The American Medical Informatics Association (AMIA), a non-profit organisation dedicated to developing biomedical and health informatics to improve patient care, recently called on the Trump administration to reform data privacy rules in order to better serve the privacy of individuals.
In particular, AMIA called on the administration to examine both HIPAA and the Common Rule with the goal of creating an integrated approach to privacy that includes both the healthcare and consumer sectors. HIPAA Rules cover the protection of data in the healthcare industry, while the Common Rule covers the protection of human subjects in research.
AMIA’s comments are in response to a request for comments (RFC) by the National Telecommunications and Information Administration. The NTIA sought feedback on how consumer privacy can be protected and advanced while also protecting innovation. In a letter to the NTIA, AMIA explained that its comments are informed by extensive experience of dealing with both HIPAA and the Federal Protections for Human Subjects Research (Common Rule).
Many critics say that failures in data protection arise from a medley of federal and state regulations that complicates compliance and creates information-sharing challenges, which result in ‘perverse outcomes’ due to different interpretations of existing privacy policies.
AMIA illustrated the problem of the current patchwork of privacy policies by comparing the HIV/AIDS data policies of Pennsylvania and New Jersey. Although they are neighbouring states, Pennsylvania and New Jersey have very different policies on how this sensitive data may be handled. If an HIV/AIDS patient from Pennsylvania were to visit a hospital in New Jersey, information on their HIV/AIDS diagnosis would not be accessible by clinicians in New Jersey, even though the information has high importance in treatment decisions. The patient would also be unlikely to receive their data from the New Jersey hospital to take back to their healthcare provider in Pennsylvania.
In its letter, AMIA encouraged the administration “to ensure that federal rules lay a common foundation across jurisdictional and geographic boundaries while also providing a process for jurisdictions to address local needs and norms.”
AMIA also highlights the potential inadequacies of HIPAA regulations. Written in 1996, HIPAA is often criticised for being out-of-date and unable to properly protect patients in a time when technology is becoming an integral part of the healthcare system. When HIPAA was written, most medical records were stored on paper, doctors didn’t have to worry about the risks of sharing data over phone or email, and there was very little chance that medical devices could be hacked and data stolen on a massive scale. AMIA cites the gaps that are present in healthcare data policy as major risks to the integrity of protected health information.
The changes made to HIPAA through the introduction of the Privacy Rule have ensured that patients have access to their health data and greater control over what is done with that information. Many experts now call for similar rights and protections for consumers.
While AMIA does not suggest that either HIPAA or the Common Rule should be applied to the consumer data ecosystem, both “should serve as important and informative inputs to [the] conversation on consumer data privacy.”
AMIA has called for the Federal Trade Commission (FTC) to develop a consumer data strategy that “Supports trust, safety, efficacy, and transparency across the proliferation of commercial and non-proprietary information resources,” and suggests that the time is right to develop an “ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations.”
“We applaud the administration for initiating this long overdue conversation. As the lines between consumer and clinical devices continue to blur, the need for harmonized federal policy becomes more pronounced,” said Douglas B. Fridsma, MD, PhD, FACP, FACMI, AMIA President and CEO. “Just as we strive to ensure that patients have access to and control over their data, we must strive to deliver the same for consumers. The administration should learn from the health sector and develop improved privacy policies across all sectors of the economy.”