COVID-19: Evolving Regulatory IssuesMari Savickis and Cassie Leonard of CHIME on Patient IDs, Contact-Tracing Apps
The COVID-19 pandemic has spotlighted an array of evolving patient privacy issues that legislators and regulators will need to address in the year ahead, say government policy experts Mari Savickis and Cassie Leonard of the College of Healthcare Information Management Executives.
For instance, the pandemic has underscored the need for Congress to finally lift a more than 20-year-old funding ban on the Department of Health and Human Services developing or adopting a unique patient identifier, Leonard says in an interview with Information Security Media Group. She says an identifier would help to match all the right records to the right patient to ensure appropriate care.
"The longstanding language in the federal budget has really hampered the ability of HHS to advance a nationwide patient identification strategy, including the adoption of a unique patient identifier," she says. says.
"It's lead to a huge patient safety concern ... and a privacy issue. As a patient, you don't want your data to be in someone else's record. And the pandemic has made this patient safety and privacy issue more important. With a vaccine for COVID-19, we need a system to ensure the right dosage is given to the right person at the right time."
HIPAA, enacted in 1996, called for creation of such an identifier. However, since 1998, Congress has banned HHS funding for a unique patient identifier, citing privacy concerns.
While the House of Representatives has voted two years in a row to remove federal budget language prohibiting HHS from working on a unique patient identifier, the Senate voted in 2019 and 2020 to keep the provision in place (see: Bill Would Kill Prospect of National Patient Identifier).
"It's the Senate's job now to follow suit" by lifting the ban in the year ahead, Leonard says.
Meanwhile, COVID-19 contract-tracing applications have also introduced an array of privacy issues, Savickis says in the same interview with ISMG. "Where is the data going when you're downloading a contact tracing app? That information may include health-related information that may not be governed by HIPAA in many cases," she says.
"We have two parallel but unequal tracks to the way health information in this country is treated," she says. "We have those who are guardians of the data that must comply with HIPAA, and then there's an entire burgeoning sector - technology companies, third-party apps - that are taking consumer information ... and that does not fall within the purview of HIPAA."
In the interview (see audio link below photo), Savickis and Leonard also discuss:
- Other privacy and security issues involving COVID-19;
- Challenges faced by healthcare sector entities in complying with HHS' interoperability and information blocking final rules, which go into effect in April 2021;
- The impact of HHS' recent changes to the Stark and anti-kickback regulations to allow donations of cybersecurity technology and services to physician practices.
Savickis, vice president of public policy at CHIME, previously, she led health IT and HIPAA advocacy at the American Medical Association. She also served roles in the Centers for Medicare & Medicaid Services and the Office of the National Coordinator for Health IT.
Leonard is the director of congressional affairs at CHIME. Previously, she served as healthcare legislative assistant for Sen. John Kennedy, R-Louisiana and was a legislative assistant for Rep. Ed Whitfield, R-Kentucky.