exception would swallow the consent requirement for many uses and disclosure decisions. Consequently, Big Data (such as corporate data brokers) would obtain and sell this PHI. That could lead to discrimination in insurance policies, housing, employment, and other critical areas because of pre-existing medical conditions, such as substance abuse, mental health illness, or severe disabilities that carry a stigma.
- HHS seeks to lower the standard of unconsented disclosure from “professional judgment” to “good faith belief.” This would undermine patient trust. Currently, a covered entity may disclose some PHI based on their “professional judgment” that it is in the individual’s best interest. The modification would lower this standard to a “good faith belief,” and apparently shift the burden to the injured individual to prove their doctor’s lack of good faith. Professional judgment is properly narrower: it is objective and grounded in expert standards. “Good faith” is both broader and subjective.
- Currently, to disclose PHI in an emergency, the standard for disclosure is “imminent” harm, which invokes a level of certainty that harm is surely impending. HHS proposes instead just “reasonably foreseeable” harm, which is too broad and permissive. This could lead to a doctor disclosing your PHI because you have a sugar-filled diet, you’re a smoker, or you have unprotected sex. Harm in such cases would not be “imminent,” but it could be “reasonably foreseeable.”
Weaker HIPAA Rules for Phone Health Apps Would Hand Our Data to Brokers
The proposed modifications will likely result in more intimate, sensitive, and highly valuable information being sent to entities not covered by HIPAA, including data brokers.
Most Americans have personal health application on their phones for health goals, such as weight management, stress management, and smoking cessation. However, these apps are not covered by HIPAA privacy protections.
A 2014 Federal Trade Commission study revealed that 12 personal health apps and devices transmitted information to 76 different third parties, and some of the data could be linked back to specific users. In addition, 18 third parties received device-specific identifiers, and 22 received other key health information.
If the proposed HIPAA modifications are adopted, a covered provider would be required to share a patient’s PHI with their health app’s developer upon the patient’s request. This places too much burden on patients. They are often ill-equipped to understand privacy policies, terms of use, and permissions. They may also not realize all of the consequences of such sharing of personal health information. In many ways, the deck is stacked against them. App and device policies, practices, and permissions are often confusing and unclear.
Worse, depending on where the PHI is stored, other apps may grant themselves access to your PHI through their own separate permissions. Such permissions have serious consequences because many apps can access data on one’s device that is unrelated to what the app is supposed to do. In a study of 99 apps, researchers found that free apps included more unnecessary permissions than paid apps.
Next Steps
During the pandemic, we have learned once again the importance of trust in the health care system. Ignoring CDC guidelines, many people have not worn masks or practiced social distancing, which has fueled the spread of the virus. These are symptoms of public distrust of health care professionals. Trust is critical in prevention, diagnosis, and treatment.
The proposed HHS changes to HIPAA’s health privacy rules would undoubtedly lead to increased disclosures of PHI without patient consent, undermining the necessary trust the health care system requires. That’s why EFF opposes these changes and will keep fighting for your health privacy.