The COVID-19 pandemic has exposed numerous shortcomings in planning for, and operating during, a global crisis of this magnitude.
In the United States, personal protective equipment, ventilators, virus tests and ICU hospital beds remain in short supply. Public health authorities also have an increased need for more big data so trends can be mapped and resource allocations can be determined on a continuing basis.
The collection of this data, while justified on national emergency grounds, also has raised concerns regarding how much of it will be collected in aggregate and anonymously, and how much will entail sensitive health information to profile individuals who have been infected or recovered from COVID-19.
Contact tracing data also may help determine those who have been in direct contact with someone who has tested positive.
The good news is that the United States has a well-crafted federal law in place that has served us well for several decades. Although some exceptions are being carved out given the current emergency, they are being done with precision and respect for the overall bedrock privacy principles for this sensitive category of personal information.
The Health Insurance Portability and Accountability Act (HIPAA), a law enacted during the Clinton administration with broad bipartisan support, is nearly 25 years old. It has stood the test of time — even now. The law protects health insurance coverage for workers and their families when they change or lose their jobs, which is vital as unemployment figures skyrocket on a weekly basis.
A central feature of HIPAA that also is critical now is its Privacy Rule, which regulates the use and disclosure of protected health information (PHI). PHI is any information held by a covered entity regarding health status or healthcare provisioning that can be linked to any individual (e.g., a medical record or medical payment history).
The rule is expansive in defining a covered entity, too; healthcare clearinghouses, employer-sponsored health plans, health insurers, and medical service providers both within and outside hospitals and clinics are included, as are independent contractors that have business relationships with any of them.
The healthcare community is required to respect PHI in a number of different, complementary ways. Generally, disclosure by a covered entity requires written authorization from the individual for the disclosure, and in any event, only allows providing the minimum necessary information required to achieve its purpose.
A covered entity also must notify individuals regarding how their PHI is being used, and enable an individual to correct any inaccurate PHI.
And there is enforcement of HIPAA through the Department of Health and Human Services Office for Civil Rights, and in some cases, by the Department of Justice Criminal Division. There is some debate regarding how vigorous the enforcement activities have been, given the relatively small amount of human and financial resources at hand to deal with tens of thousands of privacy complaints that are filed each year.
This deficiency seems real, and is worthy of a budget increase as part of any COVID-19 funding package that is introduced in the coming weeks.
Even with this situation, HIPAA has had a significant positive effect within the healthcare community, by creating a respect for personal health information that is greater than that afforded to other types of personal information.
The combination of government policing and covered entity self-policing has created a durable health information ecosystem where relatively few bad-faith violations occur, and where public confidence in providing PHI remains high.
COVID-19 presents a real-time stress test to determine how effective HIPAA really is during a crisis of such large magnitude. The need for flexibility in applying the law when emergency circumstances arise was addressed in a 2013 rule change that permits waiver of HIPAA provisions under these circumstances.
This was done when Hurricane Harvey struck in 2017, and of course, most recently as COVID-19 rapidly spread across the country.
Yet even in these circumstances, the HIPAA waiver has not been a blanket one that tips the balance against individuals in favor of government officials who request both general and specific health information to help confront the epidemic.
Rather, the general principles of confidentiality and transparency remain intact, while a specific enforcement moratorium is tailored narrowly. For example, there will not be any penalties for independent contractors that disclose PHI to public health authorities if such disclosure is done in good faith and the healthcare provider in that relationship is informed within 10 business days.
But other requirements under the Privacy Rule are still subject to full enforcement, including important security and breach notification requirements.
In short, there seems to be an effective safety net in place regarding the collection and dissemination of PHI.
As post-pandemic measures are considered, legislatures would be well advised to consider whether the framework, history and application of HIPAA’s Privacy Rule during these trying times offers a starting point for crafting any new privacy laws that cover personally identifiable information outside the healthcare realm.
We may well have before us a template that can serve as a broader policy foundation once new laws are being developed, whether by individual states or by Congress if a federal approach is pursued.