The HIPAA Right of Access and Data Sharing

Twenty-five years in, the Health Insurance Portability and Accountability Act (HIPAA) and its related privacy and security regulations have been both celebrated and criticized. Recent developments are transforming patient right of access into a gateway for third parties. Where this transformation ultimately leads is uncertain. One possibility is a learning health system, fueled by patient contributed data and sophisticated data science and governed with an eye to advancing population health and equity while protecting privacy and maintaining trust. Another possibility is health related corporate surveillance on steroids. The 1973 report, Records, Computers and the Rights of Citizens, credited with originating the term “fair information practice,” included an access right, which made data about individuals fully available to them, upon request, in a comprehensible form. Section 164.524 of the 2000 HIPAA Privacy Rule gave patients a right to inspect and obtain a copy of their information, with only a few exceptions. The Health Information Technology for Economic and Clinical Health (HITECH) Act updated the access right for the era of electronic health records (EHRs). Rights on the books and in practice are, of course, two different things. Problems soon surfaced when patients tried to exercise their access right. For example, the American Civil Liberties Union filed a complaint on behalf of patients seeking their full genetic records from Myriad Genetics. Subsequently, Congress enacted the 21st Century Cures Act, which mandated a Government Accountability Office report on barriers to access. In addition, the U.S. Department of Health and Human Services Office for Civil Rights launched a HIPAA Right of Access Initiative. Ciitizen, a consumer health technology company, published a scorecard that suggests compliance with the HIPAA right of access is finally improving. Announced earlier this year, a proposed modification to the HIPAA Privacy Rule added the “right to direct the transmission of certain protected health information in an electronic format to a third party,” which provides that “an individual has a right of access to direct a covered health care provider to transmit an electronic copy of protected health information in an electronic health record directly to another person designated by the individual.” The individual’s request would need to be “clear, conspicuous, and specific.” There is, however, no point-by-point specification of required elements for the request, as would be the case with an authorization. Although examples of possible recipients are provided in the proposed modification, there are no limits on who can be a third-party recipient, and the access right redirect extends to any person or entity the individual chooses. There is request for comment about whether health care providers should be required to inform patients about the privacy and security risks of transmitting information to entities that are not covered by HIPAA. Efforts to develop a pathway for patients to share data with researchers have also been supercharged by the Precision Medicine Initiative’s (PMI) All of Us research program, which aims to enroll over one million Americans. Diversity is a priority, and so is bringing together many different types of data, including EHR data. The technology to transmit EHR data to All of Us, and potentially to other research studies, is being developed through a public–private partnership known as Sync for Science (S4S). A pilot involving four EHR vendors resulted in a successful launch of connectivity at six provider sites. Given the challenges, widespread adoption may take time, but this effort is proof of principle for patient EHR sharing with researchers through application programming interfaces (APIs). An important part of the story, in addition to technical feasibility, is the ethical and policy framework for implementation. In 2017, the Office of the National Coordinator for Health Information Technology published a report on privacy and security considerations for health care APIs. Linked to S4S, it cites the Precision Medicine Initiative Privacy and Trust Principles and Data Security Policy Principles and Framework as important guides. The report advises that, in accordance with the principle of transparency, individuals approving data transfers should be warned that the health care provider’s responsibility stops once data are transmitted to the third party. As a “tip” for implementers, it suggests that EHR patient portals give patients a way to view and manage all third-party apps that have access to information about them, including revoking HIPAA access requests. Interestingly, the PMI Privacy and Trust Principles begin with governance, and the first principle under governance is “substantive participant representation at all levels of program oversight, design, implementation, and evaluation.” The All of Us Research Program has invested in an ambassador program that integrates participant representatives in governance in line with this principle. Justifications for the All of Us ambassador program include respect for persons, relationship to trust, and the recognition that more ethical weight has been placed on transparency and individual consent than they can bear. Combining a vision of patient driven research progress with commitments to diversity, equity, and inclusion and trust enhancing privacy, security, and governance principles is the promised land for advocates of HIPAA access right facilitated data sharing. But perhaps the HIPAA access right facilitated data sharing could just as easily lead elsewhere. If usual patterns hold, at least initially, patient-driven data sharing may exacerbate the diversity problem affecting genomic and other research databases. Early adopters will likely come from the most privileged tier of society. This is especially true in the United States, where inequality is increasing and many less privileged groups have limited access to technology and experience social and economic insecurity that makes them justifiably averse to privacy risks. Furthermore, critics have already raised the alarm about the flow of de-identified information permitted under HIPAA. The addition of a process that may be easy to manipulate to gain relatively unrestricted access to identifiable patient information, including sensitive genomic data, may take data privacy from leaky to hemorrhaging. In response, the CARIN Alliance developed a voluntary code that incorporates many important protections. Unfortunately, the history of technology companies such as Facebook does not foster faith in the power of wisdom and benevolence to mitigate a “move fast and break things” mindset. Tips and codes are great, but the health care sector also needs requirements. For example, an easy-to-find and easy-to-navigate dashboard within patient portals should be a “must have” rather than a “nice to have” feature for access requests directing EHR data to third parties. In addition, the individual is no match for entities that skillfully manage attention and manipulate choices that would be contrary to their interests. Laws and regulations that reach beyond HIPAA should impose data use limitations in line with reasonable expectations, spur more robust and inclusive governance structures, and provide better protection from downstream harms such as discrimination