2013 has already proved to be a big year for patient privacy. HHS released the long-awaited HIPAA final rule. Legislation that would regulate how mHealth app developers collect data was drafted. And the Office for Civil Rights (OCR) started the year off with stricter enforcement relating to privacy breaches.
Still, privacy advocates say there's no rest for the weary in the realm of healthcare privacy and security.
For Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, one of the most critical issues left to be resolved pertains to a patient's right to easily access his or her own data. "There's more work to be done to assure patient access to data in a timely way," she said.
She was pleased with several provisions set forth in the HIPAA final rule, but she remained disappointed that patients have to wait up to 60 days for their personal health information (PHI) - earlier law granted covered entities as many as 90 days to provide patients with requested PHI.
Although McGraw understands that many covered entities could have patient records stored in an off-site facility, she nevertheless considers it a "failure to crunch the timelines" on patient access to electronic data.
The issue, McGraw said, stems from the fundamental nature of the U.S. healthcare system, in which, historically, only the physician has access to patient data. "It's not part of typical healthcare workflow to have the patient be part of the data stream," she said. "Patients know more about what's going on in their lives and their health than just about anybody, but they don't typically have access to the same data that might help them make the right decisions."
Farzad Mostashari, MD, national coordinator for health information technology, says what's really needed for privacy and security is a paradigm shift within the industry.
"The game changer is going to be healthcare waking up to the importance of meeting the expectation that our patients have of us that we're going to do everything we can to keep their information private and secure," he said.
The final HIPAA rule released in January represents "sweeping changes," according to Leon Rodriguez, director of the HHS Office for Civil Rights, who said the rule makes business associates accountable for HIPAA breaches. Mostashari said these changes are a step in the right direction, but there still exists the matter of moving away from old habits healthcare has often stubbornly refused to abandon.
For others, mission critical comes down to ethics and constitutional rights. James Pyles, principal at Powers Pyles Sutter & Verville law firm in Washington, D.C., said one of the most important pieces left to tackle in the realm of privacy is patient consent, which is firmly rooted in one's fundamental, constitutional right to privacy.
In his view, a patient should have every right to his or her PHI - who sees it, what it's used for, which data is shared - all of it. And any attempt by business associates, outside providers or research companies to access the data should require, by law, patient consent. "We need [the right of patient consent] now more in a digital age than we have ever had before because these digital records are much more vulnerable to massive privacy breaches than the paper records have ever been," Pyles said in an earlier interview with Healthcare IT News.
For him, it should be up to the patient to decide. "The mere fact that we can move health information around very efficiently these days with electronic systems shouldn't make any difference," he added. "The technology should not drive the ethics; the ethics should drive the technology."
mHealth security
McGraw also pointed to a second serious issue that needs fixing in the privacy arena: mHealth security.
According to a recent Pew Research report, some 75 million adults in the U.S. use their mobile phones for health information - up from 61 million in 2011. Moreover, one-fifth of all mobile phone users download a health application.
This explosion within the mHealth sector, McGraw said, has necessitated a review and subsequent implementation of proper privacy policies. "We have all this health data out there that is being collected on consumer apps and personal health records that aren't being protected by any comprehensive privacy protection, and that's something that Congress is going to have to fix," she said. "When you have health data protected in some settings but not protected in others, it doesn't create the ecosystem of data-sharing with protections that we ultimately want to see."
However, due to the polarizing political climate in Congress together with subjective notions of privacy among members, McGraw doesn't anticipate any comprehensive reform in the near future. "You don't have a whole lot of instances where Congress has successfully been able to take on privacy."
There was the case of the privacy provisions included in HITECH, but she averred those were enacted because it was part of a much larger bill that needed to pass for other reasons to stimulate the economy, and because legislators had bigger issues to squabble over than the privacy provisions.
"It was able to pass for a whole set of circumstances that had less to do with the content of the provisions than the politics that were present at the time," McGraw said.
Despite the varying opinions on what should be tackled next on the privacy and security agenda, most privacy advocates agree the road ahead is long, winding and often uphill. However, it's a path that needs to be taken, and the only way to go, in their eyes, is onward.