Opinion: It’s time for Congress to change health privacy rules
Carol Robinson is founder and CEO of CedarBridge Group. This article was co-authored with Frank Baitman, who has served as chief information officer of the Social Security Administration and the U.S. Department of Health and Human Services.
Congress must take quick action to strengthen health privacy laws, as the reversal of Roe v. Wade stands to turn electronic health record systems into tools for harassment and prosecution of women and their healthcare providers.
The same information technology systems supporting individualized cancer treatments and providing the evidence that identified a community poisoned by its water supply could be used to create a dystopia for women in over half the U.S. states where reproductive healthcare in the form of abortion is expected to be criminalized.
As health information exchange facilitates data movement between EHRs, advances in healthcare quality, safety, research and critical public health are being demonstrated daily. However, the imminent threat to women’s reproductive health privacy also threatens the progress made.
Both the threats and the progress need to be recognized and addressed with changes to the HIPAA Omnibus Privacy Rule.
How will evidence against women and healthcare providers be gathered for future civil and criminal cases? One way could be through re-identification of anonymized data, when a previously de-identified dataset is combined with additional data elements from public sources to provide enough information to positively identify individuals and the medical care they’ve received.
But such efforts wouldn’t be necessary, depending on a state’s prosecutorial stance; HIPAA allows law enforcement to access individuals’ medical records without a warrant and also allows healthcare organizations to monetize de-identified medical records for research and marketing purposes without the knowledge or consent of their patients.
In recent weeks, investigative journalists have reported that dozens of hospitals and nearly 300 crisis pregnancy centers have allegedly been sending Facebook ultra-sensitive information regarding medical conditions, appointments, prescriptions, allergic reactions, and, yes, requests for emergency contraception and abortion services.
Privacy experts suspect some hospitals are violating HIPAA regulations. “The fact that this (Meta Pixel) is out there in the wild on the websites of hospitals is evidence of how broken the rules are,” said Alan Butler, executive director of the Electronic Privacy Information Center. It shouldn’t be a surprise to anyone that public trust in data privacy is low.
For 49 years, reproductive privacy rights have been guaranteed, during which time the information age was born. With reproductive healthcare choices of American women now conferred to the political whims of state lawmakers, the door has been opened for medical data to be weaponized.
While necessary, the initial efforts by Congress to regulate websites, apps and mobile device activities are insufficient. Protections for women’s reproductive healthcare information should mirror Substance Abuse and Mental Health Services Administration, or SAMHSA, regulations for addiction-related treatment; more stringent requirements should be set for law enforcement to access medical records; and, guardrails should be added around using health data for various commercial endeavors without consent.
HIPAA’s definition of covered entities should be expanded to include organizations providing medical advice, even when they do not provide medical services. With trust in America’s health IT advancements in the balance, this is a fiduciary responsibility of Congress as well.
Healthcare organizations can immediately do a better job by embracing the principles of patient empowerment and autonomy. Asking and honoring patient choices about the use of their data builds trust. Whether their data is used to find a cure through clinical research or to seek a second opinion, individuals need to be in the driver’s seat – without fear that their health information could be used against them, or against their will.