Patient Privacy News

AMA Shares Privacy Principles for Non-HIPAA Covered Entities, Data

Designed to empower patients with more control over the data collected about them, new data privacy principles from AMA target health data collected by non-HIPAA covered entities.

By Jessica Davis

The American Medical Association unveiled a set of privacy principles for non-HIPAA covered entities, designed to empower consumers with more control over the health data collected about them. AMA will leverage the insights to engage the administration, Congress, and other industry stakeholders.

Enacted in 2009, HIPAA does not apply to several key instances of health data generated in the modern digital age. For example, the Department of Health and Human Services has clarified that protected health information shared with a third-party app chosen by the patient is not covered by HIPAA.

More specifically, “If the individual's app – chosen by an individual to receive the individual's requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.”

In light of these gaps in HIPAA, Congress and industry stakeholders have been steadily working to craft federal privacy legislation. For AMA, it’s crucial that potential legislation “protects the sacred trust at the heart of the physician-patient relationship.”

AMA’s newly released privacy principles are designed to fuel the privacy conversation and ensure patients are empowered with controls over their health data that falls outside of HIPAA, as well as transparency into how that data is being used and who has access.

The push for contact tracing apps amid the COVID-19 pandemic is further driving the need to ensure individuals remain in control of their data and feel confident their information will be secure.

“Patients’ confidence in the privacy and security of their data has been shaken by repeated technology sector scandals and the wired economy’s default business model that quietly gathers intimate glimpses into private lives - often without patient knowledge, consent or trust,” AMA President Patrice A. Harris, MD, said in a statement.

“As a result, patients are less willing to share information with physicians for fear that technology companies and data brokers will have full authority over the use of their indelible health data,” she added. “Unfortunately, recently finalized federal regulations will make this more likely to happen.”

The privacy principles are aimed at data not previously considered personal but that could be personally identifiable, such as IP addresses and advertising identifiers from mobile devices, and center around individual rights, equity, the responsibility of non-HIPAA covered entities, applicability, and enforcement.

The goal is to shift the responsibility for privacy from the individual to the data holders, including the third-party vendors accessing the data of individuals. Any violation of these rights would result in robust enforcement of penalties.

For individuals, those rights would include knowing the exact information an entity can access, use, disclose, or process, as well as the purpose, at or before data collection begins. Consumers should also have the right to control those uses, including secondary uses and beyond, and to be notified within a reasonable timeframe when changes to those policies occur.

Further, the principles assert that data should be secured and shared at a granular level, rather than at the document level, while individuals should have the right to delete their data across the entity’s services, “including when the entity goes out of business or is bought out by another entity.”

The principles also outline rights of access and data extraction, opt-in and opt-out rights, private right of action, privacy waivers, the de-identification of data, and disclosures.

“Individuals who access their medical records using apps should have mechanisms to annotate—but not change—the copy of the record they hold,” according to the principles. “These mechanisms should track who made the annotation, when, how, and why.”

Equity is also a key piece of the privacy principles, as “healthcare information is one of the most personal types of information an individual can possess and generate — regardless of whether it is legally defined as ‘sensitive’ or protected health information under HIPAA—and individuals accessing, processing, selling, and using it without the individual’s best interest at heart can cause irreparable harm.”

Any privacy law should take several equity factors into account, including vulnerable populations, low-income individuals, and other potentially discriminatory profiling.

“Because low-income individuals and other vulnerable populations have fewer resources and tools at their disposal to effectively assert their privacy rights, purchase technology with the most advanced and up-to-date privacy and security technology, and recover from harmful invasions of privacy, privacy frameworks (legal or otherwise) must advance policies to benefit individuals of all income levels,” according to the principles.

“For example, the AMA would not support a policy in which paid apps provided greater privacy protections than free apps,” it continued.

Notably, the principles would apply to all entities that access, use, transmit, and disclose data, including business associates covered by HIPAA. However, any forthcoming privacy legislation should exempt HIPAA-covered providers given current obligations to the privacy regulation.

The principles also apply a carve-out for local, state, and federally sponsored registries and medical specialty-run registries, which will be deemed compliant with impending privacy legislation if they’ve established a Data Governance Council, which must include patient representatives and established practices for sharing registry data.

However, some health conditions, like HIV or substance use disorder, may need more restrictive privacy safeguards, according to AMA.

“The delicate balance between privacy and data protection on the one hand, and the protection of public health on the other, presents a number of challenges,” said Harris.

“The AMA’s privacy principles provide a meaningful framework to guide data collection efforts, privacy legislation, and public health plans to help ensure that steps we take now will not unfairly and disproportionately impact vulnerable populations down the road, but rather will instill trust in the systems we establish to help keep people safe and healthy,” she concluded.