This is a big week for those who care (or should care!) about health data tech regulation. The day before the biggest health IT conference of the year, HIMSS, the U.S. Department for Health and Human Services (HHS) dropped two highly anticipated draft rules—one outlining the seven exceptions to information blocking (i.e. when does not sharing data not count as information blocking) and the other requiring health plans to release Medicare and Medicaid claims data through openly published Health Level Seven (HL7®) Fast Healthcare Interoperability Resources (FHIR®)–based Application Programing Interfaces (APIs). These draft rules along with anticipated changes to HIPAA suggested in the 2018 HIPAA Request for Information (RFI) signal a landmark period of immense change to the domestic regulatory landscape regarding collecting, using, and exchanging health data. Without a strong working knowledge of new health data privacy laws being released here and abroad in 2019, your business could be jeopardized by missteps on the regulatory landscape. For the first blog of this series, we will set the stage with some important facts you need to know about the 2018 HIPAA RFI and the European Union’s (EU) General Data Protection Regulations (GDPR)—arguably the first chapters of this new data-sharing story.
Three Facts About the Current HIPAA Regulations
Most people don’t realize that the “P” in HIPAA stands for portability. HIPAA was intended to help data liquidity, not hamper it. But the rules are often misinterpreted, and in some cases, ignored. Here are a few things that should be on your radar:
1. If you’re selling your application to a patient via a healthcare organization or healthcare provider, you are considered a business associate and are subject to HIPAA regulations. The HHS Office of Civil Right (OCR) has some great guidance on figuring this out. That means you have to safeguard the health data coming through your technology according to HIPAA privacy and security rules.
2. Business associates and covered entities are equally liable for a data breach. Protecting patient data must be paramount to any organization who is handling personal health information (PHI).
3. If you fall under the business associate category, resale of health data for revenue generation is illegal without explicit authorization from the patient (and allowance in your contract with the covered entity to resell data). If you’re not in the business associate category, for example, you are providing a freestanding app directly to patients, you should still consider transparency and patient data privacy as fundamental guiding principles to establish trust with your clients to ensure the longevity of your applications I’ll talk about this more as we discuss what’s happening in the EU.
Changes to Anticipate in HIPAA
HHS is focused on making it easier for individuals to get access to their data. The OCR RFI has a strong focus on shortening the time period it takes to make that happen (e.g. less than the current thirty day allowance). Though some may argue with HHS on the level of patient data that’s easily available in a certified EHR via a C-CDA or FHIR API, folks can expect HHS to continue to push for quicker access to larger amounts of data for patients.
In addition, OCR is revisiting accounting for disclosure requirements and trying to determine whether more can be done to provide transparency to patients regarding who their data is being shared with for treatment, payment, and operations. OCR seems to be signaling that transparency into what is shared and with whom will be pivotal for building and maintaining patient trust as larger amounts of patient data are shared across a growing number of entities.
Why You Should Care About the EU’s GDPR
The GDPR was passed by the EU to bring data privacy rules into the twenty-first century. Unlike HIPAA, the GDPR covers all data about an individual, not just their health data, though health data is specifically highlighted. In addition, unlike HIPAA, the GDPR specifically states that an individual’s data is owned by that individual. The GDPR gives individuals the “right to be forgotten,” meaning they can ask companies who hold their data to delete it and, in essence, forget the individual. Here are a few reasons why the GDPR is something to be watched and understood by the U.S. tech industry:
1. The success of the GDPR in the EU has been noticed by U.S. lawmakers. Already in the current congress, at least two privacy framework bills have been floated around. Although it may still take a few more years to see similar U.S. laws passed at the federal level, California has passed a law similar to GDPR for their state and New Hampshire has had a longstanding law that explicitly gives patients ownership of their data. So, if you are selling to the California, New Hampshire, or EU markets, you have more than HIPAA regulations to consider.
2. It’s always difficult to balance data sharing with privacy. Developing revenue-generating health tech that enhances data liquidity while giving the individual choices on how and where their data moves is the holy grail. Two ways to weave this into the fabric of your company’s data principles are:
a. Be transparent and consistent in your data use policies. Building trust with your customers is key to long term success. In addition, remember that national and state data-sharing policies are moving in the direction of stricter controls on how you can use data not loser ones. Being ahead of this curve can help establish your leadership and dominance in an ever-growing consumer-driven health ecosystem.
b. Consider building paid options within your business model that allows individuals to pay to use your services with dollars instead of their data. Though some individuals may be more open to allowing the sale of certain types of their data for access to free or discounted technology, many people are more protective about their health data and may prefer to pay for your services in exchange for their data privacy.
Addition note – Though not specifically linked to GDPR, this week Germany’s Federal Cartel Office ruled that Facebook’s practices of mashing user data with other data sources and using it to customize and sell ads is an unfair practice that the social media giant must discontinue. They noted that most individuals did not understand how their data was being used by Facebook and that forcing users to agree to these practices in order to use the platform was exploitation. While Facebook will most certainly appeal this decision, it signals a growing trend towards more data protections, not less.
Moving Forward
The OCR HIPAA RFI is just one lever regulators are using to push the industry towards sharing larger amounts of health data electronically. The OCR HIPAA RFI, the HHS Office of the National Coordinator for Health IT’s (ONC) 21st Century Act proposed rule on Information Blocking, and the Centers for Medicare and Medicaid Service’s (CMS) Interoperability proposed rule are all interrelated, and any company that is focused on sharing or using health data must pay close attention to each of these rules or risk running up against various scalability issues including possible government fines. Our next blog will focus on ONC’s Information Blocking proposed rule, so stay tuned.
