With the COVID-19 pandemic upending the normal routines of millions, commotion and confusion unfortunately rule the day. Much of the country is severely curtailing travel and abstaining from visiting healthcare providers unless a severe emergency arises, leading providers to adopt telehealth and remote patient monitoring solutions to handle more routine cases. However, the embrace of these virtual technologies brings to the fore longstanding uncertainties about data that leaves the auspices of traditional medical providers.
As we have long pointed out, the current privacy architecture for health data is suboptimal. While the personal information of patients that is generated or resides within traditional healthcare institutions is subject to privacy protections under the Health Insurance Portability and Accountability Act (HIPAA), that protection typically lapses as soon as it leaves the institution. That means that data generated when a patient and provider use a third-party company to virtually connect for a check-up might not be covered by any particular privacy law – which not only degrades a patient’s privacy rights, but it also might prevent providers from fully embracing these technologies to provide important, potentially even life-saving, services.
Thankfully, the Office for Civil Rights (OCR) at the Department for Health and Human Services (HHS) recently announced that it would institute “discretionary enforcement,” meaning it will not impose penalties on providers for using certain kinds of communication technologies that are not covered by Business Associate Agreements (BAAs) to virtually connect with patients during the crisis. The announcement specified that the communications technologies to which the discretion applies are those that enable truly private video conferencing, including FaceTime and Skype—but do not include public-facing platforms like TikTok. The announcement is helpful because it removes a bit of uncertainty for providers who have always balked at talking to their patients using the communications methods patients are accustomed to using in their daily lives.
But while this is a welcome, if temporary, development, it underscores the confusing nature of the status quo. With all the commotion surrounding this crisis, should patients and providers really be expected to be aware of minor rule changes or enforcement reprieves? We need a federal law that provides a clear, fair, and permanent set of expectations for health data — which currently traverses a range of differing regulatory jurisdictions depending on the kind of company processing it.
Unfortunately, Congress is mired in a seemingly intractable fight over a handful of key issues that have so far resisted fruitful negotiation. In a recent bit of news you may have missed, Senate Commerce Committee Subcommittee on Manufacturing, Trade, and Consumer Protection Chairman Jerry Moran (R-KS) added his own federal privacy bill, the Consumer Data Privacy and Security Act, to the logjam of similar measures, unfortunately failing to meaningfully bridge the gap between the two parties on any of the issues that continue to divide them. Chairman Moran had long been expected to introduce the measure in tandem with Senator Blumenthal (D-CT), which could’ve carved a bipartisan path forward.
While states could step in while Congress works on a comprehensive fix, their involvement layers on an additional level of complication. The California Consumer Privacy Act (CCPA) is setting the de-facto national standard for now, but that arrangement is unlikely to last. Indeed, Washington state recently came within a whisker of passing its own comprehensive privacy law that would’ve conflicted with CCPA in numerous ways. On one hand, a Washington bill could’ve represented a positive development if Washington lawmakers were able to craft a balanced measure that provided a tenable blueprint for states across the country and Congress to eventually take up. On the other, the conflicts with CCPA might’ve hamstrung compliance efforts for an untold amount of time. In the end, the same issues that have prevented Congress from acting bogged down the Washington effort.
In this moment of turmoil, healthcare providers and patients are leveraging telehealth, remote patient monitoring, and condition management technologies to practice safe public health that benefits us all. It is unacceptable that unclear data privacy rules may undermine these efforts. For the small businesses and app developers that comprise the connected health ecosystem, it’s clear that the best path forward is for Congress to step up to provide certainty for all.