Some proposed HIPAA changes could inadvertently expose the data it’s supposed to protect

The government’s proposed changes to HIPAA aim to provide guardrails against data breaches and misuse, but some of the modifications may not work as intended. Three healthcare experts delved into the ways in which certain proposals could provide inappropriate access to health data during a recent panel discussion.

While the government’s proposed modifications to HIPAA primarily aim to make it easier for patients to access their health data, there may be some unintended consequences.

That’s according to Laura Hoffman, assistant director of federal affairs at the American Medical Association, who spoke on a panel organized by healthcare consultancy Sirona Strategies about the proposed changes to the HIPAA Privacy Rule.

One of the changes involves allowing patients to receive their medical information via personal health applications — smartphone apps, for example — which are often developed and operated by third-party technology companies. But these companies are generally not governed by HIPAA, opening up patient health data to potential misuse, Hoffman said.

“The patient isn’t the only one getting the information in that situation, and so you wind up exposing information to tech platforms, app developers and others,” she said.

That exposed information can then be shared with data brokers who create profiles on individuals, which can be used for potentially nefarious purposes. For example, it creates a gating opportunity where some people may get certain opportunities based on those profiles, and others are barred from those same opportunities, Hoffman said.

This has already happened in housing where the government sued Facebook for alleged housing discrimination. The suit claims that the tech giant used data-mining practices to only allow certain users to see housing advertisements based on demographic data, like race, religion and national origin.

“So, individually, we may not care if these kinds of profiles are created, but when you think systemically, and when you think about the opportunities that are afforded certain people based on data versus those that are not, it becomes a bigger conversation,” she said.

To combat this potential issue, there needs to be federal legislation, said Deven McGraw, co-founder and chief regulatory officer of Ciitizen, during the panel discussion. Though companies may put up privacy notices and have patients click through their terms and conditions, it is pretty clear that few, if any, consumers actually read through them.

“The ability to get a consumer to check a box is pretty easy, it’s alarmingly easy,” she said. “You could have essentially…an app that’s merely just a conduit for data that’s really serving a third party’s business interests.”

Another proposed change that could leave private health information exposed is requiring covered entities to respond to oral requests for health information. Currently, patients have to make those requests to providers in writing and signed by the individual, said Peg Schmidt, chief privacy officer at Advocate Aurora Health, during the discussion.

“My concern about oral requests is the potential for them to lead to impermissible disclosures,” she said.

The Milwaukee and Downers Grove, Illinois-based health system uses signatures to verify that a patient is in fact making that request, even if it is being delivered by another person. Without that, it becomes harder for the provider to ensure that the request is legitimate, she said.

Further, there is a higher risk of the request being misunderstood or not recorded accurately.

“I see so many things that could go wrong,” Schmidt said.

It would be preferable to give covered entities the option of responding to oral requests, rather than requiring it, she said.

The Office for Civil Rights at the Department of Health and Human Services announced the proposed changes in December, which one healthcare lawyer described as the biggest modifications to HIPAA in the past seven years. The public comment period for the proposals ends May 6.

Photo: Dzmitry Skazau, Getty Images