News

The HIPAA Rules generally do not protect the privacy or security of your health information when it is accessed through or stored on your personal cell phones or tablets. The HIPAA Rules apply only when PHI is created, received, maintained, or transmitted by covered entities and business associates. For example, the HIPAA Rules do not protect the privacy of your Internet search history, information you voluntarily share online, or your geographic location information. In most cases, unless the app is provided to you by a covered entity or its business associate - PDF, the HIPAA Rules also do not protect the privacy of data youve downloaded or entered into mobile apps for your personal use, regardless of where the information came from.The information that your device or apps collect about you may be viewed or collected by other entities or used by the device or app vendors to send you specific ads. It may also be sold to a data broker, someone who obtains and shares consumer information without their knowledge, often selling it for marketing or other purposes. Although the HIPAA Rules do not protect this information, there are steps that you can take to increase the privacy of your information when using your personal mobile device.

The AMA has warned (PDF) regulators that the lack of digital privacy can damage the patient-physician relationship – and the urgency of this threat is much greater with the downfall of reproductive rights. We are grateful that the Biden Administration immediately recognized that these issues have moved from theoretical to frighteningly real. The new guidance makes it clear that physicians are not required to disclose private medical information to third parties and provides patients with tips on the use of personal cell phones and tablets. The AMA has identified and recommended (PDF) additional actions to increase transparency on what apps are doing with medical information.

The wild west of health data has led to numerous smaller-scale scandals over the years: Googles effort to build up its health care business with millions of patient records from Ascension drew criticism. Flo, which makes a period-tracking app once again in the spotlight, settled with the Federal Trade Commision last year over allegations it misled users about the privacy of their data. And just weeks ago, an investigation revealed major hospital systems were sending health information to Facebook, which experts said could be in violation of HIPAA.

A national strategy for patient identification is essential for connecting the fragmented health care system, while making it safer and more efficient for patients and health providers.

Along with banning the sale of location and health data by data brokers, the act would require the Federal Trade Commission (FTC) to promulgate rules for implementing the law within 180 days. The FTC would make certain exceptions for HIPAA-compliant activities, authorized disclosures, and protected First Amendment speech.

If we frame consent not as a bureaucratic speed bump, but as the first step in a trusted relationship between patients and researchers, the goal shifts. Instead of thinking about how to build an assembly line of consent forms, we start thinking about how to enrich relationships.

I reached out to Kaiser Permanente and received an email from Ken Robinson, MD, the physician lead for Systems Solutions & Deployment at Kaiser Permanente Southern California. He explained how they improved their system after asking the hard questions.“We learned that not all organizations require password authorization,” he said, a fact that was met with initial skepticism and even alarm by many in the organization. But they investigated the regulatory situation and found no compelling reason to keep password authorization for most order entry needs.

In January 2022, ONC issued a Request for Information (RFI) that sought public input on the ONC Health IT Certification Program and how it could incorporate standards, implementation specifications, and certification criteria related to electronic prior authorization. Shortly thereafter, ONC charged the Health Information Technology Advisory Committee (HITAC) with providing input and recommendations in response to this RFI. The Electronic Prior Authorization (ePA) RFI Task Force of the HITAC led consideration of the charge and developed a report and recommendations that were recently approved by the full HITAC.

Common phrases like “presenting complaint” or “the patient denies” can sound judgmental or doubtful of patients.

Among them arewhat he referred to as the Cures Act penalty enforcement gap. Namely, as Becerra explained, civil monetary penalties for not complying with information-sharing requirements have only been established for technology developers and health information networks. “It left the provider penalty up to me: the secretary of the Department of Health and Human Services,” he said. This is an issue, he noted, because more than 75% of the complaints submitted to ONC have been about providers and most have come from patients. Information blocking, he said, leads to stress for patients and families, along with frustration for staff.