By David Pittman | Politico.com | 6/12/14 5:00 AM EDT
Everyone from legal scholars to patient privacy advocates — and even the White House — are saying the country’s landmark health privacy law is antiquated and needs to be updated.
But Congress doesn’t appear to be moving any legislation on the issue.
Backers of tougher health data privacy rules argue that much has changed in how people’s health information is collected and handled since the law governing patient records was passed in 1996. Protections added in 2009 don’t fully address the problem, they say.
The Health Insurance Portability and Accountability Act — commonly called HIPAA — largely applies to use of data by health care providers and insurance companies. But they are a smaller and smaller slice of who deals with patient information today.
For example, employee wellness programs, which are increasingly popular and hold potentially private information such as pregnancy status, don’t fall under the HIPAA umbrella. Hospital discharge data is sold by 33 states, according to the Federal Trade Commission, but only three do so in a HIPAA-compliant fashion.
“I think HIPAA does a really good job where it’s relevant,” said Kirk Nahra, a privacy and information security lawyer at Wiley Rein. “What’s happened in the last 15 years is that the space where it’s not relevant has been what’s growing.”
HIPAA governs the doctor-patient and doctor-payer relationships, but it didn’t envision the rest of the universe, and that’s where there is a need for new privacy protections, Nahra said.
Health and fitness apps — of which there are nearly 100,000 available today — are probably the biggest concern. They fall outside HIPAA and are free to collect and share information on their users.
The FTC mapped where data was being sent from 14 free health and fitness apps. One transmitted data to 18 different third parties with diet, workout, personal identifiers and other information. Fourteen third parties received consumers’ names and email addresses, and 22 received gender, location and symptom-search information.
The free use of consumer information by app makers is one reason privacy advocates are concerned that Apple is entering the game. The tech giant announced last week it would make its HealthKit part of its iOS 8 operating system, set to be released later this year.
The FTC sees all of this as a problem and is looking to Congress for help.
In a recent report on data brokers, the commission recommended Congress consider legislation to force tech companies to obtain express consent from consumers before information is collected or shared.
A White House report on big data and privacy last month noted that current policy “may not be well-suited” in the future. While health data exchanges will help realize technology’s potential, the information often is shared “in ways that might not accord with consumer expectations of the privacy of their medical data.”
“Health care leaders have voiced the need for a broader trust framework to grant all health information, regardless of its source, some level of privacy protection,” the report said.
Despite the pleas for new rules on use of consumer health information, Congress appears to be sitting on its hands. Little legislation exists, and the issue has yet to gain traction.
“The only thing that is likely to get congressional interest is for there to be a major data tragedy,” said Nicolas Terry, health law professor at Indiana University law school. “It’s very hard at the moment to see much consensus out there. Everyone says they believe in privacy. Privacy is very important. Privacy is a right. But actually moving the ball forward to protect consumers, given the massive weight of the information lobby, seems very hard.”
Congress has been working on data security and breach notification issues — especially in light of recent high-profile cases involving Target and others — with a decent chance of passing something by the end of the year.
Privacy is another issue. “There’s no consensus on broader privacy issues,” Nahra said.
Lawmakers on Capitol Hill have taken some steps to improve consumer privacy protections since HIPAA was passed. Seeing the dawn of the advent of electronic medical records, they included several provisions in the 2009 HITECH Act, including a ban on the sale of personal health information, breach notification requirements and penalties for privacy violators.
One possible source of inaction is the seemingly immovable lobbying force. Companies such as Microsoft, Google, Siemens, the Mayo Clinic, WebMD, IMS Health and IBM all spent money lobbying Congress last year on health privacy issues, according to disclosure forms.
Even Nike — maker of the popular fitness app Nike+ that’s implanted on all iPhones — disclosed lobbying on privacy issues in 2013.
Terry said consumers could incite change if they demanded it. Automobile makers lobbied hard against safety regulations in the 1960s and 1970s, but car safety is ubiquitous today because of pressure from car buyers, he said.
The FTC has the authority to halt companies’ deceptive practices if they fail to disclose certain data uses to consumers, notes Justin Brookman, director of consumer privacy at the Center for Democracy & Technology, which advocates stronger protections.
As long as the FTC and Congress remain inactive, and consumers remain passive, it’s up to Washington power brokers to point out HIPAA’s inadequacies.
“I do believe it’s time that we look beyond [HIPAA],” Karen DeSalvo, national coordinator for health IT, said at the recent Health Privacy Summit. “As this field rapidly evolves, we need to think about what additional protections might need to be in place.”
To view online: