Public Health Emergency Leads to the Need for Privacy Legislation
By CHHS Extern Nicole Fullem
Due to the COVID-19 pandemic healthcare systems were forced to move to a more remote environment and required to adopt telehealth services to bring care to patients. The Department of Health and Human Services (HHS) defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient professional health-related education, public health and health administration.” At the beginning of the public health emergency, HHS relaxed the Health Insurance Portability and Accountability Act (HIPAA) rules in response to the increase in telehealth services. HHS’s guidance recognized that some of the technologies may not fully comply with the requirements of HIPAA Rules, however, HHS explained that it would not impose penalties for noncompliance with the regulatory requirements under HIPAA. These relaxed requirements are for the duration of the national emergency, however, it is likely that telehealth services are likely here to stay. In December 2020, HHS saw a need to deliver better care and provide patients more access to their protected health information and therefore, proposed modifications to the HIPAA Privacy Rule. The proposed rule looks to improve information sharing, create greater family involvement in the care of individuals who are experiencing emergencies, and gives greater flexibility for disclosures in emergency or threatening circumstances, such as a public health emergency. However, there remains concerns surrounding the privacy of health information.
The remote environment and increased use of telehealth services creates privacy concerns for many people. Although the new Privacy Rule may provide for better access to patient protected health information, some individuals have expressed concerns—the disclosure of medical records without requiring patient’s authorization may lead to an unintended release of an individual’s sensitive information to a third party. In addition, patients would be allowed to verbally request their health information, and there are concerns that information may be released to the wrong party or more information is released than a patient would like to a third party. More broadly, the telehealth services led to a greater increase around email exchanges between physicians and patients and an increase of sharing protected health information between patients, providers, and third-party organizations. Inevitably, questions remain how to further protect patient privacy while allowing new and evolving technology to help deliver better care. Importantly though, the public health emergency has demonstrated gaps that exist in privacy legislation, specifically in the area of healthcare and health information.
Medical records remain one of the most valuable types of information, and especially during the public health emergency protected health information has been at a higher risk than it typically is. In 2020, about 26 million patients records were exposed to unauthorized parties in the United States. The rise in healthcare cyber-attacks stems from the poor handling of patient records and moving these records to cloud services. When HIPAA was designed in 1996 it did not account for cybersecurity and more importantly, it has not been modified to keep up with the conditions that lead to modern healthcare cyber-attacks. HIPAA only applies to direct patient care providers and it does not account for other third-party platforms such as fitness and personal health applications that may also collect personal data.
Conversations regarding previous callings for HIPAA to be modified are coming up again. There may need to be more changes to HIPAA, so that technology can be used in a way that enhances privacy protection and improves information sharing. Congress and HHS are urging that now is the time for privacy gaps to be addressed either through federal privacy legislation, or through modification to the HIPAA rule. As HHS awaits feedback on the new proposed privacy rule, at least 15 states have introduced privacy legislation, and a House Democrat introduced the first comprehensive federal privacy bill of the year—Information Transparency and Personal Data Control Act. It is likely that states will continue to move forward with privacy legislation, but there continues to be a need for a broad federal standard