Tech Firms Ask Congress to Redefine Medical Privacy Rules

Posted September 8, 2014 at 5:04pm

Tech firms, including Inc., are asking Congress to redefine the rules on medical privacy, saying the risks of potential disclosure should be weighed again against the anticipated benefits of wider sharing and easier access to crucial health data.

Executives of tech companies and health organizations have told the House Energy and Commerce Committee in recent months that what they consider an excessively conservative stance on health data privacy is hindering development of new medical technologies and approaches to treatment, and also adding costs to already burdened state and federal budgets.

“We, in our effort to protect the patients, are constructing a health care system that they and we cannot afford, and we’re putting the balance in the wrong spot,” Joseph M. Smith, a former Johnson & Johnson medical technology executive who has been involved with venture capital projects, told the committee in June. “In Congress’ view of trying to protect everyone from that information, we may be protecting them to death.”

Much of what health researchers and executives seek involves more clear guidance on what are known as HIPAA privacy regulations. The name reflects their genesis as an add-on provision to the Health Insurance Portability and Accountability Act of 1996 (PL 104-191).

Yet, these calls for a new look at HIPAA are coming at a time of marked concern about the sanctity of consumers’ online accounts — health and otherwise. House Republicans responded with great concern when the Department of Health and Human Services this month announced that common malware had been detected on the website for the federal medical insurance exchange. No personal information was compromised as a result of this intrusion on a test server, HHS has said.

June brought a furor over the revelation of an experiment seeking to alter the emotional state of about 690,000 Facebook users. That’s likely to heighten people’s concern about how data in general is shared online, especially medical records, said Justin Brookman, director for consumer privacy at the Center for Democracy & Technology.

“By and large, they don’t expect that they are going to be guinea pigs,” he said. “When we are talking about health information, people feel even more strongly about it.”

In May, HHS reported a record HIPAA settlement of $4.8 million in a case involving New York Presbyterian Hospital and Columbia University and medical records for about 6,800 people, including laboratory results. The hospital and Columbia learned of the security lapse when the partner of a deceased patient found that person’s health information on the Internet. New York Presbyterian and the university notified HHS of the security lapse, and there’s been no indication any of that information was ever accessed or used inappropriately. Still, HHS found their “approach to guarding data” lacking and levied the record fine.

The complexity of HIPAA regulations and the threat of inadvertently triggering fines keep many small companies from venturing into projects that would involve using medical data, Smith said at the Energy and Commerce meeting in June.

“Once they understand the HIPAA penalties and the machinery involved and the limitations that imposes on the value that they could create, they demur,” said Smith, now the chief medical and science officer at the nonprofit West Health Institute, noting this has an effect on the United States health system at large. The “innovative spirit” falters when “it encounters that immovable object that we currently call HIPAA,” he said.

Large companies also are looking for changes in HIPAA. Paul Misener, Amazon’s vice president for global public policy, in July told Energy and Commerce that current rules make it difficult to negotiate contracts for cloud computing services. Congress should direct HHS to provide more clear guidance on the HIPAA requirements for cloud computing when the host firm has no way of accessing the encrypted data that would be stored, he said.

The current interpretation “impedes health-care delivery entities from leveraging cloud services by causing the parties to negotiate a ‘business associate agreement’ in which virtually all of the terms are inapplicable because the cloud services provider does not have access to health information,” Misener said.

These complaints about HIPAA have caught the attention of a powerful lawmaker who is intent on putting forth broad bipartisan health legislation in the next session of Congress.

“We have heard on numerous occasions that there is a wealth of health data available, but there are barriers to using it,” House Energy and Commerce Chairman Fred Upton, R-Mich., told CQ Roll Call in an email last week. “We are exploring opportunities to break down those barriers, allowing for greater innovation and advancement, all the while protecting the privacy of our patients.”

A look at HIPAA has been part of what Upton calls his 21st Century Cures Initiative, which has drawn federal officials, including top Food and Drug Administration regulators, to sit and publicly hash out ideas with company executives and patient advocates.

Upton’s lead partner in the project is Diana DeGette, D-Colo., and the backers so far include two Democrats competing for their party’s top spot on Energy and Commerce, Frank Pallone Jr. of New Jersey and Anna G. Eshoo of California.

At the June roundtable, DeGette spoke of the potential need for a new look at HIPAA. She is also among the lawmakers who have said HIPAA rules may need to be spelled out more clearly for cases where parents want to help children suffering from mental illness. Pressure from such communities, tech firms and mental health advocates almost certainly will put HIPAA on the agenda for the next Congress.

The challenge with HIPAA is weighing the desire for researchers and patients to get easier access to medical data, while maintaining proper safeguards, DeGette told the health officials and tech executives at the June Energy and Commerce meeting.

“That’s the balance we’ve always been trying to achieve,” DeGette told the officials of medical firms serving on the roundtable. “It’s sounding like you all don’t think we really have done that.”