Maintaining Trust Through Privacy and Secure Patient Access

Health care data privacy is at the heart of consumer trust in health care. Consumers want to trust that the health care system will not only keep them healthy, but also protect their most sensitive information. The privacy and security of this information is governed by a patchwork of federal and state laws. While the federal Health Insurance Portability and Accountability Act (HIPAA) protects health data maintained by payers, providers, and health care clearinghouses, health and other sensitive data are increasingly generated by or shared with new digital health tools and technologies that fall outside HIPAA's protections. Beyond HIPAA, there are no comprehensive data privacy rules in place at the federal level.

Recommendations

Overall

Data privacy needs to be a multisector discussion. Government agencies with jurisdiction in this space should work with and across other agencies, as well as with industry stakeholders, to generate solutions that address consumer access to and control of their health data. A primary tenet of any privacy law should be to ensure individuals' health information is properly protected while allowing for the flow of health information needed to promote high quality health care and protect the public's health and wellbeing.

Education

Data privacy is complex. The average consumer and/or patient is not, and should not be expected to become, a HIPAA expert and therefore is likely unaware of where HIPAA protections for health data start and stop. Commercial app companies generally are not HIPAA-covered entities. Therefore, when information flows from a covered entity's information system to an app, it may no longer be protected by HIPAA. Third-party apps and digital health tools are here to stay, and consumers and providers need to be informed on how, with whom, and in what ways their data is being shared or stored. Innovative tactics and strategies need to be deployed to increase consumer understanding and awareness. Additionally, there need to be resources in place for providers to educate themselves on the various privacy laws that govern health data sharing.

Consumer-Centric

The onus to understand privacy policies and ensure they are being properly followed currently falls on the consumer. This must change. Privacy policies are extremely long, difficult to understand, and not consumer friendly. Instead, there need to be baseline rules that place limits on how health data is collected, shared, sold, and used. Strong rules will allow the consumer to know their health data will not be used in ways or for purposes that they did not know about, anticipate, and/or want.

Trust

One of the central tenets of health care is maintaining a culture of trust in the physician-patient relationship. That trust is crucial to providing good quality health care. Patient trust in physicians, a multi-dimensional perception influenced by patient, physician, and situational factors, can either enable or hinder the accuracy and quality of the information a patient shares with their provider. Numerous reports and surveys have been published that emphasize the need for security and privacy assurances to improve the consumer experience. These resources have also shown that transparency is a crucial element of building and maintaining patient trust.

Regulation

Regulation of information in the U.S. takes a sectoral approach. The federal government should have clear responsibilities for enforcing health data privacy protections both within and outside of HIPAA and for ensuring that consumers can be confident their rights are being upheld. Regulations governing the sharing and protection of patient health information must be harmonized to meaningfully improve patients' access to their health data and advance interoperability while safeguarding patient privacy and security. Any new authority should align fully with HIPAA and not duplicate it or create additional burden and complexity for covered entities and consumers.