Stream: patient empowerment
Topic: Awaiting "HIPAA 2"? Comment on THIS
Dave deBronkart (Sep 21 2020 at 23:32):
Yes, important! (I'm renaming @Virginia Lorenzi's thread to be legit clickbait.) It's from Aug 26 but didn't get attention here, and the deadline for comment is Friday.
"Collaborative Group Proposes Self-Regulatory Model & Standards Focused on Non-HIPAA Health Data"
... eHI and CDT released A Draft Consumer Privacy Framework for Health Data ... a description of health data that warrant protection, as well as the standards and rules that should govern them. ... also includes a self-regulatory model...
Specifically, from that link: (emphasis added)
... with the rise of wearable devices, health and wellness apps, online services, and the Internet of Things (IoT), extraordinary amounts of information reflecting mental and physical wellbeing are created and held by entities who are not bound by HIPAA obligations. This issue has only gained importance in the last several months, as new regulations will also be moving HIPAA-covered medical records into this commercially-facing and unregulated space.
?! I did not know that new regs will be moving covered data into this unregulated space. What's up with that?
From the main document again:
The public is invited to review the draft framework and offer constructive feedback by Friday, September 25, 2020. ... Alice Leiter at eHI (alice@ehi.org) or Andy Crawford at CDT (acrawford@cdt.org), or visit https://www.ehidc.org/resources/draft-consumer-privacy-framework-health-data.
Virginia Lorenzi (Sep 22 2020 at 00:26):
I just learned in the PAC that they will extend for them. So feedback would be good.
Dave deBronkart (Sep 22 2020 at 01:39):
You mean they'll allow feedback beyond this Friday 9/25?
Josh Mandel (Sep 22 2020 at 02:36):
I did not know that new regs will be moving covered data into this unregulated space. What's up with that?
This is misleading.
- New regulations give patients the right to share their data -- the regulations by themselves don't move data; patients do.
- Some parties (e.g., hospitals) receiving patient-shared data have obligations under HIPAA as they always have; other parties receiving data have obligations under FTC jurisdiction. In both cases there is some regulatory scheme that applies.
Josh Mandel (Sep 22 2020 at 02:37):
(I shared this feedback during a previous round of edits, but it looks like the published recommendations did not incorporate.)
Josh Mandel (Sep 22 2020 at 02:43):
The bottom line for me, and the point on which these recommendations all fall flat, is the idea that we can somehow carve out certain data as "health data". The truth is that any PII-level consumer data may be relevant to health.
Furthermore, creating new obligations for non-HIPAA-covered entities would tilt the playing field significantly, basically giving hospitals, health systems, and insurers much more room to maneuver (e.g., because they still get to share data under HIPAA TPO, or bundle up "deidentified" data to sell -- and their competitors wouldn't be allowed to).
Virginia Lorenzi (Sep 22 2020 at 07:35):
Yes, beyond Friday
Last updated: Apr 12 2022 at 19:14 UTC