True or False: Your Patients’ Health Data Is Protected by Privacy Rights?

The following is a guest article by Deborah Hsieh, Chief Policy & Strategy Officer at Ciox.

When most of your patients hear “health data rights,” they likely think of HIPAA, or of the long forms they rarely read in their doctors’ offices. What they may take for granted are the protections for health data that covered entities must provide.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and is the framework on which health data protection has been constructed. The initial intent of the Act was to support the continuation of health insurance coverage and to ensure the security and confidentiality of patient information/data. The regulation fundamentally acknowledged the value of health data and the need for protections.

Where do health privacy rights start and end?

Despite the almost quarter-century that has passed since HIPAA was first enacted, there is relatively limited awareness of health privacy rights beyond compliance and legal experts. News of Google and Ascension’s partnership in November surprised the general public, including legislators, and perhaps exposed that limited awareness. One element many individuals are unfamiliar with is that the same health data that is protected when held by a covered entity (a healthcare provider or healthcare payer) or by a business associate of one of those parties is not protected if it is held by anyone else.

Many of the new companies bringing innovations in digital health are not covered entities or business associates, which means patients have no privacy protections for health data obtained by, shared with and/or created with those companies. As digital health companies and applications become more prevalent and consumers share more of their health data through the applications, consumers must understand their health data rights and how their data is being used so they can make informed choices. In addition to that, without defined protections, someone who is not a covered entity or business associate may also not be held accountable for any breaches of privacy in health data. Based on who holds the data, your patients may not have any recourse.

The Washington Post recently warned about privacy concerns in an article focused on mental health apps and college students. Despite the potential health benefits of the apps, there is concern that students may be required to effectively give up their privacy rights, given the apps’ lax protection for consumer data. The article noted an example where an app was thorough in its capture and use of students’ contacts for marketing purposes but did not use those contacts in the therapeutic service it delivered.

The issue is broader than mental health applications. The article cites an Institute for Science, Law and Technology analysis of the privacy policies and permissions of hundreds of mobile medical apps that found the following:

Only 38 percent had privacy policies available before download, so consumers couldn’t determine what was going to happen with their information. The available policies were often challenging to locate and understand. Many terms of service stated that the policy could change without notice to the user or included a catchall provision that said the company would make every attempt to be compliant with the Health Insurance Portability and Accountability Act (HIPAA) but didn’t guarantee information privacy.

Consumers shouldn’t feel that they must make a tradeoff between having tools to support health improvements and having protections for their health data privacy and security.

What about the 50 states?

The already complex components of HIPAA are further complicated by varying state protections for health data. As an example, Florida laws outline a patient’s right to keep sensitive medical records confidential, including records related to abortions, sexually transmitted diseases and HIV/AIDS. However, just one state over in Georgia, the protection for HIV/AIDS status is not as stringent. Someone living on the border of Georgia and Florida who seeks care in both states would experience different protections for his/her health data.

Who is responsible for managing health data privacy and security?

Given the complexity of health data privacy and security protections, consumers may think that it is the government’s or companies’ responsibility to manage these protections. At the “Safeguarding Health Information: Building Assurance through HIPAA Security 2019” conference, sponsored by the National Institute of Standards and Technology and the Office for Civil Rights, the head of the Office for Civil Rights declared, “Buyer beware when it comes to the patient… the individual is the one to worry about what happens to their information when it goes to the third party… All questions are shifted to the consumer.” In this environment, patients must be their own advocates and must evaluate privacy and security themselves as they select providers and partners.

As one example, when sharing health data with external parties, consumers can choose between granting a “right of access” or granting a third party a right to obtain their health data using a “HIPAA authorization.” A key distinction is that a HIPAA authorization has required elements and notices that inform the patient/consumer of specific HIPAA rights to privacy (see the graphic below for a synopsis of some differences). Many consumers don’t understand the difference between these options and follow the wishes of the external party, which may have detrimental consequences for health data protections.

Protections for health data security are just as critical as those for privacy. In December, the Centers for Medicare and Medicaid Services (CMS) closed access to Blue Button 2.0, as a bug in the code “may be causing certain beneficiary protected health information to be inadvertently shared with another beneficiary or the wrong BB2.0 application.” CMS’s Blue Button 2.0 has been a prime example of the potential of application programming interfaces (APIs) and of increased access to and exchange of health data. That an application created and run by the federal government still suffers from security issues should increase attention to and scrutiny of the security capabilities of other applications accessing health data.

Given this complex landscape, what should you do?

Providers, payers and their business associates should ensure they are abreast of current discussions about healthcare data privacy and security. Administrative actions include a proposed regulation by the Office of the National Coordinator for Health Information Technology related to healthcare data interoperability and exchange and plans to revisit HIPAA. The legislature is also increasing its attention to privacy generally, including for healthcare data. There is great potential for increased access and exchange of health data to improve healthcare delivery; however, there should be recognition and mitigation of the potential challenges to privacy and security, as well as thorough patient understanding.

Finally, healthcare stakeholders should be proactive in helping consumers understand the protections, or lack thereof, for their healthcare data. You can create a more positive consumer experience by educating your patients about their rights and the potential consequences of healthcare data sharing choices.

About Ciox
Ciox Health, a leading health technology company and proud sponsor of Healthcare IT Today, is improving patient health by transforming clinical data into actionable insights. Combined with an unmatched network offering ubiquitous access to healthcare data, Ciox’s expertise, relationships, technology and scale make a difference for healthcare stakeholders and empower greater health for patients. Through its HealthSource technology platform, which includes solutions for data acquisition, release of information, clinical coding, data abstraction, and analytics, Ciox helps clients securely and consistently solve the last mile challenges in clinical interoperability. Learn more about Ciox’s technology and solutions by visiting Ciox’s website or following Ciox on Twitter and LinkedIn.