Published on December 21, 2020

Initially put into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is likely to be revamped. In fact, earlier this month, the group responsible for regulating HIPAA—the Health and Human Services’ Office for Civil Rights (OCR)—issued a notice of proposed rule-making (NPRM). This NPRM focuses on HIPAA’s Privacy Rule, and the general goal is to expand individuals’ access to their personal health information (PHI).

The privacy of our electronic health records (EHRs) is top of mind for many of us these days, especially as tech companies enter the healthcare space. Last week, EU antitrust regulators approved Google’s $2.1b acquisition of FitBit, with the caveat that all of FitBit’s data must be stored separately from Google data, and that the FitBit data is never to be used for advertising purposes in Europe. As an aside, the deal still faces regulatory hurdles from agencies in the U.S. and Australia. By no means is Google an anomaly. Amazon also seeks to enter the healthcare space with its nascent telehealth endeavor, Amazon Health. Given Big Tech’s imperfect record on user privacy and the rapidly changing landscape, many are calling for a revamp of HIPAA’s Privacy Rule.

Just last week, Amy Klobuchar (D-Minn) wrote a letter to HHS Secretary Alex Azar with privacy concerns related to Amazon’s wearable health apparatus, the Amazon Halo. This isn’t the first time Klobuchar has called for an expansion of HIPAA. In 2019, she co-sponsored legislation with Lisa Murkowski (R-Alaska) to address at-home DNA testing kits, wearables, and health apps. As it stands today, HIPAA doesn’t apply to consumer tech at all—not unless the data in question is affiliated with a doctor or another covered entity.

Rethinking “health information” in our current digital age
According to the current Privacy Rule, PHI is defined as “individually identifiable health information maintained or transmitted by or on behalf of HIPAA covered entities” (i.e., health plans, health care providers who conduct covered health care transactions electronically, and health care clearinghouses). However, with technology companies tracking our behavior and storing our data, it is time to rethink exactly what data should be covered under HIPAA.

As Dr. Mona Sobhani and Dr. Leslie Saxon have pointed out, tech companies have access to variables that are “social determinants of health,” such as our zip codes, our sleep schedules, and our medical search history. These variables do not fall under HIPAA, although an argument can be made that they should and that it is time to reevaluate what falls under the umbrella of PHI.

HIPAA and recent changes under NPRM
Although HIPAA has been around since 1996, the Privacy Rule and the Security Rule did not come into practice until 2003. In a nutshell, the Privacy Rule mandates that anyone who creates, stores, transmits, or uses PHI must protect that data, while the Security Rule spells out administrative, physical, and technical safeguards to ensure that EHRs and PHI are kept safe and confidential.

The recent NPRM from the HHS’ Office for Civil Rights focuses primarily on HIPAA’s Privacy Rule. Some of the changes are relatively minor, such as adding definitions for certain terms like “electronic health record” and “personal health application,” while other changes are more significant. Under the NPRM, health care providers will now be mandated to respond to individuals’ access requests in 15 days, as opposed to 30 days (although there is a one-time extension).

Additionally, the NPRM creates some new access rights. If an individual requests that their PHI be shared with a third party, covered health care providers now must do so. Also, the NPRM provides individuals with the legal right to inspect their PHI in a designated setting. After arranging a mutually convenient time with a covered health entity, individuals are allowed to use their own personal resources to capture their PHI; for example, they can take notes, photographs, and videos of their PHI.

Slowly, but surely, the OCR is making attempts to adjust HIPAA to account for new technologies. After all, mobile phones with cameras were not around in 1996, and in all likelihood, many patients may want to take pictures of their health records in an office setting. As a quick caveat, these are only a few of the proposed changes to HIPAA under the NPRM.

Our current health data landscape
We are in a bit of a predicament. On the one hand, many of us are clamoring for more stringent privacy protection of our personal data, especially our health data. On the other hand, never before has our PHI been shared so widely and through so many different channels.

Deven McGraw, who used to work as deputy director of health information privacy at the HHS’ Office for Civil Rights, calls this the “Goldilocks Health Data Dilemma,” and McGraw is right when she says that the only way it can be solved is through legislation. Now, perhaps more alterations to HIPAA, such as the recent NPRM, will do the trick; or conversely, to adequately address the changing technological landscape, legislators may have to totally reassess what, exactly, personal health information entails. To be sure, our PHI looks different in 2021 than it did in 1996, and our laws need to reflect this.

Conclusion
As we know, health data is extremely valuable on the black market, making PHI and EHRs a lucrative target for hackers. Additionally, as our health data is spread increasingly far and wide, in part due to emerging technologies, it is important that our laws keep up. With Amazon, Google, and others entering the healthcare data space, it will be interesting to see if legislators begin to rethink exactly what qualifies as PHI. HIPAA is ripe for a refresh, and as this recent NPRM shows, it is starting to happen on the privacy side of the coin. Lastly, an argument can be made that there should be adjustments made on the security side of HIPAA as well, and we’ll be sure to track any and all developments as they occur.

John Donegan
Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.