Q&A: World Privacy Forum’s Pam Dixon

Health Oversight Waiver Opens Door to Broad Uses of Private Data

By Myrle Croasdale

To fight COVID-19, the federal government recently waived enforcement penalties for failing to comply with some patient-privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA).

The first of these waivers has been beneficial, said Pam Dixon, executive director of the World Privacy Forum, a nonprofit research group in San Diego, Calif., focused on privacy in the digital age.

One makes it easier for providers to release information to a patient’s family and friends. Another expands telemedicine.

Others, however, have raised concerns. 

The latest waiver allows community-based COVID-19 testing sites to operate without enforcement of the HIPAA privacy and security rules. Is there reason to be concerned?

Yes. The HIPAA privacy and security rules will not be enforced for the mobile community-based testing sites, which has many implications.

For example, there can be fewer controls to prevent the public from viewing who is getting tested — and no enforcement at this time for not adhering to (privacy) security rules.

A mobile testing site could be in a parking lot, for example, and any physical privacy buffers are only a recommendation, not a requirement.

People already have had their photos taken while getting tested for COVID. Under ordinary circumstances, this would not be happening. People need to feel safe and trust in the health-care system.

For anyone concerned about the privacy of a COVID-19 test, a better option is to be tested at their provider’s office, where HIPAA privacy and security rules will still be enforced. 

This waiver and the business associate waiver are too broad.

What’s at stake with the business associate waiver?

This waiver is unprecedented due to its breadth.

The waiver allows business associates to use or release patients’ protected health information under certain circumstances for public-health or health-oversight purposes without the health-care provider’s prior approval.

The business associates have 10 days to notify the health-care provider after the fact.

Right now, the public still trusts their doctors. But if the public understands their information can be released to public-health and health-oversight authorities — not by their provider, but by business associates they may not even know — that trust could be in jeopardy. 

Think of a large hospital and the many businesses that provides its services. An electronic health-record provider, for example, has access to copious amounts of health information.

It can share the data for a health-oversight activity without getting any permission from the hospital. It only has to tell them within 10 days.

“Health-care oversight” encompasses many activities, such as authorities looking up people on the deadbeat dads’ list or quality-assurance auditors looking for Medicare fraud.

These are legitimate activities in a health-oversight context. But do we need them for providing public-health authorities with the information they need for a COVID-19 emergency?

How should the business associate waiver be changed?

This waiver should be narrowed to sharing only with federal, state and local public-health authorities.

Providers should be able to veto the sharing of their patients’ data by business associates, or they could be notified concurrently with the data-transmission.

Ten days is a long time for a provider to not know about a business associate sharing patient data.

How have business associates reacted to this waiver?

Right now, the business associates I have spoken with are concerned.

They think the waiver could cause a loss of trust with the providers they serve, so they are planning on being very cautious and not abusing this emergency action.

Myrle Croasdale is a Minnesota writer.

Sources (external links):
HHS.gov: HIPAA waivers in place for the coronavirus pandemic 
HHS.gov: Business Associate HIPAA Waiver during COVID-19 pandemic 
HHS.gov: HIPAA Community Based Testing Site Waiver during COVID-19  
Worldprivacyforum.org: WPF Statement on the COVID-19 Community Based Testing Sites HIPAA Waiver
Worldprivacyforum.org: WPF Statement on COVID-19 Business Associate HIPAA Waiver

Filed under: