Overview
As Big Tech companies face continued scrutiny over their handling of personal health information, the limitations of US health privacy regulation in a digital age are becoming more evident. Policymakers, both in the US and around the world, are trying to keep up with a rapidly changing health tech landscape. While data sharing is critical to increasing efficiency and spurring innovation, concerns about patient privacy are at an all-time high. How do regulators ensure that patients are protected without stifling important advances in health technology? And what are the pitfalls regulators should be aware of?
This month’s tech regulation digest focuses on Health Insurance Portability and Accountability Act (HIPAA) rules—their shortcomings and what regulators can learn from Europe’s General Data Protection Regulation (GDPR).
Background
HIPAA was passed in 1996 to require national standards for protecting patients’ private health information from being shared without their consent. To implement these standards, the US Department of Health and Human Services (HHS) established the HIPAA Privacy Rule and the HIPAA Security Rule, which form the basis of the regulatory framework that currently governs patient data. Those rules took effect in 2002, that is, years before the widespread adoption of electronic health records, as explained in Vox. They require covered entities to abide by certain protocols when dealing with patient data, like using secure online portals for patient interface, requiring hospitals to provide patients with a notice of their privacy practices, and allowing patients to access their medical records.
There is a lot of confusion about what kind of information is protected by HIPAA, and the answer comes down to the type of entities that have to abide by HIPAA rules. HHS defines covered entities as health-care providers, insurers, data clearinghouses, and any business associate that has a written contract with a covered entity and handles medical records. As health-care services and deliverability rapidly change with the emergence of telehealth and the involvement of Big Tech companies, the focus of HIPAA regulation is now on the companies that do not have to comply with HIPAA rules, such as social media companies and large data brokers that collect, sell, and purchase personal information online.
In December 2022, an investigation by STAT and The Markup revealed that telehealth companies are able to avoid HIPAA requirements when patients sign up online, exposing sensitive health information. Not all patient data in an intake or sign-up form is protected health information under HIPAA. Fifty separate direct-to-consumer telehealth companies were sending intimate health details to Facebook, and dozens of the websites had trackers from tech companies such as Twitter, TikTok, Pinterest, and Google. This sharing of health-related data is legal, illustrating one of several of HIPAA’s shortcomings in protecting patients.
Earlier this year, Meta faced widespread criticism (and nearly 50 class-action lawsuits, according to Bloomberg Law) for its Pixel tracking tool that showed people targeted ads based on medical conditions they thought were private. In August 2022, a complaint filed in California alleged that at least 664 providers sent health information to Meta, as reported in Bloomberg Law. These lawsuits raise another often-misunderstood aspect of HIPAA regulation: Protected patient information can still be shared by a provider as long as the provider gives notice. According to Protocol, patients do not have to fully understand where their data are going before signing the notice, similar to the way most people quickly sign the terms and conditions without fully reading them.
Why Is This Important?
Big Tech has been seeking more space in the health-care marketplace for years, particularly Apple, Amazon, Google, and Microsoft, as reported in Insider Intelligence. Amazon most recently acquired One Medical for $4 billion, although the transaction is now under a Federal Trade Commission investigation for antitrust concerns, according to The Wall Street Journal. With the increasing presence of Big Tech in the health-care marketplace, concerns about the security of patient health data will only increase.
The security of individual health data is paramount, as it can expose patients to discrimination from insurers and employers based on certain health conditions. More recently, concerns were raised over the collection of private health data from period-tracking apps that could be used against women who receive abortion services, which resulted in a congressional probe by the House Oversight Committee, TechCrunch reports.
Updating US regulations on health data is complicated and full of potential landmines. For example, Europe’s recent GDPR faced criticism from officials for its lack of clarification on the types of data it protects.
Federal agencies such as the National Institutes of Health (NIH) rely on deidentified patient data to fund critical biomedical research. A recent op-ed in Financial Times by a senior advisor to the NIH points out that GDPR treats publicly funded biomedical research the same way it treats marketing or social media companies. As a result, US agencies are now struggling to find legal pathways to receive data from researchers in the EU. While GDPR provides heightened levels of security for patients, it’s also stifling important data-sharing efforts. Any updated regulation on patient data needs to consider who is using the data and for what purposes and tailor the rules accordingly.
Just as Milken Institute research highlighted in Share the Data: Overcoming Trade-Offs in Tech Regulation in May 2021, data sharing in health technology should also remain a priority amid any updates to patient data regulation. During a panel at the Milken Institute’s Future of Health Summit last month, Arta Bakshandeh, the chief medical informatics officer of Alignment Healthcare, noted how data sharing is critical to the future of health-care deliverability. “We need to, in a HIPAA-compliant way, democratize the data so that it flows between CMS [Centers for Medicare and Medicaid Services] … down to the physician level,” he said. “And we can’t do that without a unified data architecture.”
What Happens Next
A couple of bills to strengthen protections for patient privacy were filed during the 2021–22 session of the United States Congress. The Stop Commercial Use of Health Data Act sought to prevent companies from using health data to target advertisements and The Health Data Use and Privacy Commission Act tried to establish a commission to study potential changes to the regulatory framework, but neither of the bills was passed into law.
Potential changes to HIPAA could include adding social media companies and data brokers, either as covered entities or Business Associates by signing the Business Associate Agreement. To support more data sharing, some legal experts have argued in HealthCare IT News for more clarification on HIPAA’s Organized Health Care Arrangements, which could provide an integrated and secure network of providers that can share patient information.
Going forward, the challenge that faces regulators is crafting rules that are strong enough to protect patients’ online privacy and build consumer trust but also allow providers and researchers the flexibility needed for critical data-sharing efforts.