Unintended consequences seen in proposed HIPAA privacy rule revision

Andis Robeznieks , Senior News Writer

The Department of Health and Human Services (HHS) has proposed modifying patient privacy rules to remove barriers to coordinated care. The AMA says the proposal is “well-intentioned” but ill-timed and incomplete, having the potential to whittle away protections designed to secure private health information.

Subscribe to AMA Advocacy Update

Stay current on the latest on the issues impacting physicians, patients and the health care environment with the AMA’s Advocacy Update Newsletter. 

The proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) would come at the same time physicians will be working to comply with new regulations on information blocking promulgated by the HHS Office of the National Coordinator for Health Information Technology (ONC).

“Physician practices are already making significant, paradigm-changing adjustments to their information management, patient engagement, and exchange processes,” AMA Executive Vice President and CEO James L. Madara, MD, wrote in a letter to HHS Office for Civil Rights (OCR) acting Director Robinsue Frohboese.

Dr. Madara asked her to take into account the administrative burdens of implementing the information-blocking rules—as well as the strains of the ongoing COVID-19 public health emergency—and reconsider the timing of imposing massive changes to patient-privacy laws.

Learn more about information blocking with the AMA’s Patient Access Playbook.

Related Coverage

How to make peer-to-peer prior authorization talks more effective

In addition to the burdens the changes would place on physician practices, there are other major concerns with the proposal itself.

The AMA is  concerned that patients’ private medical information is growing increasingly vulnerable in a wired society and that a growing range of digital patient data is already being shared beyond the confines of the HIPAA framework without protections of federal privacy laws. 

“OCR has created a proposal full of well-intentioned policies that are poised to ease how patients access their data, increase the amount of information payers can receive from health care providers, expand the scope of entities to which physicians may disclose patient data, and reduce patient and physician burden,” Dr. Madara’s letter says.

But Dr. Madara also criticized the proposal’s timing and content.

It is necessary to “place the patient first” in any privacy framework, he added. This includes requiring that any entity seeking a patient’s confidential medical information must pass a “stringent test showing why its professed need should override individuals’ most basic right in keeping their own information private.”

The AMA appreciates the OCR’s desire to expand existing federal definitions of “electronic health record (EHR),” but noted that its terminology is negating efforts by ONC to clarify what is meant by “electronic health information (EHI)” and “electronic protected health information (ePHI).”

Related Coverage

As COVID-19 peaked, prior authorization’s harmful burdens continued

The loss of balance between access and privacy is a major concern, particularly when it comes to smartphone applications.

“The AMA strongly opposes the finalization of any policies expanding the current ability of covered entities—or any other type of entity, including smartphone apps and third parties—to override an individual’s privacy preferences,” the letter says.

In its 45 pages of comments, the AMA touches on the trend of referring patients to social service agencies or community-based organizations (CBOs).

While patients may benefit from the services these organizations provide, permitting covered entities to disclose personal health information to a non-health care provider without a patient’s authorization presents challenges.

These include CBOs lacking the resources to protect the information from outsiders or access controls to prevent patients’ information from being seen by anyone within the organization who does not need to see it.

Understanding HIPAA has been historically challenging, but there are other ways to address this.

“Physicians need and want guidance that helps them navigate the ‘grey areas’ of privacy law, rather than revision of laws that protect patient privacy interests,” Dr. Madara wrote.