
February 26, 2021

Inside this Issue:

COVID-19 Vaccination Eligibility

Starting Monday, March 1st, COVID-19 vaccination eligibility will be expanded to include teachers, staff and employees in K-12, preschool or childcare settings as well as to first responders and public safety personnel (including law enforcement, public safety, fire services and emergency management officials). Beginning Wednesday, February 24, persons in these groups can make appointments for vaccinations taking place on or after March 1st. To find an appointment, visit the online scheduler, or call (877) 978-6453, 7 AM to 7 PM.

Save the Date!

Save the Date:
2021 MSHIMA Annual Convention
June 23-25 | Virtual

Be Sure to “Like” Us on Facebook

If you have not already had the opportunity to ‘Like’ the MSHIMA Facebook page, we encourage you to do so. We often post engaging content and links to articles and events that may be of interest to you.

Save the Date: AHIMA21 Virtual Conference

I’m pleased to share that after a successful virtual annual conference last year, AHIMA21 will be virtual this year, taking place Monday, September 20, through Wednesday, September 22, 2021. The benefits of a virtual meeting are numerous, and we feel this is a prudent decision, given the uncertain state of the pandemic. As you might expect, all organizations have to make decisions months in advance about in-person meetings this year, and we are striving to make the best choices possible with the information available.

We hope to gather in person soon. In the meantime, we are excited our members can attend dynamic education sessions and earn CEUs from the comfort and safety of their home. We also heard from members last year who said they are typically unable to travel to conferences and were thankful to have the opportunity to participate virtually.

We are posting a call for AHIMA21 presentations later this week. If you or someone you know is interested in hosting an education session, please share the information with them.

Thank you for all you do. We look forward to bringing health information professionals together for another great virtual meeting in September!

Biden Reopens ACA Enrollment for Three Months in Opening Bid to Extend Health Coverage

By Amy Goldstein

President Biden ordered Thursday the reopening of the Affordable Care Act’s federal insurance marketplaces for three months to give millions of Americans who need coverage during the coronavirus pandemic an extended chance to buy health plans.

The directive, part of a series of executive actions the president is taking during his first days in office, is a down payment on his pledge to make health care more accessible and affordable and a sign of his determination to rehabilitate the landmark law after four years of Republican battering. Those goals have taken on more urgency as 25 million people have been infected with the coronavirus and millions of others have lost jobs.

Biden also instructed officials to remove barriers to Medicaid erected under President Donald Trump. These are concrete steps, but health experts said their importance lies primarily in indicating the direction he wants to take the nation’s health-care system. Since his campaign, the president has made clear that he believes the perennially divisive ACA should be further anchored in American life — and used as a springboard for expanding access to affordable coverage.

During a brief signing ceremony, Biden described the action in unusually direct terms, as a way “to undo the damage Trump has done,” saying his predecessor had made the ACA plans “more inaccessible, more expensive, and more difficult for people to qualify for.”

The president also began Thursday to rewrite federal policy surrounding reproductive rights. He rescinded one federal rule Trump had reinstated that forbade family-planning aid to international organizations that refer women for abortions. And he instructed federal health officials to review another Trump-era rule that has been financially damaging to Planned Parenthood.

Later in the day, the Department of Health and Human Services announced a special enrollment period from Feb. 15 to May 15 through, the online marketplace for people who cannot get affordable health benefits through a job.

The order affects people in three dozen states that rely on the federal marketplaces, allowing those consumers to buy a health plan or to update a previous application for coverage. The action does not directly affect residents of states that run their own ACA insurance exchanges, but a White House official predicted that those states — many of which reopened their marketplaces early in the pandemic — will follow suit.

For the past few years, Americans who qualify for ACA health plans have been required to sign up during six weeks late each year, except if they could prove they had a major life change, including the loss of a job. The new enrollment period will not require such proof, the White House official said, speaking on the condition of anonymity before the president’s remarks.

In a ceremony lasting less than five minutes, Biden said that his actions were moored in the law that he and President Barack Obama championed. “There’s nothing new that we’re doing here,” he said, “other than restoring the Affordable Care Act and restoring Medicaid.”

“As we continue to battle covid-19, it’s even more critical that Americans have meaningful access to health care,” he added.

The White House indicated that the administration planned to boost federal aid for advertising, outreach and contracts with community groups that help people figure out how to sign up. The Trump administration, during its first two years, slashed most of the funding for such efforts, saying there was no evidence they were effective.

The White House official declined to say how money will be spent. But the Centers for Medicare and Medicaid Services, which oversees ACA enrollment, said the agency plans to spend $50 million on increasing public awareness of the sign-up period. That sum approximates what the Obama administration spent in the first years of, which debuted the fall of 2013, but it is about half the $101 million for outreach in the final year of Obama’s tenure.

An estimated 15 million uninsured people in the United States could qualify for the ACA health plans, according to the Kaiser Family Foundation, a health-policy research organization. Nearly 9 million of them would be eligible for a federal financial subsidy for their monthly premiums, the estimates show.

Biden “is moving fast to do what he can to invigorate the ACA,” said Larry Levitt, Kaiser’s executive vice president, but he called the actions “a very partial step.”

Levitt noted that Biden’s broader health-care goals — which would require the consent of Congress — include making ACA plans more affordable by expanding premium subsidies to people well into the middle class and increasing financial help to those already receiving subsidies.

“There’s a risk in reopening enrollment without increasing subsidies,” Levitt said. “It will be hard to get more people to sign up without the coverage being any more affordable.”

Jennifer M. Haley, an Urban Institute research associate, concurred, pointing to research suggesting that cost is the most common barrier people cite for not exploring or buying a marketplace health plan.

Even some federal health officials questioned the practical effect of Biden’s actions on enrollment in the ACA’s private plans, though they said they regard it as a symbolic statement of faith in the law. Two HHS officials said analyses of Biden’s order, such as projections of health-insurance enrollment changes, had not been circulated to the relevant teams — a change from the Obama and Trump administrations, when the White House often laid groundwork for its actions involving the ACA days or weeks in advance.

“I think it’s more of a gesture [by Biden] to look like they’re doing something immediately,” said one health official, speaking on the condition of anonymity because they weren’t authorized to discuss the president’s actions.

The officials noted that sign-ups that ended last month for marketplace coverage — about 8.3 million in the states using — did not grow from the previous year, despite the economic and insurance losses from the pandemic.

But they predicted that the additional sign-up opportunity could produce a spike in Medicaid enrollment, because low-income Americans who visit the ACA marketplace are often steered to the safety-net health program.

The directive was welcomed by America’s Health Insurance Plans, the industry’s main trade group, which has been pressing since early in the pandemic for the government to give people more time to enroll through the federal marketplaces. The American Medical Association also praised the actions, as did the Federation for American Hospitals, which represents for-profit hospitals and health systems.

Predictably, congressional Democrats supported the moves, while some Republicans accused the president of overreaching.

As expected, other parts of the president’s order will direct federal agencies to review federal rules to ensure they promote access to health care.

The one Trump administration policy mentioned in the order involves Medicaid work requirements — a rule inviting states to ask for federal permission to compel some people to work or prepare for jobs to join the safety-net insurance program. Federal courts have ruled against such requirements, but a case trying to reinstate the idea is before the Supreme Court.

Asked during a briefing whether federal health officials will withdraw permission the last administration gave several states for work requirements, perhaps before the high court rules, the White House official did not answer directly but said, “HHS is expected to take a very close look at those waivers.”

Biden also issued a presidential memorandum that the White House is characterizing as “protecting women’s health at home and abroad.” A major feature of the order will rescind the “Mexico City policy,” which forbids nonprofit groups in other countries from receiving U.S. federal family planning aid if they provide abortion counseling or referrals.

Another part of that memorandum instructs HHS to “take immediate action to consider” whether to remove regulations under the Title X program that supports family planning. The White House official said that directive is focused on a 2019 Trump administration rule, hostile to Planned Parenthood, that blocks organizations that provide abortions or referrals from receiving funds through Title X; the action has been challenged in courts.

Health Records Challenge Biden Push for COVID Data Sharing

Getting information collected on Covid outbreaks and responses from state and local health authorities to the federal government could pose a challenge to the Biden administration’s push to share data across agencies.

The data-sharing initiative is outlined in an executive order President Joe Biden issued Jan. 21. The order directs the Secretary of Health and Human Services to review the interoperability of public health data systems nationwide.

Communication between records systems used by doctors or hospitals is often an issue in health care, since information may be maintained differently in different jurisdictions.

“We don’t have a national health records system among health care providers, let alone public health authorities,” said Elizabeth Litten, partner and chief privacy and HIPAA compliance officer at Fox Rothschild LLP. “So it’s very spotty and piecemeal.”

The White House didn’t respond to a request for comment on what it envisions for the Covid data pipeline. The administration’s Covid-19 task force held its first briefing Wednesday.

For Covid testing data, the Centers for Disease Control and Prevention has access to information submitted by state health departments as well as other sources, including commercial, public health, and in-house hospital laboratories. Other Covid data resources such as the Covid Tracking Project rely on manual collection of state-level information, while some trackers use county-level records instead.

Sharing Covid data across the government would help direct vaccines and other resources to communities with the greatest need. It’s also meant to further public understanding of the pandemic and limit the spread of misinformation or disinformation, according to the executive order.

Further guidance is coming from the White House on how to de-identify Covid-related data, which would be necessary to comply with the Health Insurance Portability and Accountability Act. HIPAA is a federal privacy law that outlines rules for sharing personal health information.

De-Identifying Data

The order directs the head of the White House Office of Management and Budget to work with other federal officials to review the government’s current data approach and issue guidance on how to de-identify Covid information and make it open to the public as quickly as possible.

De-identification under HIPAA typically involves stripping information such as names, Social Security numbers, and other data that could be used to pinpoint individuals. The executive order doesn’t specify what kind of Covid data it covers, though it could include information on test results, treatments, and vaccines, as well as demographic data used to measure the impact of the pandemic on different populations.

“There’s an inherent tension between the privacy needs of an individual and the public health needs of society,” said Jo-Ellyn Sakowitz Klein, senior counsel at Akin Gump Strauss Hauer & Feld LLP focusing on privacy and data protection. “Here the stakes are really high.”

Litten said even data that’s de-identified can be traced back to individuals in some cases. Individuals identified in news reports, for example, could be matched back to anonymized records from hospitals.

In taking steps to protect privacy, the government could audit the data to make sure it’s not re-identifiable, she said.

System Sharing

Without interoperability, it could be difficult to understand the scope of the pandemic or identify areas of the U.S. that are struggling or having more success in their response to Covid, according to Jon Knight, a privacy and security-focused senior associate at Alston & Bird LLP.

“Making sure those systems are able to talk with each other” will be important, Knight said.

HHS issued new interoperability rules last year meant to give individual patients more control over their health data and how it’s shared. Applying the same concept on a larger scale during a pandemic could be more challenging, said Dianne Bourque, a health care attorney at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.

“There’s been a lot of time and effort and expertise expended over the years to facilitate interoperability in the normal care system,” Bourque said. “If it’s a challenge in regular health care, it’s a much bigger challenge as a larger public health effort.”

Any interoperability or privacy issues that could arise from broader scale data sharing by public health agencies may be less of a concern because of how aggregated the records are, according to Kirk Nahra, a privacy-focused partner at Wilmer Cutler Pickering Hale and Dorr LLP.

“Sending numbers is a question of sending a spreadsheet. It’s easy,” Nahra said. “Sending medical records is hard.”

Health Experts Misjudged EHR Clinician Burnout at HITECH Act Passage

Clinicians and healthcare experts did not fully grasp the high potential of EHR clinician burnout at the time of the HITECH Act passing in 2009.

By Christopher Jason

Following the passage of the HITECH Act in 2009 and the subsequent increase in EHR adoption, clinicians and healthcare experts significantly underestimated the degree of clinician burnout and its contributing factors, according to a study published in the Journal of the American Medical Informatics Association (JAMIA).

On the contrary, healthcare professionals overestimated the concern over patient privacy and fraud.

After the HITECH Act passed, clinician burnout has run rampant across the country amidst poor EHR usability, unintuitive EHR design, and high clinician workload.

Healthcare professionals, including individuals from the American College of Medical Informatics (ACMI), met at the 2009 AMIA Policy Meeting to dissect the potential unintended consequences associated with the EHR adoption increase following the HITECH Act. Participants established 17 possible consequences and 15 recommendations to address the consequences.

Twelve years later, 40 ACMI fellows attended a symposium to discuss the EHR impact of clinician burnout and dissect the 2009 AMIA Policy Meeting predictions and recommendations.

The individuals found none of the 2009 predictions directly addressed clinician burnout. However, several predictions addressed burnout components, such as increased documentation, increased cognitive load, data overload, and clinicians retiring early.

The study authors said the most underestimated EHR impact was, “behaviors like cut/paste will result in decreased data quality.” On the other hand, the most overrated effect was, “false positives from abuse and fraud detection algorithms will harm clinicians and/or patients.”

“The collective opinion of the ACMI fellows participating in this session was that, while many consequences of the HITECH act were foreseen in 2009, the magnitude of the current burnout crisis largely was not,” wrote researchers. “On a brighter note, the problems of rampant identity theft or ‘false positives from abuse and fraud detection algorithms’ have not been as severe as was feared, perhaps owing to advancements in EHR security and regulations.”

The study group credited the 2009 healthcare experts because of their initial concerns about EHR documentation burden and the potential harm of EHR system interfaces. Furthermore, informatics researchers at the time also attempted to enhance EHR efficiency to prevent clinician burnout from becoming as widespread as it is now.

But research and workshops are not enough to address current clinician burnout issues, the study authors said. For example, individuals at the 2009 AMIA Policy Meeting recommended further research and regulatory tools to mitigate EHR-related problems. However, legislation, such as gag clauses and other patient data-sharing practices, stymied those efforts.

“Another observation is that, even though scores of informatics research projects have developed potential approaches to mitigate these problems, too few of those have been translated into real-world solutions,” wrote the study authors. “In hindsight, we suggest that implementing more of the 2009 recommendations, such as research on the cognitive burden of commercial EHRs and incentives to share best practices, may have been able to mitigate some of the clinician burnout currently being experienced.”

Researchers did note study participants strictly identified specific EHR-related causes of clinician burnout. For example, the group did not differentiate intrinsic EHR software impact or the different optimizations or functions that contribute to burnout.

“While informatics experts did accurately predict a number of the issues that now contribute to clinician burnout, we did not accurately foresee the magnitude of the current crisis,” concluded the study authors. “Perhaps equally important, the Policy Meeting included a number of recommendations that may have reduced the severity of HIT-related unintended consequences, including physician burnout. Unfortunately, few of these recommendations were enacted.”

Health Information Privacy Laws in the Digital Age: HIPAA Doesn’t Apply

By Kim Theodos, JD, MS, RHIA, and Scott Sittig, PhD, MHI, RHIA


The notion of health information privacy has evolved over time as the healthcare industry has embraced technology. Where once individuals were concerned about the privacy of their conversations and financial information, the digitization of health data has created new challenges for those responsible for ensuring that patient information remains secure and private. Coupled with the lack of updated, overarching legislation, a critical gap exists between advancements in technology, consumer informatics tools and privacy regulations.

Almost twenty years after the HIPAA (Health Insurance Portability and Accountability Act) compliance date, the healthcare industry continues to seek solutions to privacy challenges absent formal contemporary law. Since HIPAA, a few attempts have been made to control specific aspects of health information, including genetic information and use of technology; however, none were visionary enough to address issues seen in today’s digital, data-focused healthcare environment. The proliferation of digital health data, trends in data use, increased use of telehealth applications due to the COVID-19 pandemic, and the consumer’s participatory role in healthcare all create new challenges not covered by the existing legal framework. Modern efforts to address this dilemma have emerged in state and international law, though the United States healthcare industry continues to operate under a law written two decades ago. As technology continues to advance at a rapid pace, along with consumers playing a greater role in the management of their healthcare through digital health, the privacy guidance provided by federal law must also shift to reflect the new reality.


Throughout history, ethics rather than regulation governed the privacy of patient information. Originally, individuals were concerned primarily with invasion of their homes, financial records and personal conversations, yet with the proliferation of digital health tools individuals are becoming more aware of the vulnerability of their health data.1 The digitization of healthcare coupled with consumers taking a more active role in their healthcare management has created an abundance of health data that falls between the cracks of current privacy regulations.2 Current regulations have emerged over time, initially rooted in ethical principles and often loosely interpreted and applied to health information.

One of the first attempts to regulate privacy of health information was the Privacy Act of 1974.  It focused on protection of health records collected and maintained by the Federal Government.  Most notably, only federal agencies were required to comply, although it did give best practices for use and disclosure of patient information. Healthcare providers were predominantly unaffected and continued to practice privacy based on ethics until more comprehensive legislation was passed.3

Previous attempts at privacy regulations were insufficient; therefore, the Health Insurance Portability and Accountability Act of 1996 was written and included the privacy and security rules creating comprehensive yet general restrictions for health information privacy. HIPAA remains the most critical law related to healthcare privacy because it provided a direct and unavoidable right to privacy for all patients.4–6

Compliance with the original HIPAA regulations took significant time and effort by healthcare facilities, and more changes were on the horizon as the focus on patient rights grew. As the challenges and risks of healthcare privacy took center stage, legislators became increasingly eager to draft privacy legislation with a narrower scope.

In the late 1990s, discrimination based on genetic information became a major concern for patients and physicians. Genetic data is more sensitive than clinical patient data as it involves identification of not only the individual patient but also his/her family members. Modern courts recognized the sensitive nature of genetic information, and their decisions reflected a perceived need for additional protection of this type of information beyond what HIPAA offered.7,8 Congress passed the Genetic Information Nondiscrimination Act (GINA) in May of 2008.  GINA became the legal standard for the collection, use, and disclosure of genetic information.7,8 Although only focused on genetic information, GINA served as a further step in the evolution of health information privacy laws.

The American Recovery and Reinvestment Act (ARRA), passed in 2009, was intended to provide economic stimulus to the sluggish American economy.9 The healthcare industry was front and center in many parts of the Act, but mostly in the Health Information Technology for Clinical Health Act (HITECH) portion.9 While spotlighting and investing in electronic health records and healthcare information technology, HITECH also amended some privacy provisions of HIPAA. It redefined some key terms found in HIPAA and created an official structure for governance of policy and standards relating to healthcare privacy and security.

HITECH’s Meaningful Use program successfully incentivized adoption of Electronic Health Records with substantial increases in use of IT throughout the healthcare industry.10,11 This moved much of the traditional patient data from a paper record to a digitized format which was encouraged by HITECH. Meaningful Use created new channels of health data access (i.e., patient portals) for patients to access their health information, but it also introduced new concerns for health data privacy.12 Although HITECH made great advancements in health information technology, it failed to address the new privacy and security challenges presented by the digitization of health information.13

Up to this point, the aforementioned privacy and security laws did not address the transition of healthcare into the digital age. With the implementation of digital health tools such as patient portals, health information exchanges, genomic registries, wearables, and mobile health (mHealth) applications, a void in the protection of health data emerged.

Modern Privacy Laws

Recent attempts have been made at the federal and state level to acknowledge digital health data; however, privacy and security guidance has been limited. For instance, the 21st Century Cures Act was signed into law (2016), reflecting a major push in the pharmaceutical industry to modernize drug development and create innovative pathways and clinical trials.14 This legislation did address interoperability issues associated with data exchange and emphasized a patient’s right to access their own information, yet it did not go far enough to change or reclassify patient privacy or further define the data that is covered by privacy regulations.15,16

Where no federal law or less restrictive federal law exists, states are allowed to pass legislation at their discretion. Given the lack of comprehensive privacy law updates as well as modern advancements in how healthcare data is managed, stored and transmitted, many states have individually passed privacy laws that are stricter than HIPAA, GINA and ARRA. Many of these state laws also deal with digital health data as well as reinforcing patient rights.

For instance, the state of California recently passed a unique privacy law focused on protecting residents’ data privacy rights.17 The California Consumer Privacy Act was signed into law in 2018 with a 2020 compliance date. This legislation addresses modern challenges associated with consumer privacy such as opt-out options for consumers who do not wish for their information to be sold to third parties as well as more detailed disclosure of how consumer data is used to promote transparency and understanding by consumers. The main limitation of CCPA is the narrow scope of businesses that must comply. Primarily this law focuses on large corporations with substantial revenues and/or customer volume.17

In 2018, Colorado passed an innovative law requiring the most stringent measures in the United States to protect consumer data privacy. The Colorado Consumer Privacy Act defines a covered entity as any organization or person who “maintains, owns, or licenses personal identifying information of an individual residing in Colorado.”18 This is a much broader definition than HIPAA provided and includes many of the corporations not covered by the HIPAA definition of a covered entity. The Colorado law’s breach notification terms include a more stringent timeframe (30 days compared to 60 days in ARRA) as well as requiring notification of Colorado government officials of any breach affecting more than 500 residents.18 Finally, the data covered by this law includes both healthcare and financial data.18

Similar to the Colorado Consumer Privacy Act, the European Union (EU) implemented new regulations of digital data privacy to include healthcare data. The EU General Data Protection Regulation, passed in 2016 with a compliance date of May 2018, is a notable international law aimed at protecting privacy of individuals in the European Union.19,20 The legislation mimics HIPAA in some areas with breach notification rules, penalties, and patient rights; however, it focuses on data, technology, cloud-based applications and third-party access to data.19,20 Many see this law as an upgrade to the outdated version of HIPAA still used in the United States.19,20

Even with these notable changes there are still health data privacy concerns as many digital health tools are not covered by current HIPAA privacy laws. For instance, recent research has shown that some mobile health (mHealth) applications leave residual protected health information data on the hardware of the device utilized.21,22 This leaves the consumer’s health data vulnerable to be utilized or accessed for purposes other than which the consumer agreed upon.23,24

Current Challenges with Digital Data and Privacy

Emerging technologies such as genealogical databases (e.g., 23andMe and Ancestry) as well as wearable devices and mHealth apps have created a new risk for data privacy that is not covered by HIPAA. These digital health tools are not covered entities; therefore, they are not required to protect the data they collect under HIPAA. Neither the Department of Health and Human Services nor the Office of Civil Rights has purview over this data or any breach of the consumer’s information. Any complaint regarding a breach of a consumer’s health data is rejected, as there is no controlling law currently for this type of data. Complaints of this type go to the Federal Trade Commission; however, many consumers are never aware that their information is breached, shared or sold to a third party because there is no breach notification requirement in place.

The novel Coronavirus (COVID-19) pandemic has further highlighted the need for the modernization of HIPAA. Although HIPAA disclosure laws found in the Privacy Rule remained applicable for sharing of patient data for patient care and public health purposes, the considerable increase in use of telehealth as a result of COVID-19 poses challenges for HHS. In March 2020, HHS released a notification of enforcement discretion surrounding use of remote communication applications, software and technology, provided that the use of those technologies is in good faith.25 This included use of video chat and communication platforms supporting telehealth visits, which did not require Business Associate Agreements for these third-party vendors as normally required under HIPAA. The mechanisms of delivery of healthcare have been completely altered, use of technology is now undeniable, and applicable laws such as HIPAA must be revised.

Consumer Health Informatics

The field of consumer informatics continues to grow rapidly as consumers (i.e. patients) take a more active role in their healthcare utilizing technology such as patient portals, online forums, personal health records, wearables, medical Internet of Things (IoT) and mobile health applications (mHealth).

Medical internet of things (mIoT) is a system that connects devices such as sensors, smartphones (mobile health apps), wearables, smart TVs and intelligent virtual assistants (e.g. Amazon Echo, Google Home) to facilitate the healthcare delivery process.26 The assimilation of mIoT and mobile health apps into the healthcare ecosystem has vastly changed the manner in which healthcare is delivered and has the potential to improve the quality, safety and efficiency of healthcare services.27–29 mIoT is driven by the monitoring of personal health information by sensors and the analysis of the data received from these sensors. mIoT and mobile health applications have emerged as revolutionizing technologies that are redefining the way patient data is accessed, stored and delivered.

While accessing and utilizing these consumer informatics tools helps consumers make more informed health decisions, it also presents a privacy challenge since most of the consumer health informatics tools are not governed under the HIPAA Privacy Rule.30 This is especially true in the wearables and mHealth app markets, where these tools and applications seem to fall between FDA regulation and the HIPAA Privacy Rule.31 Many wearables and mHealth solutions store consumer health data in the cloud, a fact of which the consumer may be unaware.30 As long as the consumer health informatics tool is not integrated as part of a healthcare system, the tool vendor does not have to meet HIPAA or HITECH guidelines.30,32 This leads to a critical gap in privacy protection where consumers have very little understanding and control of how their health data is stored, accessed and utilized.

Genomic Data

With reductions in the cost of genomic sequencing, there has been an increase in the utilization of genomic data for clinical research and healthcare delivery.33 In addition, there are new options such as direct-to-consumer genetic testing, which allows consumers to initiate genetic testing for specific mutation risks. For instance, the FDA allowed 23andMe to offer direct-to-consumer testing for BRCA1 or BRCA2 mutations for women to help identify breast cancer risks.34 Due to the gaps in health data privacy across the digital health ecosystem, there has been an increase in the sophistication of attacks on stored genomic data.33 These sophisticated attacks utilize public information (e.g. demographic data and genealogical data), genomic-sharing websites (e.g. PatientsLikeMe), online forums and online social networks to triangulate the data in an effort to identify the consumer (i.e. patient).33 Genomic data is another segment of digital health data that lacks appropriate protection under GINA and HIPAA.


In 1963, Justice Earl Warren was quoted as saying “The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual.”35 This prophetic statement speaks to the challenges faced in health information privacy today.

With no major updates in the last 20 years, HIPAA remains the preeminent comprehensive health information privacy law. HIPAA was written and passed in the late 20th century, when the health information environment was primarily paper based and before the explosion of digital health tools. Two decades later, the health information industry has transformed, leaving substantial gaps between advancements in digital health and privacy laws. Individual states as well as the European Union have taken more modern approaches to creating privacy laws that reflect contemporary practices, demonstrating an awareness of the challenges that exist in the management of digital data. These modern approaches to legislation could serve as guides for necessary changes to federal law. Although the benefits of digital data and the opportunities associated with electronic data are “fantastic” as proclaimed by Warren, he was also accurate in his prediction of the dangers now challenging the patient’s right to privacy.35 In order to protect consumer health data so that consumers and health professionals can leverage the power of data in the digital age, revisions to the current privacy laws are vital.


  1. Xu Z. An empirical study of patients’ privacy concerns for health informatics as a service. Technological Forecasting and Social Change. 2019 Jun 1;143:297–306.
  2. Glenn T, Monteith S. Privacy in the digital world: medical and health data outside of HIPAA protections. Curr Psychiatry Rep. 2014 Nov;16(11):494.
  3. Solove DJ. A Brief History of Information Privacy Law. GW Law Scholarly Commons. 2006;47.
  4. Goldstein MM, Pewen WF. The HIPAA Omnibus Rule: Implications for Public Health Policy and Practice. Public Health Rep. 2013;128(6):554–8.
  5. Majumder MA, Guerrini CJ. Federal Privacy Protections: Ethical Foundations, Sources of Confusion in Clinical Medicine, and Controversies in Biomedical Research. AMA Journal of Ethics. 2016 Mar 1;18(3):288–98.
  6. Cohen IG, Mello MM. HIPAA and Protecting Health Information in the 21st Century. JAMA. 2018 Jul 17;320(3):231–2.
  7. Feldman EA. The Genetic Information Nondiscrimination Act (GINA): Public Policy and Medical Practice in the Age of Personalized Medicine. J Gen Intern Med. 2012 Jun;27(6):743–6.
  8. Erwin C. Legal update: living with the Genetic Information Nondiscrimination Act. Genet Med. 2008 Dec;10(12):869–73.
  9. Carley S, Hyman M. The American Recovery and Reinvestment Act: Lessons from Energy Program Implementation Efforts. State and Local Government Review. 2014 Jun 1;46(2):130–7.
  10. Jha AK. Meaningful Use of Electronic Health Records: The Road Ahead. JAMA. 2010 Oct 20;304(15):1709–10.
  11. Slight SP, Berner ES, Galanter W, Huff S, Lambert BL, Lannon C, et al. Meaningful Use of Electronic Health Records: Experiences From the Field and Future Opportunities. JMIR Med Inform [Internet]. 2015 Sep 18 [cited 2019 Dec 31];3(3). Available from:
  12. Kruse CS, Bolton K, Freriks G. The Effect of Patient Portals on Quality Outcomes and Its Implications to Meaningful Use: A Systematic Review. Journal of Medical Internet Research. 2015;17(2):e44.
  13. Gold M, McLaughlin C. Assessing HITECH Implementation and Lessons: 5 Years Later. Milbank Q. 2016 Sep;94(3):654–87.
  14. Gabay M. 21st Century Cures Act. Hosp Pharm. 2017 Apr;52(4):264–5.
  15. Kesselheim AS, Avorn J. New “21st Century Cures” Legislation: Speed and Ease vs Science. JAMA. 2017 Feb 14;317(6):581–2.
  16. Avorn J, Kesselheim AS. The 21st Century Cures Act — Will It Take Us Back in Time? New England Journal of Medicine. 2015 Jun 25;372(26):2473–5.
  17. Stephens J. California Consumer Privacy Act [Internet]. 2019 [cited 2019 Dec 31]. Available from:
  18. Peters I. HIPAA-Covered Entities: It’s Time to Cover Yourself [Internet]. The National Law Review. 2018 [cited 2019 Dec 31]. Available from:
  19. Phillips M. International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR). Hum Genet. 2018 Aug 1;137(8):575–82.
  20. Dove ES. The EU General Data Protection Regulation: Implications for International Scientific Research in the Digital Era. J Law Med Ethics. 2018 Dec 1;46(4):1013–30.
  21. Miller S, Glisson W, Campbell M, Sittig S. Risk Analysis of Residual Protected Health Information of Android Telehealth Apps. AMCIS 2019 Proceedings [Internet]. 2019 Jul 8; Available from:
  22. McGowan A, Sittig S, Menard P. mHealth Cross-Contamination of User Health Data: Android Platform Analysis. AMCIS 2019 Proceedings [Internet]. 2019 Jul 8; Available from:
  23. Cilliers L. Wearable devices in healthcare: Privacy and information security issues. Health Inf Manag. 2019 May 30;1833358319851684.
  24. Hewitt B, Dolezel D, McLeod A. Mobile Device Security: Perspectives of Future Healthcare Workers [Internet]. [cited 2019 Dec 31]. Available from:
  25. Office for Civil Rights (OCR). Notification of Enforcement Discretion for Telehealth [Internet]. 2020 [cited 2020 Oct 16]. Available from:
  26. Sadoughi F, Behmanesh A, Sayfouri N. Internet of things in medicine: A systematic mapping study. J Biomed Inform. 2020 Mar;103:103383.
  27. Kadhim KT, Alsahlany AM, Wadi SM, Kadhum HT. An Overview of Patient’s Health Status Monitoring System Based on Internet of Things (IoT). Wireless Pers Commun. 2020 Oct 1;114(3):2235–62.
  28. Shehabat IM, Al-Hussein N. Deploying Internet of Things in Healthcare: Benefits, Requirements, Challenges and Applications. J Commun. 2018;
  29. Proceedings of the 5th EAI International Conference on Smart Objects and Technologies for Social Good | ACM Other conferences [Internet]. [cited 2020 Oct 16]. Available from:
  30. Perez AJ, Zeadally S. Privacy Issues and Solutions for Consumer Wearables. IT Professional. 2018 Jul;20(4):46–56.
  31. Shuren J, Patel B, Gottlieb S. FDA Regulation of Mobile Medical Apps. JAMA. 2018 Jul 24;320(4):337–8.
  32. Mitchell M, Kan L. Digital Technology and the Future of Health Systems. Health Systems & Reform. 2019 Apr 3;5(2):113–20.
  33. Mohammed Yakubu A, Chen Y-PP. Ensuring privacy and security of genomic data and functionalities. Brief Bioinformatics. 2019 Feb 12;
  34. Gill J, Obley AJ, Prasad V. Direct-to-Consumer Genetic Testing: The Implications of the US FDA’s First Marketing Authorization for BRCA Mutation Testing. JAMA. 2018 Jun 19;319(23):2377–8.
  35. Stone GR. The Scope of the Fourth Amendment: Privacy and the Police Use of Spies, Secret Agents, and Informers. American Bar Foundation Research Journal. 1976;1(4):1193–271.

MSHIMA Job Board

The MSHIMA website contains a job board available for those seeking employment and those looking to hire qualified HIM professionals in Mississippi. The job board is free to use for all MSHIMA members. Click here to access this great membership tool.

MSHIMA Legal Manual Now Available

Don't forget that the MSHIMA Legal Manual is available for purchase and download. This manual includes state and federal guidelines and policies for health information management. Stay up-to-date on the latest updates on policy and download your copy today!


Corporate Sponsors

Thanks to all of our corporate sponsors!

To become a corporate sponsor click here.
3M Logo
DocuVoice Logo
Iron Mountain Logo
himagine Logo

Copyright © 2021 KnowledgeConnex, All rights reserved.
