Electronic health records (EHRs) contain protected health information (PHI) that proves valuable to healthcare professionals and patients alike. Professionally, they allow providers to diagnose, attend, and treat patients. Personally, they assist patients with data access, provider communication, and care engagement.
Many providers leveraging these record systems are Health Insurance Portability and Accountability Act, or HIPAA-covered entities (CEs)—and HIPAA requires them to safeguard the PHI they collect and store.
Offered access to this regulated data increased by almost 24% between 2014 and 2017, according to a 2017 report by the Office of the National Coordinator of Health Information Technology (ONC). The report, based on data from the National Cancer Institute 2017 Health Information Trends Survey, noted that three in ten individuals who were offered access to their online medical records viewed them.
Health Data Privacy and Security Issues
The individual use of consumer devices and health applications, or apps, has also increased.
These technological advancements collect and store significant amounts of PHI and patient-generated data. But unlike healthcare providers, many are non-HIPAA covered entities, or NCEs, so this consumer data falls outside the scope of federal regulations.
“Once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate,” the Department of Health and Human Services (HHS) wrote in a statement on the interoperability of electronic health information.
Unaware of privacy implications, patients use these digital tools and software to improve their care. The ONC report, referenced above, showed: an estimated 44% of participating tablet and smartphone owners installed a health or wellness app, and about one-third owned an electronic monitoring device.
Many apps and devices, however, engage in data sharing practices that compromise consumer privacy. When the Privacy Rights Clearinghouse (PRC) studied 43 health and fitness apps, for instance, it found that all posed some risk to the privacy and confidentiality of user information.
Protecting Personal Health Data Act: Addressing Modern Privacy and Security Concerns
To protect the privacy of consumer health information, U. S. Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK), introduced a new piece of legislation in June.
The proposed legislation, known as the Protecting Personal Health Data Act, S. 1842, would enact privacy and security protections on health data possessed by NCEs.
These entities “use consumer-facing technology to collect, handle, analyze, and share health information about individuals – sometimes without those individuals’ knowledge,” wrote Dr. Karen B. DeSalvo and Jocelyn Samuels, J.D., in an ONC blog post introducing a report on the subject. This has been proven by recent studies published in JAMA and BMJ.
The report, developed in coordination with the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), noted the challenges of safeguarding electronic health information (EHI) in the age of technological innovation advancement—and the need for oversight and improvement in the maintenance, access, confidentiality, and integrity of such data.
Klobuchar’s proposal, co-sponsored by Murkowski, seeks to address these emerging concerns.
“New technologies have made it easier for people to monitor their own health, but health tracking apps and home DNA testing kits have also given companies access to personal, private data with limited oversight,” Klobuchar said in the bill’s press release.
“This legislation will protect consumers’ personal health data by requiring that regulations be issued by the federal agencies that have the expertise to keep up with advances in technology.”
This Act also proposes that “the Department of Health and Human Services (HHS) Secretary, in consultation with the Federal Trade Commission (FTC) chairman, the National Coordinator, relevant stakeholders and other Federal agencies, promulgate regulations to help strengthen privacy and security protections for consumers’ personal health data that is collected, processed, analyzed, or used by consumer devices, services, applications, and software.” Devices, services, applications, and software in the bill include: direct-to-consumer genetic testing services, cloud-based and mobile technologies, internet-based web apps and social media sites.
This new bill proposes the creation of guidelines for the protection of modern consumer health information, according to Senator Murkowski. To respect patient confidentiality on the provider side—and avoid future legal risks, however, before recommending these newer engagement channels, healthcare organizations may find it helpful to: better understand federal and state health information regulations; research recommendations, ensuring they are compliant, secure, and transparent; discuss potential privacy implications with patients.