As connected health adoption grows, privacy rules like HIPAA are still broadly misunderstood

At a HIMSS Digital presentation, former ONC Chief Privacy Officer Joy Pritts and Connected Health Initiative Senior Counsel Brian Scarpelli discussed some common misconceptions about the law.
By Jonah Comstock
Even before the current crisis, connected technology and the Internet of Health Things were growing in prominence and adoption. Now, spurred on by people’s efforts to stay at home as much as possible, this technology is even more important.

But as health information and health data move into the homes and into consumers’ personal devices, concerns about privacy and security are giving pause to some providers and consumers.

“It’s probably fair to say that the healthcare industry is a little bit lagging in some respects compared to other industries that have picked up and used the internet connectivity and sensors for real-time data analytics,” Brian Scarpelli, senior global policy counsel at the Connected Health Initiative, said during a recent HIMSS Digital event. “There’s a very legitimate reason for that, and I don’t mean this as a knock, because in the healthcare sector, safety and life is so paramount in so much of what is done.”

Scarpelli joined Joy Pritts, a consultant and former ONC chief privacy officer, to discuss patient data privacy in the world of connected health and what HIPAA does and doesn’t cover. (Take the quiz on this page to test your knowledge of the 1996 law’s scope).

What people often don’t realize, Pritts said, is that HIPAA was created to keep data safe as it moves between health insurers and providers, so data that doesn’t interact with that ecosystem is often not protected at all. On the other hand, information that does fall under the law’s purview is often more protected than people realize.

“You’ll hear people say, ‘We only collect their name, phone number and the fact that they were a client of this particular doctor,’” Pritts said. “Guess what? You have already made something protected health information with just those three pieces of information.”

And when HIPAA doesn’t apply, it can be confusing to figure out what does. Scarpelli and Pritts described a “patchwork” of regulations including GDPR, the California Consumer Privacy Act, and FTC guidelines. And Congress is working on a cross-sectoral data-privacy framework that could affect health data in interesting ways.

Other laws to protect patient privacy can also conflict with HIPAA – for instance, laws that include a right for people to delete data about them can conflict with guidelines that require doctors to maintain complete and accurate records.

Pritts and Scarpelli advised that organizations concerned about their use of health information follow some best practices.

The “Get out of Jail Free” card that’s common to almost all privacy laws is that if you have the user’s explicit permission you can use and share their data in any way they’ve agreed to. So when in doubt, get permission.

Additionally, companies large and small need to confront privacy questions early and head-on.

“If, at the top of your organization, privacy is just another box to check, then all of your employees will have that attitude and you should not be surprised if there’s poor compliance,” Pritts said. “Rather, if you set up a pro-privacy culture up front that this is something you do, you expect everyone else to do, and you take it into account up front, and aim for the future so you can build into this, you’ll be much better off.”
