Privacy in Healthcare: A State of Confusion
By Matt Fisher, Esq
With the start of a new year, it seems like a good time to take stock of privacy of healthcare information, which is currently a very hot topic. As was discussed in great detail, 2015 saw a continuing explosion of breaches concerning healthcare information, which put both privacy and security in the limelight. While security is easy to put front and center, discussions of privacy are more nuanced, and it is not as easy to quantify the problem or define a solution.
A recent series of articles by Charles Ornstein for ProPublica explored in detail many of the privacy deficiencies that currently exist in healthcare. Mr. Ornstein rightly focuses upon the Health Insurance Portability and Accountability Act (HIPAA) as both an aid and a hindrance in the privacy realm. As will be summarized, HIPAA provides a privacy framework for healthcare information, but does not necessarily go far enough or include an enforcement mechanism for individuals.
HIPAA, which has become the Miranda of healthcare, establishes a framework for the use and disclosure of “protected health information” or “PHI.” PHI generally relates to the past, present or future healthcare condition, services or payment for an individual. At first blush, PHI would seem to sweep in all healthcare information about an individual, but HIPAA is all about context. HIPAA does not apply in every circumstance and sometimes information that looks like, sounds like and arguably should be PHI is not because it was created or handled in the “wrong” context. Once HIPAA applies, two key components are the privacy rule and the security rule. The security rule, without doing it full justice, relates to how PHI is secured on an administrative, physical and technical level.
The privacy rule governs how PHI may be used and disclosed. Without a full appreciation for what HIPAA does, an individual may assume that because HIPAA addresses privacy, PHI will be kept private. However, the privacy rule does not prohibit the use and disclosure of PHI; it just sets forth the terms and conditions by which PHI may be used. For example, covered entities (health plans, health care providers, and health care clearinghouses) can almost freely use and disclose PHI for payment, treatment and healthcare operations purposes. Then there is a list of twelve categories of uses and disclosures, which include many subclauses, that may occur without providing an individual the opportunity to agree or object. As such, the HIPAA privacy rule, within its own terms, does not guarantee or even attempt to promise absolute privacy of PHI. Instead, the rule itself contemplates many uses and disclosures of PHI that will occur behind the curtain or otherwise without the immediate and full knowledge of the impacted individual.
From the operational viewpoint of the healthcare industry, the ability to use and disclose PHI as currently permitted under HIPAA may be necessary. Further, in many instances it is unlikely that such uses and disclosures are contrary to popular expectations or causing harm to the individuals about whom the PHI relates. However, it is not the ordinary course uses and disclosures that generate headlines or cause debate. Instead, it is the uses and disclosures that occur in violation of HIPAA’s requirements that result in debate about HIPAA’s effectiveness.
With so many touch-points, it is unsurprising that issues may arise relating to privacy. Just because issues occur, and no one, whether an organization or an individual, is perfect, does not mean that violations are acceptable. If a violation were appropriately (if that can be defined) punished and those violating privacy held accountable, concerns could be alleviated to a degree. A major issue though is that violations are not dealt with in a manner viewed as commensurate with the harm of violating an individual’s trust and expectation of privacy. Violations, both big and small, seem to happen on an almost daily basis. This level of frequency could reasonably lead some to believe that privacy issues would be reviewed and addressed, but that is not really the case.
As reported by Mr. Ornstein and others, privacy violations occur, many of them so-called small breaches, that do not readily appear to result in any response. Instead, a report may be made to the government, usually the Office for Civil Rights (OCR) at the federal Department of Health and Human Services or a state attorney general, and then nothing happens. Since HIPAA can only be enforced by the federal or state government, it is up to one of these public institutions to do something. Unfortunately, the desired response may not be forthcoming. Additionally, HIPAA does not include a private right of action. As such, an individual cannot sue or bring any form of court action against an organization or individual that breaches their privacy in violation of HIPAA.
With this state of affairs, where is privacy in healthcare going? As discussed in another recent blog post, really about ownership but also applicable here, one question is what is actually meant by privacy and what real expectations can exist. To a large degree, an absolute right of privacy is not necessarily a concept that exists under American law. Carve-outs or exceptions from absolute privacy always seem to exist, usually for some public good. This is certainly the case under HIPAA, which, as explained above, includes a substantial number of uses and disclosures that can occur without an individual’s permission.
Another consideration is whether individuals should have an ability to enforce what protections are included in HIPAA. Currently, HIPAA does not allow private enforcement, though state law claims may be premised upon HIPAA or refer back to HIPAA to obtain a standard of care. These referrals back to HIPAA do not result in the same outcome as enforcement of HIPAA though. A private right of action is certainly attractive as it may provide a means of imposing consequences following a so-called minor breach. Yet, private enforcement is not a cure-all because not all breaches would necessarily result in a form of harm that could be remedied by court action. If the harm cannot be quantified down to a monetary damage, then a satisfactory outcome from the individual’s perspective may not be attainable in court. Additionally, a private right of action could also result in a flood of claims that overwhelm the healthcare industry and potentially force covered entities out of business. Such a result would clearly not be in the general interest.
If private enforcement is not the answer, more consistent and regular enforcement by the levels of government that can do something would, to some degree, be beneficial. Currently, few states actively bring HIPAA-based actions and the OCR does not have the resources to fully enforce or punish HIPAA violations. Despite the increasing number of settlements and penalties announced by OCR in the past few years, such settlements represent a very small fraction of the overall number of violations that are reported. A more transparent and consistent enforcement process arguably would produce consequences that can be tracked and understood.
It is easy to blame the government for not doing enough to enforce HIPAA and punish privacy violations. However, there is also a need for private employers to step up. Covered entities and business associates are obligated to comply with HIPAA and its regulatory requirements, but this is not necessarily happening if so many violations occur so frequently. From this perspective, covered entities and business associates should do more to ensure that their applicable workforces take HIPAA seriously and comply with the requirements of the privacy rule. Compliance requires an active role by the applicable entity, which may include monitoring and auditing activities to catch violations when they occur. Additionally, when an issue is found, appropriate punitive action needs to occur. While it may be difficult to publicly announce, even internally, the reason for a punitive measure, doing so could help deter future bad acts. For example, if a HIPAA violation, even an arguably small one, consistently results in termination of employment, this could be enough to change behavior.
From a different perspective, would a more comprehensive and all-encompassing privacy scheme help matters? For example, many other jurisdictions, such as the European Union, have broad privacy regulations and laws that apply to all personal information, not just health information. From this perspective, while health information may enjoy special protections within the broader privacy scheme, there is a broad privacy scheme that seeks to put more of an emphasis on privacy. The EU framework is to some degree a result of prior experiences in the member countries of the EU that experienced what could happen with unchecked use of personal data. However, there are still concerns about how information can be used even in this comprehensive scheme.
The discussion naturally leads to asking whether it is time to update HIPAA. The law was originally passed in 1996, with some modifications through the HITECH Act in 2009. The implementing regulations, even with the 2013 omnibus rule, are also dated. Technological and informational developments have easily surpassed the data scheme in existence when the law and regulations came into being. Crafting a more adaptive and malleable system could help alleviate concerns and recognize the myriad new ways in which privacy may be compromised. It is time for clearer expectations, which can help drive future efforts. It is unlikely that the majority are out there trying to find ways to expose sensitive information or otherwise breach privacy. Instead, many try to do the right thing, but it is hard to apply rules to systems that were not even contemplated when those rules were created. It is a case of trying to fit a square peg into a round hole.
There is no easy answer to solving the building privacy crisis as it relates to healthcare information. Everyone wants such information to remain private and everyone also wants to be able to trust those in the healthcare industry. Some steps may include:
- Modifying HIPAA by creating a system that reflects the current state of information and technology systems;
- Crafting a comprehensive personal data protection scheme that unifies a currently fractured set of rules and regulations; and
- More consistently penalizing privacy violations from both the government and private perspectives.
HIPAA is an easy target that does not always deserve the barbs that are thrown its way. On the whole, HIPAA does what it is supposed to do. It creates a scheme where health information can flow among participants in the healthcare industry and also go into the hands of the individuals to whom the data relates. Yes, deficiencies exist, but HIPAA has helped bring some measure of privacy and security standards to the industry. Nothing lasts forever though, and the time is ripe to implement updates before trust is completely destroyed and maintaining privacy comes to seem impossible. This leads to a broader question (beyond the bounds of this article) of whether it is possible to actually maintain the privacy of any data or information in this age of connectivity.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.