The 2019 Health Data Privacy Regulatory Outlook
Attorney David Holtzman Highlights Three Issues to Track
What are the top regulatory trends to look for in the healthcare sector in 2019? Here are three key issues to watch.
The Impact of the California Consumer Privacy Act
The California Consumer Privacy Act is on track to have a significant impact on healthcare organizations and their business partners when it goes into effect in January 2020.
Although the California legislature quickly passed an amendment and technical correction that rolled back some of the act's provisions to exempt data that is regulated by the HIPAA privacy standards - sparing some healthcare organizations from the state law's requirements - the act will cover many businesses throughout the U.S. that collect the personal information of California residents through their physical or digital presence in the state.
The act gives consumers many new rights over their data and will pose real compliance challenges for companies that are covered by the law.
The California law was poorly drafted and hastily passed, with large parts containing undefined or contradictory terms. We will have to carefully monitor how the California legislature and attorney general resolve the law's conflicts and ambiguities. The business community is lobbying hard to weaken its provisions and narrow what types of businesses will be required to comply.
Action in Other States
While the United States lacks a comprehensive privacy and data security law akin to those of the European Union and elsewhere, states are filling in the gaps with laws that deal with breach notification, data security and data disposal. But most states are not taking a sectoral approach to the types of PII that must be protected.
A number of state attorneys general are bringing enforcement actions under HIPAA and state law requirements to protect consumer information from unauthorized disclosure.
A recent Pennsylvania Supreme Court ruling could alter the landscape even further.
In a sweeping decision involving a cybersecurity incident at UPMC, a major healthcare provider in the Pittsburgh area, the court found that employers have a legal duty founded in common law to use reasonable information security safeguards to prevent the theft of, or unauthorized access to, employee PII stored on their information systems. The ruling allows employees who allege they were harmed by the breach to move forward with a lawsuit seeking compensation for damages.
We'll be watching to see if state legislatures and attorneys general continue the trend toward taking action to protect health information that would not be protected by HIPAA and enforce these requirements for data held by any entity, anywhere.
We'll also be on the lookout for lawsuits seeking to apply the Pennsylvania Supreme Court's legal reasoning on the duty to safeguard PII.
Modifying the HIPAA Rules
The Department of Health and Human Services' Office for Civil Rights recently issued a request for information on "Modifying the HIPAA Rules to Improve Coordinated Care" that could be the opening salvo in a coordinated effort to make some changes to the HIPAA Privacy Rule.
OCR Director Roger Severino has said on many occasions that the department is looking for ways to loosen the HIPAA Privacy Rule's protections regarding when healthcare providers can disclose PHI without the authorization of the patient.
Severino and other HHS officials, including Seema Verma, administrator of the Centers for Medicare and Medicaid Services, and Don Rucker, who heads the Office of the National Coordinator for Health IT, have strongly implied that current HIPAA Privacy Rule standards limiting the breadth of disclosures allowed without patient authorization are impediments to promoting the Trump administration's vision of "transformation to value-based healthcare."
My sense is that HHS is responding to a significant push from the healthcare and tech industries to lighten up on one of the few areas in which consumers have a federally protected right to privacy and control over their personal information.
We'll see if this leads to concrete proposals that could modify the definitions of the types of PHI that can be disclosed without patient authorization to organizations that are not covered by the HIPAA rules. Another possibility is that HHS will seek to roll back or remove the standard that limits disclosures to the minimum amount of PHI necessary, allowing broader sharing under the guise of population-based case management or care coordination.
A Cultural Shift?
I enter 2019 with growing unease that we are witnessing a cultural shift in how the federal government looks at the comprehensive floor of privacy rights the HIPAA Privacy Rule guarantees when patients share intimate personal information with their healthcare providers.
Under the guise of removing regulatory obstacles and decreasing burdens, weakening current HIPAA protections could have significant unintended consequences that would threaten the foundation of trust between patient and healthcare provider.
While I am pleased to see increased efforts by the states to fill in the gaps and protect the confidentiality of personal information, their patchwork approach cannot replace a national standard.