Patient privacy in a post-pandemic world
By Pamela J. Gallagher
The Health Insurance Portability and Accountability Act, more commonly referred to as HIPAA, has been in effect for nearly two decades. In that time, no crisis has challenged the fabric of those regulations like the COVID-19 pandemic.
HIPAA exists to “provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers.” It holds these providers and health plans accountable to meet these standards through fines and consequences that can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.
The recent relaxations of such a tight framework of regulations are unprecedented. While the COVID-19 pandemic does not rule HIPAA void, the federal government has provided revised guidelines that allow for some information to be shared by hospitals in order to stop the spread of the disease. While the Department of Health and Human Services has repeated with each announcement that the relaxation of the enforcement of HIPAA regulations will end once the current public health crisis does, I think the privacy and availability of data will change forever.
The cost of data.
As privacy laws evolve in the wake of COVID-19, increased access to certain types of patient data will drive down the cost of data in general. This could be great news for patients’ wallets, because with the decrease in the cost of collecting and sharing data may come a decrease in the cost of receiving care.
EHR costs are in the billions of dollars. Privacy regulations make it difficult to acquire patient data, which drives up the cost of EHRs. But with the advent of Google and Apple’s health data focus, more affordable options to access important patient data are entering the mainstream. According to CB Insights, Google Health Vice President David Feinberg, MD, "is focusing his efforts on Google's core expertise in search, looking to make it easier for doctors to search medical records and improve the quality of health-related search results for consumers across Google and YouTube." I am hopeful that a more permanent relaxing of HIPAA regulations will pave the way for new players in the health technology and data arena, and that that will open doors for patients to access care at a lower cost.
Avenues for treatment.
If you have had an appointment with your healthcare provider over the past several months, it is likely that appointment occurred over a telehealth platform. HIPAA regulations have made it difficult for telehealth technologies to find a foothold in the market and be embraced by patients.
In March 2020, the Office for Civil Right (OCR) within the U.S. Department of Health and Human Services announced that they would not penalize doctors and other health care providers that utilize “non-public facing” video communication for the good faith provision of any telehealth services during the COVID-19 public health emergency. The OCR also relaxed enforcement on the use of “commonly used social media apps” as an avenue to treat patients.
Many platforms that were not previously HIPAA-compliant have been used to provide care for patients during the pandemic. This has required some patient info to be released that previously would have been kept private under HIPAA regulations. That is what has made telehealth possible at this scale during the COVID crisis. While the OCR has made clear that they intend to repeal these changes once the crisis is over, I believe that months of using telehealth options will create a patient demand for the continued use of these technologies that will lead to permanent changes to the regulations that have historically created roadblocks to the use of telehealth as a treatment option.
Public interest vs. personal privacy.
The pandemic has put a spotlight on the tension that has been part of HIPAA since its inception—the right to personal privacy versus what is in the best interest of public health.
COVID has gotten around many of those privacy concerns, not just in hospitals and public health organizations, but in the public mindset. In May 2020, Google and Apple introduced technology that can measure contact tracing with Bluetooth technology in smartphones, according to an article in Becker’s Hospital Review. While Google and Apple maintain that the app won't be able to use GPS data to identify user location, the COVID crisis has introduced technologies that I believe would likely have been seen by the public as a violation of privacy in a pre-pandemic world.
Additionally, the hundreds of thousands of individuals in the U.S. who have been tested for COVID have submitted spit tests and swabs, with little clarity on what will be done with that genetic information. People have had to ask themselves: if I have COVID, does the greater good outweigh my desire for privacy?
Now that patients have had to actively consider their right to privacy alongside the best interest of the public, I think patients will desire a more active role in discerning what information is shared and with what parties. During the pandemic, patients’ COVID-specific data has been shared more widely in the name of public health. I could envision patients in the future desiring to release their “diabetes-specific” health information, for example, in an effort to further research and resources for those with the disease. I believe with the right incentive, even if that incentive is the public good, that patients will be more willing to release info.
Even so, the public still places a high value on personal privacy, and HIPAA will continue to have an important role in protecting it. HIPAA regulations have been temporarily relaxed during the COVID crisis in the name of preserving public health, and to ensure patients can still receive quality care during the pandemic. However, I believe the decreased costs of data resulting in lower cost of care, combined with patient demand for telehealth options and a greater sensitivity in the public conscience to using data for the public good, will create permanent changes to HIPAA regulations in our post-pandemic world.
Resources:
Big Tech In Healthcare: How Tech Giants Are Targeting The $3T Industry, CB Insights
HIPAA Fines Listed by Year, Compliancy Group
Medical Definition of HIPAA, William C. Shiel Jr., MD
Relaxation of HIPAA Restrictions in the COVID-19 Era, Paul Hastings
Relaxing Of HIPAA Laws During COVID-19 Pandemic, National Law Review
Wellness Programs Raise Privacy Concerns over Health Data, SHRM
Where Google could go next in healthcare, Becker’s Hospital Review