Resources

Do you process health data? If so, the proposed Health Information Privacy Reform Act (“HIPRA”) may impact you. Most people recognize the standards under the Health Insurance Portability and Accountability Act (“HIPAA”) as providing adequate protections to individuals’ personal health information. However, HIPAA does not cover every instance where health data exists. Health data that exists outside of typical patient-provider interactions and healthcare facilities, such as in a healthcare app or smartwatch, are not necessarily covered by HIPAA. The Health Information Privacy Reform Act (“HIPRA”) was introduced last November to account for the technology that has changed how individuals access their health data. As a result of the privacy concerns surrounding this technology, HIPRA seeks to extend protections to health data that is currently not protected under HIPAA. 

The key provisions under HIPRA are as follows:

Increased Privacy Protection

HIPRA seeks to increase privacy protection, in part by introducing new definitions regarding applicable health information (“AHI”), regulated entities, and service providers.

“AHI” is defined under HIPRA as all information that “identifies an individual or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual, and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and may include information […] that was not created or received by a health care provider, health plan, employer, or health care clearinghouse.” This definition indicates that protections under HIPRA would apply to information beyond what is considered patient health information (“PHI”) under HIPAA.

HIPAA applies to covered entities (i.e. health plans, healthcare providers, and healthcare clearinghouses) and business associates. HIPRA broadens the scope of HIPAA by establishing privacy standards for regulated entities and their service providers. A “regulated entity” is defined as “a natural or legal person that, alone or jointly with others, determines the purpose and means of processing [AHI]”, and a “service provider” is “a natural or legal entity that processes [AHI] on behalf of a regulated entity and that is not a covered entity or business associate.”

Privacy, Security, and Breach Notification

HIPRA requires the Secretary of Health and Human Services (“HHS”) to promulgate regulations setting forth privacy, security, and breach notification standards for the processing of AHI by regulated entities and their service providers. These standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with” the protections under HIPAA and section 13402 of the HITECH Act. For example, regulated entities and service providers would be required to disclose how a user’s health data will be used and disclosed. HIPRA affords users the right to receive a privacy notice from the regulated entity, access to their AHI, amend or delete their AHI, and requires that AHI be portable.

Access Requirements

HIPRA also establishes rights and requirements regarding access to certain PHI. For example, when an individual requests that a covered entity or business associate transmit, produce, or provide access to a copy of the individual’s PHI to a person or entity, the request must meet the requirements of a valid authorization under HIPAA.

HIPRA authorizes covered entities and business associates to require the receiving party to pay or to accept terms, limitations, and conditions of use and disclosure when transmitting, producing, or providing access to PHI. 

Patient Notifications

For regulated entities and service providers who gain access to an individual’s PHI through the patient right of access under 45 CFR § 164.524, such entities or service providers must issue a written notification informing the patient that the PHI will no longer be subject to protection under HIPAA and how and to which entities such PHI may be redisclosed. Further, any regulated entity or service provider must obtain an individual’s consent before selling their PHI to a third-party.

When a regulated entity or service provider offers digital technology that generates wellness data, the entity must provide notification that the data will not be subject to HIPAA and offer an opportunity for the user to opt-out of the wellness data generation.

De-Identified Information

HIPRA also requires the Secretary of HHS to promulgate regulations establishing unified national standards for rendering AHI as de-identified information within one year of HIPRA’s enactment.

The de-identification standards must be equal to or more stringent than the standards under HIPAA. Specifically, these standards must address the use of privacy-enhancing technologies and specify that the information provided by a regulated entity, service provider, covered entity, or business associate to another person or entity is not considered de-identified unless the recipient agrees, in writing, to not re-identify the information. 

National Academies of Sciences

HIPRA requires the Secretary of HHS to engage the National Academies of Sciences, Engineering, and Medicine within 60 days of its enactment to conduct a study on the potential risks and benefits of paying compensation to patients for sharing their identifiable data for research purposes.

Enforcement

The protections outlined in HIPRA are enforceable by the Secretary of HHS and the Federal Trade Commission (“FTC”). Those in violation of HIPRA may be subject to civil penalties and sanctions.

Companies who run healthcare apps, sell wearables and process health data should closely monitor this expansion of patient privacy protection. If adopted, those impacted should take the appropriate steps to ensure compliance with HIPRA, such as updating any operations manuals or compliance documents. 

To learn more about the Health Information Privacy Reform Act, and how its adoption could impact you, please contact BMD Member Jeana Singleton at jmsingleton@bmdllc.com or Attorney Kate Crawford at khcrawford@bmdllc.com.