Editors’ Note: This is the fourth in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Our previous entry discussed the CCPA, energy, and Brexit. Up next: trends in state enforcement.
2020 is likely to be an interesting year for health data privacy legislation, both in the United States and internationally. Discussed below are three potential sources of new legislation, new regulation, or new guidance on existing legislation that will shape health data privacy in the coming year.
Changes to HIPAA?
In early 2019, the Office for Civil Rights within the Department of Health and Human Services issued a widely-publicized Request for Information intended to streamline the HIPAA regulations “that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities […] without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information.”
The RFI is centered around four broad headers. First, OCR asks a series of related questions about the problems that HIPAA may pose for transferring health information between multiple providers and, in some cases, “non-provider entities.” OCR poses the example of non-provider third parties involved with “the coordination or management of treatment,” such as “social service agencies [and] community-based support agencies,” and hypothesizes that HIPAA may serve as a barrier to treatment for management of individuals “experiencing homelessness or suffering from chronic conditions, including serious mental illness.” OCR thus asks whether HIPAA’s rules regarding disclosures of PHI could be safely loosened to permit better and faster coordination of care for such individuals.
Second, OCR homes in on “parental and caregiver involvement and addressing the opioid crisis and serious mental illness.” OCR asks a series of questions that suggest the issue is a priority for OCR, but do not hint at specific changes. For example, OCR simply asks, “What changes can be made to the Privacy Rule to help address the opioid epidemic?” That is not necessarily surprising – after all, the point of a Request for Information is to request ideas – but it offers little hint as to what changes OCR may be considering.
Third, OCR announces that it does not intend to create a right to an “access report” – that is, a report on who had accessed a patient’s health information held by a covered entity – as it had discussed potentially doing in several past requests for information. But OCR does pose a series of questions regarding whether covered entities should be required to give patients additional information as part of an “accounting of disclosures,” which is already required by HIPAA regulations.
Fourth, OCR asks for input on potential modifications to recordkeeping requirements for notices of privacy practices. OCR predicts – perhaps a bit optimistically – that dispensing with certain recordkeeping requirements may “free up time and resources to spend on treatment and care coordination,” and asks several questions related to the best way to inform patients of their HIPAA rights while minimizing paperwork and similar burdens.
Taken together, the RFI paints an unclear picture, with many evident priorities – including issues that are cross-cutting with larger Department of Health and Human Services priorities such as the opioid crisis – but little specificity as to what changes may occur. Still, OCR’s effort represents one of the broadest efforts in years to re-think and update HIPAA, and the RFI suggests we are likely to see significant changes in 2020.
Delineating the Scope of Health Information Protection under the CCPA
California’s new privacy law is not intended primarily to regulate health information, and contains several provisions that carve out significant segments of health information from CCPA regulation. But 2020 will be a year for lawyers and their clients to figure out exactly where those lines are drawn.
The CCPA does not apply to “protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules” of HIPAA. Similarly, it does not apply to “patient information” that is maintained by a “health care provider” or a HIPAA covered entity if that “patient information” is protected in the same way as protected health information under HIPAA.
What those exemptions mean from a practical perspective is not yet clear. “Protected health information” is defined by HIPAA, and the CCPA utilizes that definition, but the same cannot be said of the CCPA’s formulation of “patient information.” That distinction is important because the CCPA does not grant a blanket exemption to HIPAA covered entities and business associates, but rather a conditional exemption based on what information the covered entity or business associate is processing. It is not clear how far beyond “protected health information” the definition of “patient information” may extend with respect to, for example, marketing information or contact information. Particularly with the rapid increase in mobile apps that involve healthcare – and that, consequently, do things that most mobile apps do, such as collect device information, cookies, and so forth – it is possible that there are categories of information about patients or prospective patients that are not necessarily exempt as “patient information.”
Even where one could confidently identify what information is “patient information,” it is not a foregone conclusion that a covered entity or business associate would have in place the administrative and technical means to extend existing HIPAA protections to patient information also. Thus, even covered entities and business associates will likely need to make adjustments to avail themselves of the exemption.
What Will the EU Make of the Council of Europe’s Guidance?
In March 2019, the Council of Europe issued a recommendation to EU member states urging them to focus on the protection and lawful processing of health-related data. Health information is, of course, already a focus of the General Data Protection Regulation (“GDPR”) that became effective in May 2018. For example, the GDPR defines health information as a sensitive category of information that is subject to heightened requirements for protection and auditing. But the recommendation is distinct in a few key respects:
- Under the EU’s constitutional structure, the recommendation is a suggestion to member states to enact state-level legislation addressing a particular problem, as opposed to the GDPR, which is a binding rule on all actors within the EU.
- The recommendation goes further in calling for specific protections for genetic data. The recommendation is particularly skeptical of the use of genetic data in “a judicial procedure or investigation,” as well as the use of genetic data in employment or insurance-related decisions.
- The recommendation is considerably more specific about the conditions under which health data may be processed for research purposes. It reiterates many of the GDPR’s key principles – such as the preference for anonymization and pseudonymization – in this regard, but also calls for further disclosure and consent requirements in the health research context.
- The recommendation sets forth “rights of the data subject” for health data that are something of a combination of the general rights – the right to an accounting, right to rectification, etc. – that all data subjects possess under the GDPR, rights that individuals would have in the United States under HIPAA, and some new rights as well. For example, the recommendation argues that data subjects should have a right “not to be informed of a diagnosis or prognosis” upon request, except in cases of serious and immediate danger. While something of a novel concept, this concept does make some sense in the face of the proliferation of genetic and other testing intended to inform consumers of a future likelihood of developing a condition, as opposed to diagnosis of an extant condition.
Exactly what the EU member states will make of the recommendation is not entirely clear, but it is clear that changes to many member-state level health information and privacy laws are likely in 2020.