May 4, 2021

Robinsue Frohboese
Acting Director and Principal Deputy, Office for Civil Rights
U.S. Department of Health and Human Services (HHS)
Attention: RIN 0945-AA00
Hubert H. Humphrey Building
Room 509F
200 Independence Avenue, SW
Washington, DC 20201

Regarding: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM

Submitted electronically via www.regulations.gov
Dear Acting Director Frohboese:
Thank you for the opportunity to
provide comments on the Proposed
Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to,
Coordinated Care and Individual Engagement (NPRM).
The Florida Health Information
Management Association (FHIMA) is a nonprofit component state association of
the American Health Information Management Association (AHIMA), with more than
4,100 health information (HI) professional members statewide.
FHIMA affirms and supports the public
comments submitted by AHIMA in their March 22, 2021 letter to Acting Director Robinsue
Frohboese.
Like AHIMA, FHIMA represents
professionals who work with health information and health data across the
healthcare continuum of care. FHIMA’s mission is to “empower Health Information
Management professionals to impact health by advancing best practices.” We
empower people to impact health which “drives our members and credentialed HI
professionals to ensure that health information is accurate, complete and
available to patients and clinicians. Our professionals work at the
intersection of healthcare, technology and business and can be found in data
integrity, information privacy and security and revenue cycle job functions
worldwide.”
FHIMA actively supports value-based
healthcare, care coordination and case management communications among
individuals and covered entities (including hospitals, physicians, and other
health care providers, payors, and insurers). The proposals in this Notice of
Proposed Rule Making (NPRM) seek to address these areas while continuing to
protect the privacy and security of individuals’ protected health information.
FHIMA supports patients having timely
access to their own protected health information (PHI), and electronic
protected health information (ePHI), and data as a necessary foundation for
patient engagement. PHI provides patients and consumers with “a driver’s manual
and roadmap,” promoting a greater awareness and understanding into their own
health and healthcare options, as they work towards achieving better health for
themselves and their families.
Our FHIMA membership has asked us to
share a few additional public comments with the OCR and, wherever possible, to provide
examples. These public comments do not seek to replace those already offered
by AHIMA, which we fully support and affirm.
Rather, they are being submitted to offer additional thoughts on the proposed
rulemaking.
· The comments are divided into three main sections below:
o Section One addresses general public comments, and this section is further divided into eight general categories.
o Section Two addresses proposed legislation in the State of Florida in the areas of patient access, timelines, right to examine original medical records, fees, legal representative access to client’s medical records, etc.
o Section Three is an “ask” from FHIMA to expand the HIPAA Privacy Rule to include third-party application developers and their applications.
Section One: General Public Comments by category as follows:
1. Timelines:
o Recognition
and consideration that one size does not fit all “covered entities.” Depending
on their size and financial situation, some covered entities will have no
problem with this shorter timeline, while others will.
o For
example, covered entities may experience:
§ Lack of access
to up-to-date technology:
§ Perhaps assumptions
may have been made that all covered entities have access to technology, and if
they do, that this technology is kept up-to-date.
· For example, Matthew A. Michela, President and
CEO of Life Image, said in a statement, “The
medical imaging Data Company also found most healthcare groups aren’t using
digital technologies to share info with patients, with 66% still relying on
paper and 32% using CDs.”
· Recognition and consideration of the barriers
that hybridized legacy systems pose for covered entities, which complicate
searching multiple databases and systems to fulfill requests for records. An
informal poll indicates that some covered entities have anywhere
from eight to forty-three different databases they must search when processing
and fulfilling requests for medical records.
§ Lack of
Access to Broadband: Not all covered entities have access to broadband. Recognition
and consideration of the barriers posed by America’s digital divide. Digital
deserts affect care coordination and case management communications among
individuals and covered entities, so what would appear to be noncompliance by
the covered entity may in fact be the result of this divide.
· In conjunction with the Federal Communications
Commission (FCC), FHIMA has been educating and working with our Florida state
legislators on legislation to increase awareness of the need for improving
broadband penetration for Florida’s healthcare providers.
· For several years now, FHIMA has been
educating and working with the Florida Hospital Association and the Florida
Medical Association on Florida legislation and regulations in order to improve
and address access to broadband and telemedicine in Florida.
§ Lack of
Access to Trained Staff: Do all healthcare providers have access to trained
staff? Do they ever experience staff turnover and shortages affecting the
capacity to process and fulfill a fifteen-day turnaround time?
· Perhaps assumptions may have been made that
all covered entities have adequate, experienced, trained staff. For example,
one of our Florida trauma centers, which has a hybridized, legacy system,
receives and processes 12,000 to 14,000 medical record requests each and every month.
Recognition should be given to the volume of requests received, to
how this volume may affect the timeline, and to the financial burden it places on
the covered entity.
§ Recognition
and consideration of the barriers posed by America’s increasing healthcare cybersecurity
intrusions, including ransomware, and the issues these pose for the capacity
to fulfill a fifteen-day turnaround time. In some cases, patient records are
never recovered.
§ Recognition
and consideration of the barriers posed by America’s increasing medical
identity theft, which poses barriers both to the proposed fifteen-day timeline
for turning around medical record requests and to the privacy and security
of patient information.
· For example, a Florida patient applied for a
business loan at their local Florida bank. The loan was approved and the
patient was asked to come in to complete the loan process. While scheduling
this appointment, the individual said that it would be a couple of weeks before
he could make it in because he was currently in the hospital. The bank’s loan processor
was able to locate the hospital where the loan applicant was being
hospitalized. The loan processor completed the patient-directed access request to
a third party and sent it to the hospital, which in turn processed the request.
The information released to the bank’s loan officer contained substance abuse
medical records for the loan applicant. The loan was subsequently withdrawn by
the bank. This case is currently in litigation.
2. Strengthening the Access Right to Inspect and Obtain Copies of PHI
· “OCR proposes to require covered entities to
allow individuals to take notes, videos, and photographs using personal
resources after arranging a mutually convenient time and place for the
individual to inspect their PHI including points of care where PHI in a
designated record set is readily available for inspection by the patient.” FHIMA
“…supports the right of individuals to
inspect their PHI, however, we have concerns regarding how this provision might
be operationalized in a manner that minimizes provider burden and maintains
patient privacy. For example, this proposed requirement will require additional
training and education of all staff to ensure that a patient is only recording
their own PHI. For requests made during the point of care, we are concerned
that such a requirement could lead to workflow disruptions, taking providers
away from their operational purpose because responding to access requests are
not always in the clinical workflow. We are also concerned about the potential
for liability to a covered entity when certain elements of PHI have not been
incorporated into the record yet (e.g.—lab values, imaging, etc.) and an
individual takes a photo and/or video of their PHI which in turn, is relied
upon for care by another provider. Additionally, we seek clarity on whether
covered healthcare providers would be allowed under this provision to object if
an individual’s recording and/or photograph includes the provider.”
· To add to this, FHIMA is concerned about some
of the physical building structure requirements in operationalizing this
provision in the healthcare office setting. Is there enough of a private and
secure area for the staff and patient to allow for this function to be
conducted outside the daily workflow within the healthcare provider’s office? Once
again, one size does not fit all.
· FHIMA asks OCR to use care when adopting and
finalizing the NPRM provisions. Recent Florida proposals granting for-profit third parties
“access to examine original medical records” of their “clients” have taught us valuable
lessons and highlighted the risk that provisions of the NPRM may
inadvertently lend support to some of the more inappropriate provisions that
have been advanced in the Florida legislature by these for-profit third parties
(i.e., access to and examination of the original medical records of their “clients” by
the “client’s legal representative” within a specified timeline). See Section Two.
3. Privacy
and Security Barriers and Burdens on Patients and Covered Entities: AHIMA
offers education, training and certification in the privacy and security of
health information and data: “Certified in Healthcare Privacy and Security
(CHPS®).” Individuals who earn this AHIMA designation
will achieve recognition of their expertise in designing, implementing, and
administering privacy and security protection programs in all types of
healthcare organizations. Holders demonstrate advanced knowledge of the privacy
and security dimensions of HIM to include best management practices.
o Recognition
and consideration of the barriers and issues posed by the shortened fifteen-day
turnaround time to properly vet third-party security and access controls before
granting third parties access to electronic healthcare records portals and
databases (i.e., EHRs, systems, databases, and portals). Currently, Business
Associates (BAs) have to go through a rigorous vetting, screening, legal and
security background process before they are given access to a provider’s EHR
and portal.
4. Fees:
o OCR to
consider and recognize the financial paradigm shift that the proposed fee
structure would pose on covered entities who will now have to pay a business
associate to perform the release of information function, or the covered entity
will have to bring the release of information function back in house.
§ The
financial impact of the proposed fee structure would cause a paradigm shift.
For example, one of our Florida Level I trauma centers, which currently
outsources their release of information function to a HIPAA compliant third-party
business associate, would now have to pay their business associate to perform
the release of information function, or they would have to bring the release of
information function back in-house at an estimated annual cost of $2,500,000.
§ This
health provider has a legacy, hybrid system with multiple databases which
process approximately 12,000 to 14,000 requests for health information each and
every month.
§ “AHIOS
worked with Hemming Morse to study the financial impact of the NPRM. Using data from 14 AHIOS member companies,
which processed nearly 15 million records requests in 2020, Hemming Morse
estimates that finalization of the NPRM would create a shift in costs, which
could exceed $1 billion annually or more than $10 billion over the next 10
years, from commercial third-party requesters to hospitals, physician groups,
and other outpatient service providers.
Hemming concludes that, by applying the federal Patient Rate to TPDs for
PHI in EHRs, Commercial Third-Party Requesters will jump from patient
authorizations to TPDs, thus shielding themselves from paying state-regulated
fees. Further, history shows that when
Commercial Third-Party Requesters must pay for their requests, they limit the
size of their requests. Conversely, when
those requesters can get those records for free or close to free, the size of
the requests increases greatly.”
o The HIPAA compliant processing of requests for
PHI and ePHI and examination of original medical records is not without
associated costs. Fulfilling requests for third-party, for-profit businesses
not involved in care coordination, case management or patient care (i.e., life insurance
companies, banks, personal injury attorneys, all attorneys, other businesses,
etc.) puts added financial and economic pressures on healthcare providers.
Requests to be used for legal purposes require a “certified copy” of
their “clients” medical records for court.
o Additionally,
FHIMA requests that the associated costs be reimbursable to the covered entity
when it must use thumb drives, CDs, and other storage media to process and
fulfill requests for medical records in the form and manner requested.
5. Associated Costs of Proposed Rule: Statement of estimated regulatory costs (SERC)
o The “release
of health information” process and function has associated costs which have fiscal
and economic impacts on the healthcare provider community. Passing the proposed
language would cause a paradigm shift, which has a direct financial impact on
the healthcare provider industry. This proposed “fee” language in this area has
been the cause of much discussion, debate and proposed state legislation and
rulemaking efforts here in Florida. Please see section two below.
o FHIMA
requests recognition and consideration by the Centers for Medicare and Medicaid
Services (CMS) and OCR of the barriers and issues posed by the proposed
policies which would create a measurable financial paradigm shift and cost
burden on covered entities, including small healthcare providers, certified
electronic health records technology (CEHRT) businesses, covered business
associates and subcontractors.
§ “AHIOS worked with Hemming Morse to study the
financial impact of the NPRM. Using data
from 14 AHIOS member companies, which processed nearly 15 million records
requests in 2020, Hemming Morse estimates that finalization of the NPRM would
create a shift in costs, which could exceed $1 billion annually or more than
$10 billion over the next 10 years, from commercial third-party requesters to
hospitals, physician groups, and other outpatient service providers. Hemming concludes that, by applying the
federal Patient Rate to TPDs for PHI in EHRs, Commercial Third-Party Requesters
will jump from patient authorizations to TPDs, thus shielding themselves from
paying state-regulated fees. Further,
history shows that when Commercial Third-Party Requesters must pay for their
requests, they limit the size of their requests. Conversely, when those requesters can get
those records for free or close to free, the size of the requests increases
greatly.”
o FHIMA requests that the OCR perform
a fiscal analysis and economic impact statement on the direct economic impact on the healthcare provider community
prior to implementing the proposed HIPAA Rule fee
provisions (i.e., a Statement of Estimated Regulatory
Costs (SERC)).
§ Depending on the outcome of the Statement of Estimated Regulatory Costs (SERC), the Centers for
Medicare and Medicaid Services (CMS) could initially provide incentives to meet
the new HIPAA Privacy Rule program requirements.
§ For example, the Centers for Medicare and Medicaid Services (CMS) historically
offered providers the EHR Incentive Program (also known as Meaningful Use, or MU),
which initially provided incentives to accelerate the adoption of electronic health
records (EHRs) and to meet program requirements.
6. Patient Education:
o Organizations
like FHIMA, AHIMA, and others in the privacy and security space have been
providing consumers with patient education and information they need to make
informed decisions regarding their health information.
o FHIMA members request that the OCR assess its
current efforts to educate the public about how to ensure that their private
health information stays private.
o We need
the help of federal agencies, including ONC, OCR, the Federal Trade Commission (FTC), the U.S.
Department of Health and Human Services Office of Inspector General, and the
FCC, to provide search engines and algorithms that help consumers identify these domestic
and international APIs and applications, understand what privacy rights they may be giving
up, and measure the security of these sites.
o We recommend
that the HIPAA Privacy Rule be expanded to include the plethora of domestic and
global APIs, applications and companies that inundate and directly market to
patients in order to collect their health information. They have little to no knowledge
regarding health information privacy and security industry best practices. It
can be difficult for an average consumer to wade through the fine print and
technical terms these APIs, applications, and companies send to them or post
online. See Section Three.
o We
recommend that the policy makers create red flag rules and patient right of
action under HIPAA to seek remedies for damages if the patient is harmed.
7. Covered Entity Education (Actor):
o Organizations
like FHIMA, in collaboration with the Florida Hospital
Association, the Florida Medical Association, Florida’s legislators, the
Florida Justice Association, and others in the privacy and security space, have
been providing their employers and organizations with the education and information they
need to make informed decisions regarding health information.
o FHIMA members request that the OCR assess,
collaborate, and join in the effort to educate the public in order to ensure
that their private health information stays private and secure.
8. Alignment and Harmonization with Other Federal Rules:
o In
general, FHIMA professionals are concerned about certain aspects of this
proposed rule and how these aspects align cohesively with other federal rules
and provisions like OCR’s Cures Act Final Rule. We request that OCR give recognition and
consideration to harmonizing these rules and to how best to translate
these policy concepts into tools that better assist covered
entities.
o The lack
of harmonization of regulatory language and definitions between federal
statutes:
§ For
example: Harmonization of who is defined as the patient (individual)? Who is
defined as the patient’s personal representative? Who is defined as the
patient’s legal representative? Definition of a designated record set?
§ For
example: Harmonization of the timeliness of production of ePHI and PHI.
§ For
example: What are the unintended consequences of the designated record set
being a key component of the definition of electronic health information (EHI).
What was originally intended as a means to clarify the scope of an individual’s
right to access, amend, restrict and acquire an accounting of disclosures, has
become, under the ONC Cures Act Final Rule, what an actor must be able to
access, exchange and use for purposes of information blocking.
§ In some
cases, the proposed changes could not be complied with due to a lack of
documentation within the proposed shortened fifteen-day timeline.
Section Two: Florida specific proposed “patient access” legislation as follows:
Similar
proposed legislative language was filed during the 2017 and 2019 Florida
legislative sessions respectively. In all three years, 2017, 2019 and 2020,
this legislation has failed to pass and become law in Florida. The 2019 and
2020 bill versions passed the full House but failed to pass in the Senate.
Florida’s proposed
language in the 2020 version of the patient access bill would have caused added
confusion with Florida State, HIPAA, HITECH and other federal laws and
regulations. It would have created a paradigm shift of additional
administrative and technology costs and burdens on Florida’s medical provider
community, their patients and Florida’s healthcare system overall.
Florida
House Bill 1147 and Florida Senate Bill 1882 sought to amend and create new
Florida statutes regarding the definition of a “legal representative” and access to
medical records. The proposed bill would have created new Florida statutory language
giving “ALL legal representatives” and all requesters the access and the
right to obtain, via the patient portal, the current records of patients who have not been
discharged. Unfortunately, the amendments and new statutes in HB 1147
and SB 1882 would put greater administrative and financial burdens and expenses
on an already taxed medical provider community. If passed, it would have violated
patient privacy and the covered entities’ Security Rule provisions. The broad
nature and overreach of the bill’s proposed language reflects the true nature
and intent of the proposed legislation: providing statutory cover to for-profit,
third-party “legal representatives” who request “client” records for their own
financial gain and at the expense of the medical provider community.
So, the
point here is that Florida and other state legislatures are trying to advance
legislation that defines “legal representative” in the broadest possible way
and provides virtually unlimited and free access to their “client’s” protected
health record via the patient portal.
It is,
therefore, important that OCR’s proposed revisions to HIPAA be granular and make
it very clear that access remains the patient’s prerogative and that sound third-party
directed authorization practices are not compromised. OCR should not promulgate
changes that will open the floodgates to access end runs, such as those being
repeatedly attempted in Florida.
Other portions
of the proposed bill language that were most in need of review and discussion were:
1) HB
1147 and SB 1882 (2020) - Patient Access to Records and Timelines: The title
of this proposed bill is a misnomer and should be amended to reflect the true
nature and intent of the proposed legislation to read: “Legal Representatives
access to their client’s medical records within 14 days” at non-HIPAA rates and
access through web-based patient portals. Please refer to the new Section 5.
Section 408.833, Florida Statutes, is created to read: “408.833 Client access
to medical records. “ (Lines 192 – 221)
Attorneys
have “clients.” Healthcare providers do not have “clients.” They have
patients and residents.
Attorney
groups and other third-party business groups are seeking to redefine and
reclassify themselves as the “patient personal representative” so that they can
obtain “free certified copies” of their client’s medical records and have these
same rights of access and examine their “clients” original medical records
within a specified timeline for court and other legal purposes.
For
example: The proposed bill would have
created new Florida statutory language giving “ALL legal
representatives” and all requesters the right to access and
examine the current records of patients who have not been discharged, within specified
timelines:
· Facility: access to examine “clients” original medical records or microforms within 10 working days; provide copies of the requested records within 14 working days
· Nursing Home Residents: access to examine original requested records within 24 hours and provide copies of the requested records within 2 working days
· Healthcare Practitioner: access to examine “clients” original medical records, or microforms within 10 working days; provide copies of the requested records within 14 working days
2) HB
1147 and SB 1882 (2020) - The proposed bill would have eliminated current
Florida statutory language giving access to a person’s curator, personal
representative, parent of a minor, or to the next of kin of a decedent the
right to obtain patient records in violation of HIPAA.
3) HB 1147 and SB 1882 (2020) - The proposed
bill would have created new Florida statutory language giving “any and all legal
representatives” the same fee structure and right of access to their “clients”
web-based patient portal, or submission through a patient’s electronic protected
health record within 14 working days after receiving a written request.
Additionally, within 10 working days after receiving such a request from an
individual or an individual’s “legal representative,” a service provider shall
provide access to examine the original records in its possession, or microforms
or other suitable reproductions of the records.
For copies of records of care and treatment of a resident, the timelines
were reduced to 24 hours for access to examine the records and 2 working days to provide copies
of the requested records, respectively.
This
proposed language would have violated patient privacy and security since it
would have allowed any and all “legal representatives” who make requests to have the
same right of access to their client’s patient portal, as well as to examine the
original records in the provider’s possession. Currently, information in patient
portals is not partitioned off by date of encounter into a “designated record
set” for legal purposes. Patient portals were never technologically designed
for the courts, legal issues, and/or “legal representatives” to ask for and
receive access to certified copies of their client’s medical records. Rather,
patient portals include internal communications between patients and their
healthcare providers, appointment scheduling, healthcare records for continued
care, outside records and reports, ancillary services reports, insurance,
billing, payment information, and demographic information available to patients
via the patient portal.
4) HB 1147 and SB 1882 (2020) - The proposed
bill would have created new Florida statutory language as seen in Section 5:
408.833, Florida Statutes, is newly created to read: 408.833 Client access to
medical records. Number (1), (Lines 192 – 202). This newly proposed “legal
representative” definition is in direct conflict with HIPAA (see
below). This proposed language gives the
right to access and examine original medical records to “all legal representatives,” in violation of
the HIPAA personal representatives provisions, 45 CFR
164.502(g).
5) HB 1147 and SB 1882 (2020) - Fees:
The
process of retrieving, copying, and producing a medical record takes trained
professionals who understand the intricacies of federal and state privacy laws
to protect patient privacy. Not to
mention, these professionals also must be trained in various electronic health
record platforms as interoperability is still merely a goal. Also, many providers have legacy systems
which need to be checked when producing a record which requires the HIM
professional to have experience with multiple software systems.
The term
“Microforms” has been struck out of current F.S. 395.3025 for the sole
purpose of reducing copy costs to $2.00 for non-paper records, which in turn
could then be interpreted to include ePHI.
See Lines 91 - 96, Section 2. 395.3025 Patient and personnel records;
copies; examination: Number (1): “The licensed facility shall further allow any such person to examine
the original records in its possession, or microforms or other suitable
reproductions of the records, upon such reasonable terms as shall be imposed to
assure that the records will not be damaged, destroyed, or altered.”
Yet, the
term “Microforms” was added back into the newly proposed language under Section
5: 408.833, Florida Statutes, used to create: 408.833 Client access to medical
records: Number (3), Lines 215 - 219. This newly created language authorizes
the client or a “client’s legal representative” to: “(3) Within 10 working days after
receiving a request from a client or a client's legal representative, a
provider shall provide access to examine the original records in its
possession, or microforms or other suitable reproductions of the records.”
If passed,
the bill’s proposed language would make changes to copy fees as outlined under FS
395.3025 Patient and personnel records; copies; examination. Lines 69 – 96. It
would do away with the existing copy cost for microforms and create a legal
ambiguity for all non-paper copies subject to a charge not to exceed $2. This would create a legal black hole in which
legal battles will ensue, along with a financial burden on all facilities and
healthcare providers currently governed under FS 395.3025.
Section Three: FHIMA requests expansion of the HIPAA Privacy Rule:
Lastly,
FHIMA members encourage the OCR to bring our message to Congress to expand the
HIPAA Privacy Rule to include third-party applications and their application
developers in order to provide regulatory oversight and guidance regarding the
increasing commercialization and monetization of patient’s personal and electronic protected health information. These third-party
applications are being marketed to U.S. consumers both domestically
as well as internationally.
Currently, federal policy is squarely on
expanding access and removing barriers and relaxing guardrails. The Office of
the National Coordinator for Health IT (ONC) is encouraging the use of applications
and portals for patient access. Over the past year, there has been a 300%
increase in the rate with which patients and patient directed third-party
access are requesting and retrieving personal and protected health information and
electronic protected health information using applications and portals.
FHIMA requests that applications being marketed to consumers meet
HIPAA Privacy and Security Rule regulatory standards, that these applications be
HIPAA approved and certified, and that this certification be readily visible to
any consumer downloading any application which seeks to curate their PHI and
ePHI.
Guillermo Vargas, MISM, CEO, WeCcode says, “As an
experienced cyber security expert in the applications development industry, it
is critical to require developers to follow HIPAA privacy and security rules
when building application programs that handle ePHI. Such federal rules are
essential for the privacy and security of ePHI. My experience covers securing the
code for covid19resultsfl.com at the beginning of the pandemic, and by designing
a blockchain architecture for protecting ePHI at rest and in transit. With that
said, the need for HIPAA to regulate application developers dealing with ePHI
is critical, since there is nothing stopping the applications and their developers
from direct marketing and selling curated and harvested ePHI domestically and
internationally. It is impossible to protect the privacy of ePHI at the rapidly
increasing rate these applications are being created and directly marketed to
the consumer who seek to monetize their ePHI.”
§ One Example:
“Sen. Bob Menendez, D-New Jersey and Democratic New Jersey Reps. Bonnie Watson
Coleman and Mikie Sherrill sent a letter to the FTC, blasting certain
menstruation-tracking mobile health applications for failing to obtain user
consent before sharing sensitive information of women with outside parties.”
“The letter follows a recent lawsuit against Easy Healthcare, which owns the Premom
fertility applications. The filing alleges that the platform routinely shares
personal and geolocation information with three marketing, data collection,
and analytics firms with ties to China.”
“The lawsuit further claimed those Chinese firms were also allowed access to
sensitive user data, such as personal health interests, health, religion,
politics, and a host of other sensitive data.”
“Though alarming, multiple reports have found the majority of health and mental
health applications routinely share user data without consent or even
transparency about the practice. This can be attributed to many of these
applications falling outside of HIPAA regulations.”
“Thus, many of these consumer applications hold massive privacy gaps and concerns.
What’s worse, some of the most popular mHealth applications are vulnerable to
API attacks due to the use of hard-coded API keys and a number of security
oversights.”
§ Our members are increasingly aware that
patient information is being collected by a variety of companies and
third-party entities into their private databases through the use of APIs
and/or applications. These companies and third-party entities offer patients
“free services” or other inducements, such as “a free electronic medical
record and database services” and “free research services,” on the front end.
Our members also recognize the impact of the decisions EHR software developers
make to save on development costs at the patient's expense, and of how those
developers harvest and sell patient data on the back end under the upfront guise
of providing a patient with their own "free" and "personal"
electronic health record. Once the data has been acquired by the application,
patients are sometimes not even provided access to their own PHI, and the “free
electronic medical record and database services” and/or “free research services”
they were promised are not delivered.
§ Additionally, some of these third-party companies have made business arrangements
with other business associates to provide marketing links to their sites. One
third-party company's privacy policy states, under “Links to Other Sites,” that “We are
not responsible for the security or privacy practices of these sites, the products or
services offered by these sites, or the content appearing at these sites, and do not
endorse any of the products or services marketed at these other sites.”
§ Once acquired, these companies harvest and use the patient data and information
to monetize it on the back end for a variety of purposes. This is often done
without educating and fully informing the patient that their curated/harvested
health information will be “sold” on the back end once it is in the company's
database. What considerations and regulations are in place to inform, educate
and protect patients from these emerging trends?
§ Third-party businesses are collecting patient health information for business
purposes through use of a “patient directed access request” (e.g., life insurance,
mortgages, health insurance, bank loans, personal injury, employment, legal
purposes, and other business purposes).
o In addition, some of the aforementioned companies state in their policies that if
they decide to sell their API and/or applications and/or company, the
curated/harvested patient information transfers to the new owner/buyer.
o In addition, patients are being asked to agree to indemnify these companies and
their officers, employees, directors, and agents against any and all losses,
damages, liability and expenses. What protections do patients have in this case?
o Is there a “patient right of action under HIPAA” to seek remedies for damages if
the patient is harmed? If not, this should be remedied by providing a patient right
of action under HIPAA to seek remedies for damages when a patient is harmed by these
practices.
o Recognition and consideration should be given to providing more granular patient
consent regarding third-party access in certain defined situations. Specific
definitions should be created documenting patient directed third-party access.
In closing, we recognize that both the passage of time and the development of new
technologies will keep us moving forward in these areas. This is inevitable. As we
do so, we must keep the patients’ right to timely access to, and examination of,
their medical records, as well as the privacy and security of their PHI, at the
forefront of all regulatory decision making.
Once again, we thank you for the opportunity to comment on this proposed rule.
Like AHIMA, FHIMA looks forward to having the opportunity to work with OCR to
ensure the finalization of this rule and its subsequent implementation. Should you
need any additional information, please contact: Dee Kring, CAE, CMP, Executive
Director, FHIMA Central Office | 325 John Knox Road, Ste. L103, Tallahassee, FL
32303 | Office: (850) 205-5644 | Email: executivedirector@fhima.org
Thank you.
Respectfully submitted,
Jennifer Schunke, MS, RHIA, FHIMA President/Director
Lesly Carreras, RHIA, CCS, FHIMA President-Elect/Director
Lee Starling, JM, RHIA, FHIMA Past President/Director
Dee Kring, CAE, CMP, FHIMA Executive Director
Glenneta “Nitta” Thompson, MBA, RHIA, FHIMA Chief Delegate/Director
Linda Renn, RHIT, CHPS, CCS, CPC, CPC-H, CHTS-TR, FHIMA Advocacy and Public Policy Chair; AHIMA Advocacy and Public Policy Committee Member
Attachment: Florida HB 1147 (2020), Patient Access to Records