Privacy in healthcare has been a key discussion in healthcare policy in the United States. As a result, this brief conducts an in-depth analysis of the current state of US healthcare privacy, and legislative actions which have the potential to help US citizens' privacy. Privacy is a large question in the context of healthcare, because healthcare data could be used to compromise citizen’s health and their well-being. As a result, one of the most important healthcare policies passed in recent years is associated with healthcare protection, and we can still see issues with the current system including large data breaches and issues regarding the protection of this data. Thus, some policies are analyzed with their unique ability to help the health of citizens in the United States.

History

A. Current Stances

The growing spotlight on health policy in the United States has led to increased scrutiny of patient data restrictions. While many companies use personal information to improve health outcomes, over 75% of Americans remain concerned about how much such actions impede “guaranteed” confidentiality.  Ultimately, many challenges are embedded in the current healthcare system undermining patients’ privacy. 

Information is often inappropriately shared by an organization, both incidentally and intentionally. Principally, cybersecurity gaps are prominent in healthcare infrastructure. With motives ranging from impersonation to locking data for financial reimbursement, there have been an estimated 295 data breaches from January to June of this year. Attackers target addresses, medical histories, social security numbers, and other sensitive, personal information that detract from patient safety. Headlined by the Managed Care of North America infraction, such breaches have affected upwards of 39 million Americans. This greatly affects both the companies and consumers. Beginning with the former, locked data causes companies to lose revenue as they cannot perform their services and must pay to retrieve patients’ files. Moreover, such breaches drastically reduce the reliability and reputation of an organization, likely shrinking its long-term customer base. For patients, locked or stolen data can increase wait times and even prevent access to healthcare. 

Furthermore, health companies and hospitals can give and sell lucrative patient data. Under the Health Insurance Portability and Accountability Act (HIPAA), information can be sold so long as it does not carry identifiers even without the permission of the patients themselves. The private groups receiving data are largely unrestricted, as they often are not subject to HIPAA requirements. Critically, it is an opt-out, not an opt-in system. Nonetheless, such dataflow does have benefits: it can be extremely helpful for researchers to identify trends in health outcomes and further medicinal science. Prominent groups, including the Mayo Clinic and HCA Healthcare, are among those who utilize these measures. However, because of the relatively simple nature of re-identifying patient records, the threat of identity theft, shared financial information, and the publicization of one’s medical status exists. Overall, such data transfer sacrifices entrusted confidentiality for research and money.

B. Legal Framework

The mandate of privacy standards in healthcare is under the Health Insurance Portability and Accountability Act (HIPAA) ruling. The statewide federal law attests to the protection, confidentiality, privacy, and security of patients’ health information (PHI). The Privacy and Security Rule ensures policies and procedures are implemented throughout hospital facilities.

The Department of Health institution and the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) input the terms and conditions to solidify any patient data gathering, whether electronically or on paper. 

As of today, HIPAA’s regular updates are now showing the completion of its principles and have been in effect to assist organizations, hospitals, and doctors’ offices with collecting and managing patient data. In place are the requirements of compliance in healthcare facilities to construct an act of confidential appreciation to patients.

The Privacy rule’s primary incentive is to ensure the protection of PHI, whilst the Security Rule protects a patient’s electronic health information. Patient data, whether sensitive or insensitive, requires authorized access. Considerable data that could potentially lead to violation of HIPPA rights consists of genetic and demographic details. This involves information on a patient’s health status, healthcare, health insurance, payments, medical records, etc. Those who have access to information and provide support in treatment must comply with the laws under HIPAA’s framework. Guidelines are set to supply individuals with the right to access and prohibit PHI. 

Violations can either result in civil monetary penalties or criminal penalties. Depending on the culpability—‘No Knowledge, Reasonable cause, Willful neglect, timely corrected, Willful neglect, not corrected,’ will be issued a maximum fine of $1.5 million or up to ten years imprisonment. Upon signing a breach notification exposure to the public, documentation of proof of reports must follow up.

Policy Problem

A. Current Measures

With almost 6 in 10 Americans in today’s world expressing their concern with daily government surveillance on personal information flows, the relation of healthcare to the issue of privacy is answered by one major law: the Kassebaum-Kennedy Act, also known as the Health Insurance Portability and Accountability Act (HIPAA) is a 1996 federal law that establishes the illegality of disclosing patient health information without their consent or knowledge. While HIPAA is a major and precedent law in place for American healthcare by creating privacy standards, it ultimately faces shortcomings in ensuring medical efficiency, accounting for all medical healthcare providers and receivers, and effectively enforcing the penalization of health data surveillance.

The primary feature of HIPAA is that it sets boundaries for healthcare-providing entities in terms of using and collecting covered individuals’ health data and records, also known as Protected Health Information (PHI). Additionally, a secondary feature of HIPAA aims to ensure thorough privacy to patients as it provides rights to individuals to receive and control their health data. However, this secondary goal of HIPAA often slows down the medical care process. The 2019 case of a West Virginian healthcare provider ignoring a parent’s request for their child’s medical data to receive treatment serves as a point of contention for how inefficient HIPAA can cause the medical system to be. It eventually took a federal investigation to determine the validity of a parent seeking their child’s records, suggesting clearer demarcations of accessibility.

Another core issue with HIPAA is its failure to account for all medical institutions to ensure patients’ privacy. The HIPAA currently states that the law covers all healthcare providers and must comply with the requirements of guaranteeing data privacy, including care providers for various medical plans such as dental care, medicare, and health maintenance. In reality, many organizations were revealed since 2009 to have sold health data through methods unregulated by HIPAA such as health devices. Such loopholes and instability in the system, paired with the deceleration of medical efficiency, have caused perspectives that see HIPAA as a fiscally costly and socially futile legislation to arise.

Finally, the core issue of HIPAA is complemented by the two aforementioned problems of inefficiency and loopholes, in which the legislation is not strongly enforced. As with many other data surveillance controversies, the handling of PHI is still a sensitive issue to many American citizens and an important marketing and service-providing tool for health service organizations. The inclusion of all healthcare-related institutions and individuals under the HIPAA law, however, makes it extremely difficult for effective and continuous enforcement to happen in the United States. Much of the complaints about HIPAA regulations from both the citizens and the service providers go unanswered, which ultimately points to the fact that the HIPAA requires specificity in its operation.

B. Recent Developments

This year, Washington, Connecticut, and Nevada have passed laws regarding healthcare privacy, following in the footsteps of California, which, in 2022, expanded its CMIA healthcare privacy plan. In April, Washington signed the My Health, My Data Act, which protects all state residents whose health data is collected in Washington, setting the groundwork for Connecticut and Nevada to follow suit in the months after. The acts restrict how entities collect, use, and process consumer data. Covered entities — businesses in the states, businesses that target citizens of the states, and small businesses (those who collect data of fewer than 100,000 consumers a year or derive less than 50% of their gross revenue from consumer data) —  must be transparent to consumers. This implies a consumer health data privacy policy on their homepage and disclosing how one’s data will be collected, stored, and used. It is critical to note that to sell an individual’s data, entities must obtain valid authorization and, importantly, approval from the consumer, ensuring the confidentiality and integrity of those who do not want their information sold. 

However, the acts will likely have unintended consequences. Given its breadth, the plans may impact several industries that are not typically considered processors of consumer health data. As a result, entities must review the law to confirm they are compliant; otherwise, violations could lead to class action lawsuits and significant fines. Unlike the My Health, My Data Act, Connecticut’s CTDPA and Nevada’s Senate Bill 370 do not include a private right of action entitling individuals to take legal action against entities to receive compensation. In effect, violations will likely be minimal fines for larger entities, damaging the acts’ efficacy. Considering the consequences of healthcare privacy laws and violations, it will be essential to follow developments in the states where these acts exist, as restrictions will likely be altered depending on the extent of the repercussions.

Policy Options

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) act served as an exhaustively detailed framework to safeguard this privacy and ensure data security to its citizens however, due to constant shifts in the healthcare industry, changes in technology, the Covid-19 pandemic and several other factors, constant updates are needed in this kind of legislation.

HIPPA was not meant to be a stagnant form of legislation, and continuous improvements have been made over the years to this 25-year-old bill. In a new White House briefing this year, several potential policy actions concerning HIPAA have been considered. 

Firstly, the Department of Health and Human Services issued a Notice of Proposed Rulemaking to enhance privacy protections under HIPAA, focusing on reproductive health information. The rule aims to prevent disclosure of such information for legal action and safeguard patient-provider confidentiality. This initiative promotes complete and accurate reproductive health information for patients. In particular, the rule would bar sharing an individual’s data for investigation, legal action, or prosecution based on seeking or providing legal reproductive healthcare, like abortion.

The second core issue the briefing discussed was the Protect Students’ Health Information. The Department of Education (ED) is releasing guidance to more than 20,000 school officials, reminding them of their duty to uphold student privacy according to the Family Educational Rights and Privacy Act (FERPA). This guidance emphasizes the requirement for written consent from eligible students or parents before sharing personally identifiable information, encompassing student health data, with certain exceptions. Additionally, ED provides a "know-your-rights" resource to educate students about their privacy rights concerning health records within the school environment.

Officials also discussed the importance of consumer privacy and safeguarding electronic health information in particular, given that these issues tend to be overlooked in the entire HIPAA legislation. The Federal Communications Commission (FCC) is introducing a fresh guide aimed at consumers, offering advice on optimal strategies to safeguard their personal data on mobile devices.The guide also explains how existing FCC requirements protect against disclosing consumers’ sensitive information, including geolocation data, which can be especially important in the context of reproductive health.

Most of the new policy actions the federal government is considering focused particularly on the issue of women’s health in the country. They announced several related efforts to provide access to more accurate health information and promote data related to women’s health more broadly. The mentioned two main avenues to achieve this: Firstly, leveraging maternal health data to address disparities and, secondly, promoting accurate information about reproductive health. 

For example,  FCC commits to the swift implementation of the Data Mapping to Save Moms’ Lives Act, integrating maternal health data into its Mapping Broadband Health in America platform. This effort aims to enhance women’s health, expand broadband access for telehealth, and address disparities in maternal health outcomes. Additionally, HHS plans a new funding opportunity for a national hotline providing accurate reproductive health care information and referrals, especially for Title X program patients.

Overall, a detailed description of the issues regarding the current healthcare system and privacy issues have been provided. Some of the analysis is able to detail how we can see current systems may be conducive to compromising sensitive patient data, but there are some key methods to help combat these problems for the future.

Acknowledgement

The Institute for Youth in Policy wishes to acknowledge Michelle Liou, Nolan Ezzet and other contributors for developing and maintaining the Policy Department within the Institute.

Works Cited

1. “HIPAA Rules and Regulations.” Compliancy Group, 18 July 2023, compliancy-group.com/hipaa-rules-and-regulations/. 
2. “Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Centers for Disease Control and Prevention, Centers for Disease Control and Prevention, 27 June 2022, www.cdc.gov/phlp/publications/topic/hipaa.html#:~:text=Health%20Insurance%20Portability%20and%20Accountability%20Act%20of%201996%20(HIPAA),-Print&text=The%20Health%20Insurance%20Portability%20and,the%20patient%27s%20consent%20or%20knowledge. 
3. “45 CFR § 160.408 - Factors Considered in Determining the Amount of a Civil Money Penalty.” Legal Information Institute, Legal Information Institute, www.law.cornell.edu/cfr/text/45/160.408. Accessed 27 Sept. 2023. 
4. HIPAA Rules and Regulations - Compliancy Group, compliancy-group.com/hipaa-rules-and-regulations/. Accessed 27 Sept. 2023. 
5. (OCR), Office for Civil Rights. “Your Rights under HIPAA.” HHS.Gov, 19 Jan. 2022, www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html.
6. Angle, Kevin, and Matthew Cin. n.d. “Data Collection & Management, Professional Perspective - Key Requirements of Connecticut & Colorado Privacy Laws.” Bloomberg Law. Accessed September 23, 2023. https://www.bloomberglaw.com/external/document/X8K8VUN4000000/data-collection-management-professional-perspective-key-requirem.
7. “The Broad Reach of Washington State's My Health My Data Act.” 2023. Morgan Lewis. https://www.morganlewis.com/pubs/2023/07/the-broad-reach-of-washington-states-my-health-my-data-act.
8. Engfeldt, Helena. 2023. “Washington state My Health, My Data Act signed into law - some provisions operative in less than 3 months.” Connect On Tech. https://www.connectontech.com/washington-state-my-health-my-data-act-signed-into-law-some-provisions-operative-in-less-than-3-months/.
9. Engfeldt, Helena. 2023. “New Health Data Protections in the Connecticut Data Privacy Act Operative Just Days After Revisions Signed Into Law.” Connect On Tech. https://www.connectontech.com/new-health-data-protections-in-the-connecticut-data-privacy-act-operative-just-days-after-revisions-signed-into-law/.
10. Engfeldt, Helena. 2023. “How the New Nevada Consumer Health Law Differs from the Washington State My Health, My Data Act.” Connect On Tech. https://www.connectontech.com/how-the-new-nevada-consumer-health-law-differs-from-the-washington-state-my-health-my-data-act/.
11. "The Long-Term Damage of a Healthcare Data Breach." Healthcare Resolution Services, healthcareresolutionservices.com/blog/the-long-term-damage-of-a-healthcare-data-breach/. Accessed 26 Sept. 2023.
12. McKeon, Jill, editor. "Biggest Healthcare Data Breaches Reported This Year, so Far." Health IT Security, 26 June 2023, healthitsecurity.com/features/biggest-healthcare-data-breaches-reported-this-year-so-far. Accessed 26 Sept. 2023.
13. "Patient Perspectives around Data Privacy." American Medical Association, 2022, www.ama-assn.org/system/files/ama-patient-data-privacy-survey-results.pdf. Accessed 26 Sept. 2023.
14. "Privacy and Security Concerns Regarding Electronic Health Information." National Library of Medicine, National Institutes of Health, 1997, www.google.com/url?q=https://www.ncbi.nlm.nih.gov/books/NBK233428/%23:~:text%3DConcerns%2520over%2520the%2520privacy%2520and,health%2520care%2520and%2520related%2520industries&sa=D&source=docs&ust=1695780044449838&usg=AOvVaw3VPagwidytYst17U7FvwId. Accessed 26 Sept. 2023.
15. Wetsman, Nicole. "Hospitals Are Selling Treasure Troves of Medical Data — What Could Go Wrong?" The Verge, Vox Media, 23 June 2021, www.theverge.com/2021/6/23/22547397/medical-records-health-data-hospitals-research. Accessed 26 Sept. 2023.