Giving patients greater access to and more control over their health information could improve privacy protection, a former federal policy official concludes in a Bloomberg opinion piece.
The private sector needs to fill the gaps in health information privacy protection left by the Health Insurance Portability and Accountability Act and exacerbated by new, consumer-oriented health and wellness computer applications, they say.
The comments come in the wake of a long-delayed joint report by HHS' Office for Civil Rights and the Office of the National Coordinator for Health Information Technology on weaknesses in federal healthcare information privacy regulations.
The report, however, was six years late and failed to provide any solutions.
Jodi Daniel, former policy director of the ONC and former counsel at HHS, co-wrote the Bloomberg article. She's now a partner at the Washington, D.C., office of Crowell & Moring. Her co-authors, Elliot Golding and Jennifer Williams, are also lawyers with the firm.
Daniel and her co-authors say HIPAA provides strong protections, even with a 2002 gutting of the patient consent requirement, which remains a point of contention for privacy rights supporters.
That said, Daniel and her colleagues wrote that the rapid increase in consumer-facing health tools over the past decade, which are generally not subject to HIPAA or other state and federal laws governing health information, “has reached a tipping point where such gaps can no longer be ignored.”
A consumer association, they note, produced some guidelines for health data protection, but the measures have not been adopted by any company to date.
So, what to do?
They favor a private-sector approach, but one built on existing frameworks for privacy and security protections.
The authors suggest asking stakeholders to help work through knotty privacy issues while being mindful that rules may “impact business models in such a way that innovation is stifled.”
It is also important to consider new technological capabilities to protect data or to provide consumers more control, they wrote.
Finally, there must be a way to hold health data holders' feet to the fire.
That can be done through a “private sector ... accreditation program or seal of approval” that data holders could use to demonstrate compliance with the industry's home-brewed privacy protections.
Violators would risk a whacking by the Federal Trade Commission under its broad authority to regulate unfair business practices; specifically in this case, making promises to consumers that they'll abide by industry privacy guidelines but then not living up to those pledges.