What major challenges exist with accessing and using data during COVID-19?

COVID-19 has underscored some of the major challenges faced by stakeholders and health professionals looking to leverage personal health information to stop the spread of COVID-19. These challenges have been heightened by the need to integrate the social determinants of health data (SDOH) into patient EHRs. This section highlights some of those major challenges. 

Privacy and trust concerns are in conflict with the fluid exchange of information. Existing privacy rules – via HIPPA and other federal, state, and local laws and regulations may hinder data collection and sharing. Additionally, individuals may be hesitant to share personal data or data about their community, regardless of privacy rules because of a reticence to share sensitive health issues or not feeling comfortable with government monitoring key movements or actions. This may lead to existing processes resulting in incomplete data collection. For example, if data is collected only in clinical settings patients may be less willing to share information – particularly if they are dealing with new providers or those that they have not built trusting relationships with. Community groups may be more comfortable sharing data, but often lack the technological know-how or infrastructure to do so. 

Data on immediate social needs should be considered independently from broader, long-term SDOH indicators. Public health data collection during the COVID-19 pandemic is more dynamic than SDOH data collection, making it more complicated – and at the same time vital – to understand how the situation is evolving. Meanwhile, social needs are likely to evolve during a crisis in ways that may not be reflected in more static SDOH data. It is important for policymakers and practitioners to respond rapidly to immediate social needs. SDOH data can be used to gain a baseline understanding of social needs, while public health data collected during the pandemic can help understand how those needs may be changing. 

Data interoperability is limited by legacy system disparities across geographic levels. There are challenges associated with data interoperability, file formatting, and structure due to the variety of legacy systems at play across the federal, state, and local levels. For example, many states maintain different platforms to collect, clean, aggregate, and share key health data metrics during a disaster that are not standardized across systems. As a result, data must be reformatted once submitted to the federal government, which can be a cumbersome process requiring time and money. Outside of government, it is also difficult for community-based organizations and other entities to seamlessly share data, especially on the social determinants of health. 

Data flows and situational awareness. The Federal Government needs to improve its situational awareness through improved data systems that can aggregate systems for data applicability in local communities. Given the range of data systems that currently exist across the United States and the changing requirements of data reporting, many state governments do not successfully gather information from local clinics and public health authorities. This creates difficulties in maintaining robust surveillance systems across the United States and only highlights disparities between states with different COVID infection rates. 

How can we use data to help healthcare systems survive and recover from the pandemic?

The COVID-19 Pandemic has been a stress test that has stretched the boundaries of the U.S. Healthcare system and revealed large gaps in both data collection and healthcare delivery. This shock to the healthcare system sparked conversations about the value of healthcare resilience, from the Well Being Trust’s recently launched Thriving Together initiative, which acts as a springboard for healthcare equity and resilience, to renewed conversations in the private sector about planning, healthcare survival, and recovery.

What is health system resilience and how can we measure it?

COVID-19 is one of a number of external challenges such as antimicrobial resistance, financial burdens, extreme climate events, and larger disease outbreaks that have put pressure on the healthcare system. The term “health system resilience” has been used to understand the capacity in which health systems across the United States and in global settings respond to COVID-19 surges or effectively share information that would help combat the pandemic. For example, the United States Agency for International Development (USAID) aims to promote health resilience in international settings by distributing commodities to areas in need, redeploying key human and financial resources for vulnerable populations, and working across government sectors to engage community leaders and other key stakeholders.

The Office of the Assistant Secretary for Health (OASH) is currently gathering information to help understand how key stakeholders have defined resilience through “their use of data, analytic approaches, and proven indicators.” MIT professor David Simchi-Levi has noted that, like other industries, health system resilience may be reflected in two major metrics:

  • The Time to Survive: This metric seeks to better understand how long an enterprise can survive when there is a shortage of some critical good. How long can a clinic, hospital, or healthcare network survive without access to ICU beds, PPE, or ventilators when intaking patients? 
  • The Time to Recover: This metric seeks to understand how long it will take for a system to properly restore a shortage of some critical good.

Health system resilience indicates the ability of a health system to respond to extreme changes or shocks without the possibility of collapse or lack of function. An NIH paper points out that the overall definition of resilience is “the capacity of an individual, population or system to absorb a shock, while still retaining the fundamental functions or characteristics of the original state.” This definition, however, has been critiqued for not incorporating possible changes in capacity or the ability to adapt to a new state. Other definitions of resilience, especially for healthcare, have claimed that resilience should incorporate adaptive and transformative capabilities that adjust capacity to anticipate future shocks.

How can data be used to measure resilience?

The NIH have adopted key resilience metrics from the World Health Organization’s (WHO) framework that summarize the health system’s six major functions: leadership and governance, information, health workforce, financing, medical products, and service delivery. Practitioners have sometimes incorporated specific dimensions and metrics for these six attributes.

Information may be one of the most important attributes of healthcare resilience. A variety of studies that have sought to understand healthcare resilience have emphasized the need for timely surveillance data in order to enact relevant and effective mitigation measures and policies. Moreover, the WHO framework highlights service delivery as a critical factor that is dependent on the other five functions.

Researchers have been attempting to develop models for some time to understand how healthcare systems are able to respond to major crises. In the current COVID-19 pandemic, researchers and policymakers must consider a wide array of measures, from personnel and hospital staff levels to the volume of equipment a hospital may have to respond to the crisis.

Some researchers have sought to understand and use hospital capacity and demand to model resilience. For example, a model developed by researchers at Colorado State University aimed to predict resilience in the event of an earthquake. Their model incorporated a number of key factors such as the number of staffed beds, hospital staff availability, housing functionality, patient waiting time for treatment, and the probability of patient X going to healthcare facility Y. They also tried to factor in some of the environmental and physical conditions that could impact a healthcare system from electric power to the strength of their telecommunications system.  

In the private sector, Facebook AI has partnered with New York University’s Courant Institute of Mathematical Sciences to create localized forecasting models of the spread of COVID-19. The researchers used testing data published by the State of New Jersey and State of New York, and applied sophisticated analytic models to account for relationships among counties. To build hospital-level COVID-19 forecasts for medical resource allocation, Facebook is also collaborating with NYU Langone Health’s Predictive Analytics Unit and Department of Radiology to develop models that can learn from de-identified clinical data, and then share open-source predictive algorithms so that hospitals can train models on their own data. Facebook’s models are helpful since they make local predictions on a county and hospital level. The detailed AI algorithms have not yet been made public, as the research team continues evaluating other sources of data, such as Mobility Data Network Map from Facebook’s Data for Good team, to see whether they help improve the model’s performance.

While these and other models used to predict health system resilience are promising, they need to be fed with reliable data. Some data is in short supply currently, especially without widespread US testing for the novel coronavirus that causes COVID-19. For example, it is unknown how many people have been infected without symptoms. Other inputs, such as incubation periods and death rates, change by the day as we learn more about the virus. Human factors also make the modeling challenging. Individual behaviors, health care infrastructure and political response can all affect the outcome of an epidemic.

What SDOH factors can measure resilience?

Apart from the basic medical components of healthcare systems, SDOH factors like transportation, access to food, and economic stability all impact healthcare system resilience. Models of healthcare resilience show that SDOH factors are critical to understanding how healthcare systems can survive and recover from pandemics. Researchers have noted that planners should incorporate key socioeconomic data into disease surveillance systems to measure how certain communities will be affected both by COVID-19 and by potential future pandemics and disease outbreaks. Some key factors include the following:

Transportation and National Infrastructure. Transportation ensures that HHS and other federal actors can rapidly distribute PPEs, vaccines, and other equipment to hospitals and healthcare institutions around the country. Factoring in transportation systems also can pinpoint how different communities will respond to a shock like COVID-19, from urban transportation systems that might function as vectors of transmission to rural communities that may have little access to transportation in the event they need to visit a healthcare facility. 

Climate Data and the Built Environment. A recent report from the Natural Resources Defense Council noted that climate data and planning can support healthcare resilience planning in two respects. First, climate scientists have long attempted to model how a variety of institutions and supply chains would respond to a sudden climate event such as a natural disaster. These models may provide guidance to healthcare planners. Secondly, there is a growing connection between climate events and how they impact public health, from heat waves that could impact COVID-19 transmission to how air pollution has functioned as a potential comorbid factor for COVID-19. The CDC currently has a Climate-Ready States and Cities Initiative that provides “public health expertise to help state and city health departments prepare for and respond to the health effects that a changing climate may bring to their communities.”

Access to Food and Food Distribution. The food distribution system of the United States is an important part of the infrastructure needed to ensure the ongoing health of communities. During the pandemic, it is also essential to distribute food to communities that are impacted by virus mitigation measures.

What other kinds of specific data do we need to fight COVID-19?

Although the Kaiser Family Foundation outlines a number of key SDOH data sources, CODE also worked with stakeholders to identify a variety of other data sources are considered to be high-value for policymakers. 

Transportation and Infrastructure Data

Having data on access to transportation and mode of transportation is essential for mitigating the effects of COVID-19. Those who rely on public transportation and use it to commute to work face higher risks of exposure to the virus. Also, those who don’t have access to reliable transportation will have greater difficulty receiving proper healthcare for COVID-19 or other conditions during the pandemic. 

The distribution of a vaccine and other key materials is also vital during a pandemic. Transportation and infrastructure data enables planners and policymakers to effectively distribute the vaccine to those populations most in need. 

Sources:

Housing data (housing insecurity, homelessness, urban housing units) 

Racial and ethnic minorities are more likely to live in densely populated areas, and to experience homelessness. Data collection efforts for housing data should be significantly ramped up in order to mitigate disparities in the most severely affected neighborhoods, and better predict COVID-19 impact.

A June survey from Pew said that 3% of Americans have moved since the pandemic, and 6% have a new person/people in their house since the virus. Government data on household density and stability would be highly valuable. The private sector should also be explored for more granular housing and neighborhood data, including homelessness. 

Sources:

Employment/workforce 

The U.S. is facing record levels of unemployment, and unemployment is a major factor in how people are being affected by the pandemic.11 The economic stress of unemployment can increase an individual’s overall risk of illness, due to factors like the loss of one’s insurance through a previous employer, and inability to afford quality healthcare. Although basic employment status data is being collected, there needs to be a push for better collection of data on paid sick leave, employee insurance, and essential worker status.

Sources: 

Racial, ethnic, and language data

Data collection on language is sparse, but essential if the medical community wants to administer better care. Many Americans who don’t speak English as their first language can be deterred from seeking care and getting tested for COVID-19 when they face difficulties understanding English or lack information available in their own languages. Data on race and ethnicity is also not collected in a standard manner and is missing from many key datasets dealing with COVID-19. Data standards should be developed according to OMB guidelines for the collection of race and ethnicity data, and should be a mandatory field in COVID-19 case data. 

Sources: 

  • Race and ethnicity — U.S. Census Bureau
  • Language spoken at home — U.S. Census Bureau

Health Insurance status 

Most workers receive health insurance through their jobs, but due to increasing rates of unemployment, many people are losing their coverage. In addition, even those who have insurance may have difficulty meeting their deductibles, covering their copays, or accessing quality health care. Better data on individuals’ insurance status would support efforts to reduce healthcare disparities and improve access to high-quality healthcare. Greater measures should be taken to collect data on individuals’ insurance status in order to better mitigate disparities. 

Sources:

Internet access

Internet access affects whether individuals are able to access important information regarding COVID-19, including testing facility locations, proximity to health care, and any updates on the state of the pandemic, as well as their ability to utilize telemedicine. Vulnerable communities have lower rates of internet access, and in turn, are bearing more of the consequences of the pandemic. 

Sources: 

County and urban density and hospital bed occupancy

Government data on household density and stability, and urban density at a granular geographic level would be of extreme value. Hospital resource use including hospital and ICU bed capacity, and invasive ventilator availability is also vital information to have. This data can help predict hotspots for the pandemic. This data can help predict hotspots for the pandemic, and hospitals at risk of being over capacity.  Proximity and population density are key. Sources of this sort of data may include the U.S. Census and the U.S. Department of Housing and Urban Development.

Sources: 

Food insecurity data 

The number of people facing food insecurity in the U.S. is rising due to the pandemic, particularly in already vulnerable communities. Improving data collection efforts for food insecurity, SNAP/WIC enrollment, and food access is needed to combat this issue. 

The New York Times reported that nearly 1 in 8 households don’t have enough food to eat during the ongoing pandemic. Food insecurity data is an important piece of understanding this landscape and responding in kind. This data could be aggregated by regional food banks or other community organizations.

Sources: 

Air quality

Air pollution has been linked to more severe cases and higher mortality rates for COVID-19, making air quality a critical factor to analyze during the pandemic. Studies have concluded that increased long-term exposure to air pollution have resulted in larger increases in COVID death rates, and low income and minority communities are more likely to experience poor air quality. 

Sources:

  • Air quality —  U.S. Environmental Protection Agency, AirNow API

Up to date Medicaid claims data and health status

Medicaid claims data helps identify at-risk populations and understand what comorbidities might exist among poor and at-risk communities. Data on individuals’ health status is also critical to identifying and assessing at-risk populations. With this data, people like county health officials can identify their Medicaid populations with a snapshot of what procedures and conditions they have, and use this information to allocate greater resources, care, and recovery support efforts.

Sources:

COVID-19 tests, cases, and deaths 

Geographically granular testing and case data is essential in managing all aspects of this pandemic. For instance, this data serves as the foundation for most COVID-19 forecasting models, which predict future case surges and demand for emergency room services, hospital beds, ventilator equipment, and other forms of care. Without adequate testing data, forecasters are forced to rely on flawed data and their own assumptions. 

Sources: 

Access to care and testing facilities and basic health data (including deaths) from states and localities. 

Data on access to healthcare, COVID-19 testing facilities, and other basic health data is essential to determine the constraints, challenges, and needs of different communities during COVID-19. Standard data on access to healthcare is scarce, as the meaning of access has yet to be clearly defined. The same can be said for access to testing facilities, since very few entities are collecting this data.  The National Committee on Vital and Health Statistics (NCVHS) works with the states to collect this sort of data, but acquiring timely and accurate data has been a challenge. 

How does HIPAA currently govern telemedicine?

The U.S. Department of Health and Human Services defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration.” Telehealth technologies can include videoconferencing services such as Skype and Zoom, internet and chat-related applications, *store-and-forward imaging*, streaming media, and other communications. Telehealth is an increasingly important area for patients, especially in the wake of the COVID-19 pandemic. 

Telehealth is currently governed by the HIPAA Security rule, which states that only authorized users may have access to a patient’s ePHI through a system of secure communication. When medical information created by a medical professional or a specific organization is stored by a third party, that third party must have a *Business Associate Agreement* (BAA) with that organization. *Business associates* that are specifically responsible for storing *ePHI* must comply with HIPAA standards that allow for external auditing and secure communications. For example, if a patient were to communicate with a healthcare provider through a Skype Call, barring a formal agreement with Skype, that information falls outside of the purview of HIPAA. In the case that any third party company, like Google or Skype, experiences a security breach, that company and the healthcare provider may be liable for the breach. 

Several companies, like Microsoft, have certified select portions of their business, like Skype for Business, as proper telehealth vendors. Moreover, many healthcare providers have incorporated virtual messaging applications into their workflows and into AI chatbots that can quickly communicate with patients. 

What changes have been implemented to HIPAA’s oversight of telehealth in light of COVID-19?

The Coronavirus Preparedness and Response Supplemental Appropriations Act (CARES) has allowed the Centers for Medicare and Medicaid Services (CMS) to change their interim rules to ensure that members can receive the services they need. The “Telehealth Services During Certain Emergency Periods Act of 2020” grants the HHS Secretary authority to waive or modify certain provisions of telehealth requirements during the COVID-19 pandemic. 

To help guide the implementation of specific actions, the HHS Office of Civil Rights (OCR) recently issued a set of frequently asked questions that seek to address the major changes in Telehealth during this period. As the HIPAA-enforcement arm of the HHS, OCR announced that it will exercise “enforcement discretion” and would not impose penalties for noncompliance with regulatory requirements during the “good faith provision of telehealth” services during the COVID-19 national public health emergency. 

As a result, HHS is allowing health providers and their associated BAAs to use HIPAA-compliant platforms such as Zoom, Skype for Business, Google G Suite, Cisco Webex, and GoToMeeting. All communications platforms must be non-public facing which means that they employ end-to-end encryption that allows the individual and the party with whom the individual is communicating to see that communication. As a result, public-facing communications platforms like Tik Tok, Facebook, and Twitch are not acceptable websites for communication. The FAQ sheet points out that if PHI is intercepted during transmission of a telehealth appointment, the OCR will not impose a penalty on the provider as it normally does through the HIPAA Security Rule. 

How has Medicare adjusted its telehealth policy?

Prior to COVID-19, there were five key components that governed telehealth visits under Medicare. Those included geographic restraint, location of a specific site, eligible providers, the modality of the visit, and a restricted list of eligible services. Based on COVID-19, Medicare has relaxed those policies substantially with the following updates:

  • All locations allowed: CMS has waived the rural geographic restraint, which originally restricted most telehealth visits to patients located in rural areas. With Stay at Home orders across the United States, Medicare is now allowing patients from a variety of geographic contexts to use telehealth services. 
  • More Site Locations Permitted: Medicare has expanded the available range of sites that patients and providers can be located in during telehealth appointments.
  • Expanded Eligible Providers: CMS has waived restrictions for federally qualified health centers (FQHCs) and rural health clinics (RHCs) which can now serve as fully qualified telehealth providers. 
  • Modalities Are the Same: CMS has maintained that modalities of audio-visual capabilities as dictated by the CMS Interim Final Rule for COVID-19 planning.
  • Expanded List of Services: CMS has increased the volume of services that it now permits and allows for additional services ranging from virtual home visits to emergency consultations under the new final rule. 

CMS has also expanded the range of telehealth services provided during the pandemic through the 1135 waiver and currently offers three types of services:

  • Medicare Telehealth Visits: Medicare patients may use telecommunication technology for office, hospital visits and other services that generally occur in-person.
  • Virtual Check-ins: Medicare patients may have the opportunity to check-in with their provider through a standard communication service or by sending images or videos to a provider. These forms of communication are typically initiated by the patient and are paid for by Medicare so patients can avoid the doctor’s office except for necessary visits.
  • E-Visits: These are established non-face to face communications with doctors through an online patient portal.

Specific Use Case: The AMA Guide to Telemedicine in Practice

This helpful resource from the American Medical Association provides a range of tools and resources for helping practices arrange their telemedicine protocols with patients. “The AMA Digital Health Implementation Playbook series offers comprehensive step-by-step guides to implementing digital health solutions, specifically telemedicine, in practice based on insights from across the medical community. Each Playbook offers key steps, best practices and resources to support an efficient and clear path to implementation and scale.” These playbooks include the Implementation of Telehealth toolkit, Telehealth Workflow Best Practices, examples of workflows, and other key materials. 

For Health Providers, the AMA recommends the following steps:

  • Scope Out Your Telehealth Practice: Create a team that can help guide you through the telehealth practice and ensure that you’re meeting HIPAA guidelines.
  • Evaluate Possible Vendors and Contracts: After confirming that you can streamline telehealth practice through your EHR vendor, ensure that your practice comprehends the parameters of HIPAA compliance and data ownership. 
  • Build Your Workflow: Create a space in your practice for telehealth and train providers and physicians on how to best implement these practices. 
  • Inform Patients: Let patients know that your practice is now accommodating telehealth visits and explain the consent procedures to patients. This will ensure they’re aware of how these visits work and how their health data is protected.

Policymakers should consult the AMA’s latest updates on telehealth policies and procedures, especially for Medicare providers. 

Key resources to use for telehealth research:

https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/

https://itsecurity.org/telehealth-and-coronavirus-privacy-security-concerns/

How does HIPAA cover patient data?

HIPAA is the primary governance framework for managing health data privacy in the United States and continues to be the legal standard for safeguarding sharing and use of sensitive patient data. This section describes some of the basics of HIPAA.

  • Covered Entities include qualified healthcare providers, healthcare clearinghouses, and health plans. Covered entities may include employer sponsored health plans, health maintenance organizations (HMOs), or government sponsored health plans like Medicare and Medicaid.
  • Business associates include persons or businesses that perform certain functions on behalf of a covered entity, or provide services to a covered entity that involves the use or disclosure of a patient’s PHI. Business associates may include third party claims processors, attorneys for a healthcare provider, or consultants.

While HIPAA and a patchwork of other laws seek to safeguard the privacy of personal health information, they only protect data collected by healthcare providers, healthcare plans, and healthcare clearinghouses. As a result they are not well designed to handle the many other kinds of health data produced and collected today including data collected by fitness trackers, genetic analyses, or other commercial processes and devices.

Depending on the entity, HIPAA may not cover:

  • Genomic Data: The rapid rise of genomic data in personalized healthcare decision-making has been enabled by companies like 23andme, Ancestry.com, and MyHeritage. More widespread clinical genomics testing has also increased the availability of genetic data and the NIH now allows for researchers to share de-identified clinical genomic data through secure databases and carefully regulates that data. However, privately held genetic data remains an issue. The largest four genomics companies alone had received DNA samples from more than 26 million consumers as of January 2019. Much of this data falls outside of the purview of HIPAA and is not regulated by research-driven data use arrangements that place limits on how clinical data is used and disclosed. The NIH has advanced several new measures to protect the privacy of patients in research instances, such as Certificates of Confidentiality. Despite that, there are specific risks with disclosure and confusion over the value of genomic data use and value.
  • Consumer-Generated Data: Consumer-generated data is health-related data collected from products and devices used by consumers, including data from the Internet of Things, and social media data. Consumer-generated data may fall outside of the purview of HIPAA if it is collected by technology companies that are not covered entities, are not “business associates” of covered entities, and are not subject to clear guidelines from the FTC. Consumer-Generated data often lacks data minimization, may include location data, and may be managed by technology companies that are not HIPAA-certified.
  • Social Determinants of Health Data: The social determinants of health (SDOH), including income, education, and housing, are a promising area of population data attracting increased interest from researchers, providers, and patients. For example, some research suggests that a person’s ZIP code is actually more predictive of adverse health outcomes than that person’s genetic code. Despite their value, the social determinants of health represent data points that are indirectly related to a person’s health and therefore fall outside of HIPAA. For example, while a person’s access to credit may be a major indicator of their ability to receive healthcare, this piece of information does not contain PII as defined by HIPAA. SDOH data may be used to redline or profile communities that are high risk.

See the “Data in Need of Special Protection” section of this website for more information about the specific risks posed by specific types of data. 

On January 31, 2020, HHS Secretary Alex Azar declared a public health emergency under Section 319 of the Public Health Service Act which granted him permissions to adjust select HIPAA requirements. Although HIPAA’s Privacy Rule cannot be suspended during this public health emergency, certain provisions within HIPAA may be temporarily waived. This is part of the Project Bioshield Act of 2004, which establishes HHS authority during public health threats, and section 1135(b)(7) of the Social Security Act, which allows for provisions, like program preapproval or participation requirements, to be waived. In a March 2020 memo, HHS Secretary Azar waived the following provisions:

  • Families Can Now Make Decisions About Loved Ones. HHS has granted a patient’s family members the option of reviewing that patient’s PHI or other relevant healthcare information from a physician or caregiver directly without that patient’s explicit consent.
  • Hospital Patient Directories.In order to improve data sharing and information about patients who may have COVID-19, patients may no longer exclude themselves from hospital directories. This ensures that all hospitals are reporting up to date directories of patient data to the authorities.
  • Suspending the Right to Notice of Privacy Practices. HHS has temporarily suspended  individual’s Right to Notice of Privacy Practices that requires patients to receive “adequate notice of the uses and disclosures of protected health information that may be made by the covered entity” according to HIPAA’s 45 CFR 164.520. Covered entities no longer have the legal obligation to inform the patient of these practices.
  • Patient Right to Request Privacy Restrictions. Provisions exist that allow patients to restrict the “uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations”, among other restrictions. This waiver enables covered entities to use patient data for purposes granted in HIPAA.
  • Patient Right to Request Confidential Communications. Under HIPAA, patients are able to make requests to receive communications of their PHI in alternative locations or through alternative means. This waiver restricts that option so patients may not make special requests of their PHI.

HIPAA outlines strategies to manage de-identification of sensitive PHI and sets technical requirements for covered entities that manage PHI. To ensure proper de-identification of data, HIPAA mandates that all entities that share PHI either utilize “Safe Harbor” guidelines or follow “expert determination” to remove Personally Identifiable Information (PII) from a patient’s PHI. HIPAA’s Safe Harbor outlines a comprehensive list of variables that must be removed from a person’s PHI including address, medical record numbers, email addresses, and other PII. Expert determination involves convening a panel of experts with statistical and scientific knowledge to evaluate the risks of re-identification from a person’s PHI. Moreover, HIPAA’s technical requirements ensure that covered entities institute protective measures and safeguards for their data management systems to prevent security breaches and other possible threats.

What can be improved?

  • High Costs and Challenges with HITECH Compliance. The Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009, enforces the HIPAA Privacy Rule by mandating compliance audits of covered healthcare providers, clearinghouses, and plans. These audits evaluate a covered entity’s compliance with HIPAA, focusing on security risks, assets and devices, physical environment, and policies and practices that ensure patients can access their own data safely. These organizational-focused policies can cost thousands of dollars to implement and create barriers to entry for small companies working to manage sensitive PHI.
  • Lack of Oversight for Non-Covered Entities. The lack of oversight for non-HIPAA entities leaves many organizations and companies that manage and use health data outside of the rules for de-identification and technical protections. For example, many workplace wellness programs (on-site employee focused fitness and nutrition programs) offered outside of health plans may not fall into the covered entities category for HIPAA. For more information on how HIPAA governs workplace wellness programs, visit the HIPAA website.

HIPAA’s Right of Access ensures that patients may access their PHI from covered entities at any time. The Right of Access specifically states that a patient has the right to inspect or obtain a copy of their PHI in a designated record set. A designated record set is a group of health records that includes the medical and billing records about a patient, the enrollment, payment, claims adjudication, case or medical management record systems maintained by or for a health plan, and a set of records used to make decisions about a patient. The Right of Access is critical to patient advocacy groups and healthcare companies that rely on the right of access to ensure effective treatment plans for patients and members of healthcare plans.

What can be improved?

  • Patients Can’t Always Access Their Data from Covered Entities. Although the Right of Access provides legal access to a patient’s PHI, this rule is not always followed by covered entities. A 2018 assessment of US Hospital compliance with regulations for patients’ access to their PHI found that nearly half of the 83 hospitals in the study did not comply with the patient’s request to obtain their medical records.
  • Patients lack access to data created through their smartphone and other devices. Health data is increasingly generated from an individual’s smartphone, wearable, or voice assistant. These devices are manufactured by companies that do not fall under FDA or HIPAA guidelines. Patients may face difficulties in accessing this data since company privacy policies do not need to comply with HIPAA’s Right of Access.
  • Researchers and patients alike face challenges with merging data. As the volume and variety of health data increases, consumers, companies, and providers are increasingly seeking to merge and aggregate data from different sources. This data may come from HIPAA-covered entities in the form of EHRs or claims data as well as from entities that are not covered by HIPAA in the form of social determinants or genomics data from home kits. The Security Rule dictates that data outside of HIPAA, such as housing or nutrition data, becomes subject to HIPAA rules when a HIPAA covered entity obtains it. But this rule is often unclear to patients, especially when social determinant data is gathered at the population rather than clinical level. This same issue applies to researchers that gather data from companies like Facebook or Google.

Covered entities are allowed to release data for routine reasons like treatment, payment, and healthcare operations. Under the Right to an Accounting of Disclosures section of HIPAA, patients are entitled to request information about when and why their healthcare records were shared for permitted purposes. Patients have more control over how their data is used for marketing communications, research, and other purposes. In these cases, covered entities must  receive written consent from patients before sharing data. Additionally, HIPAA aims to ensure that research subjects must grant informed consent for use of their data and be aware of how their health data will be used. Programs like the HHS All of Us Research program and the Million Veteran Program of the Department of Veterans Affairs are precision medicine initiatives that rely strongly on a patient’s willingness to provide their data for research purposes.

What can be improved?

  • Patients are limited in what they can disclose. The HITECH requirement to include Treatment, Payment, and Healthcare Operations (TPO) in the Accounting of Disclosures section of HIPAA has not been implemented yet by the OCR. As a result, patients are not able to see when covered entities may have used sensitive patient PHI for one of these specific uses.
  • Current definitions of Research are unclear. HIPAA defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Federal regulation 45 CFR Part 46 provides the framework for informed consent as an ethical principle of human subjects research. However, research is being increasingly carried out in settings that generate data outside the rules required of HIPAA-covered entities. Pharmaceutical clinical trials data, for example, falls outside of HIPAA and may not be appropriately regulated.
  • Lack of consistent opt-in rules for patients. Varying types of sensitive health data, such as mental health or drug addiction information, has created a fragmented approach to what data is shareable and what data is protected. Moreover, patient opt-in and opt-out rules vary widely by state and across healthcare providers for health information exchange. For example, Florida, Nevada, California, New York, Vermont, Rhode Island, and Massachusetts maintain opt-in policies that require patient consent to share data with a qualified Health Information Exchange, but many other states have no such policies.
  • Patients can be confused by Terms of Service Agreements. Health-related data that is managed by an entity not covered by HIPAA is often subject to that company’s privacy policy and terms of service agreements. These agreements can be overly complex or obscure how the company plans to use a patient’s data. Many companies continue to use complex or misleading provisions in their End User License Agreements (EULAs) such as changing the terms of conditions without notification or failing to describe how their product will monitor individuals

As written and implemented, HIPAA aims to reduce discrimination where possible and minimize the amount of data collected by covered entities. This “Privacy by Design” approach encourages organizations to think about the possible adverse effects of using sensitive data during the initial design phases of a health-related application or program. HIPAA has effective non-discrimination measures, minimizes the amount of patient data gathered, and requires regular privacy impact assessments. These three measures are critical to encouraging the appropriate use of data.

What can be improved?

  • HIPAA should regulate how de-identified data can be used and disclosed.There is the growing possibility that deidentified data, when combined with other big data (such as retail purchases or location information), could be employed by insurance companies to restrict coverage or raise premiums for certain communities. Additionally, the risk of re-identification suggests that de-identified data shared with third parties could be used to discriminate against individuals.
  • HIPAA does not govern entities that gather and share consumer-generated data. An exercise tracker handed out by your doctor or health insurance company is governed by HIPAA, but when you buy it in a department store, HIPAA does not apply. The FTC has taken a more active role in safeguarding consumer-generated health data through its health breach notification rule. Despite this advancement, the rule applies only during breaches and primarily to vendors of personal health records or related entities rather than companies that manage health-related mobile applications and wearables.
  • HIPAA has unclear definitions of incidental and secondary use. HIPAA permits certain incidental uses and disclosures that may occur as a by-product of another, permissible use of data. They are allowed as long as the covered entity has instituted a reasonable set of technical, administrative, and physical safeguards. However, poor definitions of incidental and secondary use can create confusion and hinder accountability for inappropriate uses of health data.