
CCHF Urges Lawmakers, OCR to Uphold Patient Privacy Protections

Arguing HIPAA fails to protect patient privacy given issues with consent, Citizens Council for Health Freedom (CCHF) asks Minnesota to uphold its stringent privacy law and OCR to revisit HIPAA.

Citizens Council for Health Freedom is calling on state legislators to defend the Minnesota Health Records Act (MHRA) following reports of some major healthcare partnerships with large tech companies, such as those between Google and Mayo Clinic, as well as Ascension.

The nonprofit group based in Minnesota is also calling on the Office for Civil Rights to revisit HIPAA for what it calls lax patient consent requirements that put patient privacy at risk.

MHRA is seen as one of the strongest US medical privacy and patient consent rights laws. Under it, a provider, or a person who receives health records from a provider, may not release patient health records without a signed and dated consent form from the patient or a legal representative, specific authorization in law, or a provider representation with patient consent authorization.

Exceptions include medical emergencies, treatment needs, and other related circumstances.

However, recent partnerships between health providers and tech companies have raised concerns for CCHF. Most notably, the recently reported Google and Ascension partnership centered around data sharing, cloud infrastructure, and the like.

Under HIPAA, the partnership is in compliance as covered entities are permitted to share data with business partners, as long as it’s used to carry out the provider’s healthcare functions.

Mayo Clinic also recently signed a 10-year partnership with Google on its cloud infrastructure and to create new healthcare insights. Microsoft and Amazon are also working with several large healthcare organizations in similar partnerships.

CCHF argues that major corporations would prefer to conform with HIPAA, which allows data sharing for “at least 65 non-clinical business activities.” As a result, more than 2.2 million entities can potentially access patient data under the rule.

The concern is that under HIPAA, it’s the holder of the data that decides access control, not the patient.

“The recent news that the Ascension healthcare system is legally sharing the medical records of 50 million Americans in 21 states with Google clearly shows that HIPAA does not protect patient privacy,” said Twila Brase, president of CCHF, in a statement. “The public is now seeing behind the curtain and learning what HIPAA actually permits.”

“What emerges from this mass collection of data may, or may not be, in the patient’s best interest. But they aren’t being given a choice,” Brase added. “Patients have a human right to privacy, and the dignity that it protects.”

CCHF is urging its state legislators to prevent these types of partnerships in the state and to protect patient privacy by upholding the state’s medical record privacy law, in hopes that the law serves as an example for other states “to adopt similar privacy laws to shield their patients from HIPAA’s privacy violations.”

For Brase, it’s imperative these companies first ask for consent from the patient for access. The group recently sent a letter to the Office for Civil Rights Director Roger Severino urging the agency to voluntary patient consent requirements for the use and sharing of patient data.

“This means opt-in (consent), not opt-out (dissent),” Brase wrote. “OCR must also prohibit single-signature, bundled, consolidated (coercive) consent forms that include consent for treatment and consent for data sharing and more in a single form.”

“Patient data has become a valuable commodity -- a 21st century gold mine -- used for the profit seeking or healthcare rationing agendas of others,” she added. “The so-called HIPAA privacy rule is the source of this extraordinary violation of the privacy rights of every American, and we request that OCR take action to end the violation.”
