How Do New Patient Right of Access Policies Impact HIPAA?

Recent developments in patient right of access policies have experts uncertain about the future of HIPAA and data sharing practices.

It’s been 25 years since HIPAA was signed into law, but new patient right of access policies have experts questioning the future of HIPAA and third-party data sharing, according to a recent op-ed published in The Regulatory Review, a publication by the University of Pennsylvania Law School.

Mary Anderlik Majumder, a professor with the Center for Medical Ethics and Health Policy at the Baylor College of Medicine, posited two possible outcomes that could result from recent patient right of access policy transformations.

“One possibility is a learning health system, fueled by patient contributed data and sophisticated data science and governed with an eye to advancing population health and equity while protecting privacy and maintaining trust. Another possibility is health-related corporate surveillance on steroids,” she wrote.

HIPAA right of access policies have evolved over the years to ensure that patients have equitable access to their medical records. HIPAA requires covered entities to provide patients with access to their medical records. But concerns arose over the years about the accessibility and data security of patient records.

A section of the 2000 HIPAA Privacy Rule gave patients the right to request and obtain a copy of their medical records. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, helped right of access policies evolve to reflect the growing use of EHR systems.

“Rights on the books and in practice are, of course, two different things,” Anderlik Majumder explained.

Although access policies were enacted, patients had trouble actually obtaining their records. The problem was so prevalent that the American Civil Liberties Union filed a complaint against Myriad Genetics on behalf of patients who were struggling to obtain their genetic records.

In late 2016, the 21st Century Cures Act was signed into law, mainly with the goal of easing administrative burdens that prolong clinical trials, enabling data sharing among researchers, and improving privacy protections for clinical trial participants. The act also called on the Government Accountability Office to report on access barriers.

In 2019, HHS’s Office for Civil Rights (OCR) launched the HIPAA Right of Access Initiative to advocate for individuals trying to obtain their health records in a timely manner at a reasonable cost, as outlined in the HIPAA Privacy Rule. In June 2021, the initiative settled its nineteenth investigation.

Earlier this year, the article explains, a proposed modification to the HIPAA Privacy Rule gave individuals the right to transmit certain protected health information (PHI) in an electronic format to any third party.

“Although examples of possible recipients are provided in the proposed modification, there are no limits on who can be a third-party recipient, and the access right redirect extends to any person or entity the individual chooses,” Anderlik Majumder explained.

“There is a request for comment about whether healthcare providers should be required to inform patients about the privacy and security risks of transmitting information to entities that are not covered by HIPAA.”

While the policy does give patients more agency over the transmission of and access to their records, privacy issues could arise, and data could end up in the wrong hands.

However, the policy could also open up research opportunities and bolster health equity efforts by allowing patients to share EHR records with researchers and increase data diversity in clinical trials.

“Combining a vision of patient-driven research progress with commitments to diversity, equity, and inclusion and trust enhancing privacy, security, and governance principles is the promised land for advocates of HIPAA access right facilitated data sharing,” the article suggested.

“But perhaps the HIPAA access right facilitated data sharing could just as easily lead elsewhere. If usual patterns hold, at least initially, patient-driven data sharing may exacerbate the diversity problem affecting genomic and other research databases.”

Critics pointed out many cybersecurity gaps in the latest updates to the HIPAA Privacy Rule. The addition of third-party access makes PHI even more accessible to bad actors. Once the data is handed off to a third-party entity, it is no longer necessarily covered by HIPAA.

“In addition, the individual is no match for entities that skillfully manage attention and manipulate choices that would be contrary to their interests,” Anderlik Majumder concluded. “Laws and regulations that reach beyond HIPAA should impose data use limitations in line with reasonable expectations, spur more robust and inclusive governance structures, and provide better protection from downstream harms such as discrimination.”