In January of 2021, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (Notice) to modify the HIPAA Privacy Rule. HHS has proposed to modify the Privacy Rule right of access provision by (among other measures) requiring providers, at an individual’s request, to mail or electronically transmit PHI to or through the individual’s personal health application (PHA). HHS seeks to define PHAs as “electronic applications used by an individual to access health information about that individual, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity.” Examples of PHAs include FitBit and WebMd apps. The period for public comment on the Notice closed on May 6. Numerous healthcare groups have expressed opposition to the proposed requirement to electronically transmit PHI to or through a PHA. Details about why the healthcare groups are opposed to the proposed requirement are discussed below.
Proposal to Modify HIPAA Privacy Rule: No Oversight
HHS, in seeking to justify addition of a “PHA provision” has noted that individual use of personal health applications to access and manage personal health information, is growing. Individuals (or their personal representatives) use a personal health application for the individuals’ own purposes, such as to monitor their own health status and access their own PHI using the PHA application.
Currently, HIPAA does not require that providers accommodate requests by patients to transmit information such as weight, vital signs, and or other health information.
Providers are worried that this requirement may be imposed. PHA developers are not regulated by HIPAA as either covered entities or business associates. The proposed new Privacy Rule does not regulate these entities, either. Healthcare groups, including providers and advocacy organizations, have submitted public comments voicing concerns about the privacy and security risks associated with sending protected health information (PHI) to these unregulated apps. These groups expressed concern that, since PHAs and those who develop, manufacture, or sell them, are not regulated by HIPAA, PHI that a provider sends to a PHA at a patient’s request may be accessed or used by third parties. These third parties could use the PHI for illegal financial gain or another illegal purpose.
Healthcare groups have commented that, since PHAs would not be regulated under the HIPAA Security Rule, PHAs may lack adequate privacy and security controls. In addition, healthcare groups have voiced concern that, since PHA vendors are not subject to HIPAA, these vendors need not enter into business associate agreements with providers. In the absence of a business associate agreement, a PHA vendor could lawfully make secondary disclosures of PHI, for purposes of marketing, sales, advertising, or other purposes not related to individual patient health.
The American Hospital Association, reflecting the concerns of other healthcare organizations, has stated, “Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records.”
Proposal to Modify HIPAA Privacy Rule: Next Steps
The initial deadline to submit public comment on the proposed rule was March 22, 2021. Due to the importance of the issue of the HHS Privacy Rule modification, the deadline was extended to May 6. To date, approximately 1,200 comments have been submitted. OCR is now reviewing the comments, which have been made by:
- Patients and family members;
- Covered entities and business associates;
- PHA developers and vendors;
- Healthcare professional associations;
- Health information management professionals;
- Health information technology vendors; and
- Government entities.
Once HHS has reviewed the comments, it can take one of several courses of action. HHS may decide to finalize the entire proposed rule, or to finalize or modify parts of it. HHS’ decision will take the form of a Final Rule that will be published online. In the Final Rule, HHS will explain its reasoning for the course of action it decided to take. Alternatively, HHS may conclude that additional information is required for a decision to be made. In that case, HHS may once again extend the public comment period.