Report: Why health data privacy needs more than HIPAA

Everyone who has an interest in healthcare data, including researchers, regulators, patients, and healthcare providers, now faces a conundrum. The increasing availability of health data from medical records, mobile sensors and apps, and public health sources is transforming the health sector. It’s becoming possible to predict medical vulnerabilities and tailor prevention and treatment to the individual more accurately than ever before. But the new promise of personalized medicine also carries significant risks. As the use of personal health data increases, so does the risk of privacy violations — and the harms that can result to both individuals and communities.

The nonprofit Center for Open Data Enterprise (CODE) has just released a report on Balancing Privacy With Health Data Access — the findings of CODE’s research and a recent roundtable on the topic co-hosted with the Office of the Chief Technology Officer (CTO) at the U.S. Department of Health and Human Services (HHS). The roundtable and the report include not only the perspectives of policymakers, but input from patients, patient advocates, and a broad range of stakeholders with an interest in health data privacy.

“The roundtable described in this report addressed the challenge: How should we balance the need for privacy with access to health data that can make groundbreaking insights possible?” says HHS Chief Data Officer Mona Siddiqui. “That discussion is part of a national effort to address data privacy at different levels of government. At HHS, we are at the center of this national conversation. Those of us who believe in technology’s potential for good must lean into this conversation and embrace that it will be messy, incremental, and iterative. But at the end of the day, the voice of the consumer and the voice of the patient needs to be loudest.”

The report finds that the privacy protections in the Health Insurance and Portability Accountability Act (HIPAA), passed in 1996, are no longer sufficient to ensure the data security that consumers need. For example, HIPAA does not cover many of the companies that gather health data from fitness trackers, genetic analyses, or other commercial processes and devices that are widely used. On another level, public data on social determinants of health (SDOH), including income, education, housing, and other factors, is increasingly used to predict health risks for individuals and communities – a trend that promises great opportunities to improve prevention and treatment, but also raises the risk of discrimination in health care coverage.

The CODE report provides a roadmap for healthcare professionals, policymakers, and patients and their advocates to understand the state of health data privacy, shortcomings in the current system, and possible remedies. It concludes with recommendations for improving health data privacy and use in several ways:

• Improve individual access to health data. HIPAA gives patients the right to access their health data, but many people don’t know it. By educating the public and enforcing this right, HHS can help give individuals more power over their data and how it is used.
• Hold health-related “business associates” accountable. HIPAA’s rules cover only certain kinds of businesses and organizations, including healthcare plans, providers, and clearinghouses. The rules are also supposed to cover “business associates” of those covered entities, but HHS does not monitor or enforce its rules directly for these business associates. The report recommends that HHS work with privacy experts to close this potential loophole.
• Help startups comply with HIPAA’s requirements. The cost of meeting HIPAA’s requirements can be prohibitive for data-driven health startups if they plan to download and analyze sensitive health data. However, HHS can provide “data containers” that enable these startups to work with sensitive data that is anonymized and held by HHS, avoiding the need for them to download the data and secure it. The Centers for Medicare and Medicaid Services (CMS) has developed a Virtual Research Data Center that can be expanded and used as a model for other, similar solutions.
• Create industry-wide ethical guidelines for consumer-generated health data. “Consumer-generated” health data, including data from fitness trackers, genomic analyses, and social media, is now virtually unregulated. HHS could convene industry leaders to develop ethical guidelines for data collection and use and communicate those to their customers.
• Increase access to data on social determinants of health – with legal protections. HHS and other government agencies, researchers, philanthropies, healthcare providers, insurers, and others all have a stake in using SDOH data to improve individual health. As the use of SDOH data grows, stakeholders should determine the best ways to increase access to this data while preventing its misused.
• Use technology to improve patient consent for data sharing. Current methods of informed consent for the research use of data – a standard requirement of research protocols – are not sophisticated enough to allow for new uses of data as research opportunities evolve. New technology platforms can enable patients to provide “dynamic consent,” allowing them to choose more precisely how they do or don’t want their data shared and used in the future.
• Create patient-centered outreach and engagement programs. HHS and its partners can help clear up the current confusion around health data privacy. The next step could be to undertake a comprehensive outreach strategy to educate the public about patients’ data privacy rights and current regulations.
• Adopt legislation to broaden data privacy rights. Many roundtable participants believed that new legislation – not just enhancements to HIPAA – are necessary to protect the privacy of new kinds of health data, particularly the consumer-generated data that is now unregulated.

Congress and HHS are now proposing regulatory changes that can improve the balance of privacy protection and health data access. Senators Amy Klobuchar and Lisa Murkowski have introduced the Protecting Personal Health Data Act, which would create a comprehensive set of policies to regulate the use and sharing of consumer-generated health data. And last month, in a move to increase access to data whose use is overly constrained, HHS proposed revising the privacy rule known as 42 CFR Part 2 to facilitate research on opioid addiction. Participants at a roundtable that CODE co-hosted with HHS in July 2018, which focused on data sharing to address the opioid crisis, specifically identified this rule as a major roadblock to research that restricts access to sensitive data without providing significantly more patient protection than HIPAA does.

HHS has also proposed additional measures to make data appropriately usable while protecting privacy, and has released a Request for Information on possible ways that HIPAA should be improved. The need for new approaches to health data privacy is clear – and HHS is moving forward to address them.

Joel Gurin is President, and Paul Kuhne is Roundtables Program Manager, at the Center for Open Data Enterprise.