HHS Urged to Update HIPAA to Protect Patient Medical Records
The data sharing deal between Google and Ascension Health raises patient privacy concerns.
After a patient data sharing deal came to light between Google and Ascension Health, the Citizens’ Council for Health Freedom (CCHF) says the federal government needs to update the Health Insurance Portability and Accountability Act (HIPAA) to allow patients to opt in—not opt out—in such arrangements and to outlaw coercive consent forms.
CCHF president and co-founder Twila Brase sent a letter December 6, 2019 to Roger Severino, director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), detailing why the law should be revised. The letter says HIPPA is too permissive and, along with Electronic Medical Records (EHRs), “establishes unconsented access” to private medical records.
Data Mining Patient Records
CCHF sent the letter days after a November 2019 Wall Street Journal (WSJ) report about a data sharing agreement between Google and Ascension Health, a large private health organization. Ascension Health will transfer the data in question, including patient names and private medical records of approximately 50 million people from 21 states, to Google through March.
In a blog post, Google stated the goal of the project is to develop “an intelligent suite of tools for clinicians, including a tool that aims to make health records more useful, more accessible and more searchable by pulling them into a single, easy-to-use interface for doctors.”
The WSJ article says Google is not charging for the service, which Brase says is telling.
“Patient data is the 21st century version of gold, so they don’t need to charge for it,” said Brase on The Heartland Daily Podcast.
“[They can] rummage through our records to do data mining, to figure out algorithms through artificial intelligence, to essentially create a brand-new business for themselves on the use of patient data,” Brase said. “[They can] do predictive analytics to see how expensive patients are going to be in the future.”
HIPAA Not About Privacy
Brase says HIPAA does not protect patient privacy, as many people assume. According to Brase, HIPAA is “a notice of disclosure practices over which [patients] have no consent.”
Brase refers to the documents patients are required to sign at visits as “single-signature coercive consent forms.” The HIPAA privacy rule, which became law in 1996, requires patients to “opt-out” of information sharing.
In its letter, CCHF says it believes the Ascension-Google arrangement is legal because both companies refer to the 400-word long list of “health care operations” under HIPAA, including 65 non-clinical business, like Google. A health care operation is a “covered entity” authorized to disclose or receive health information without individual consent.
“The shocking disclosure that the Ascension health care system is sharing the medical records of 50 million people in 21 states with Google shows clearly that HIPAA does not protect patient privacy, was never written to protect patient privacy, and has been used to deceive Americans into believing they have privacy rights when they have none,” the letter stated.
HHS is Investigating
According to a November 2019 WSJ article, the OCR is seeking “to learn more information about this mass collection of individuals’ medical records.”
Brase says it is a perfect time to review HIPAA.
“Privacy rights are less about privacy than they are about control,” Brase said. “We say ‘he who holds the data, holds the rules.’ It’s about the reach into the exam room.”
The CCHF letter states Google and Ascension Health are not alone in sharing patient medical records. Technology companies are making similar deals with other health care organizations.
“What emerges from these intrusive enterprises may or may not be in the patient’s best interest – but patients aren’t being given a choice,” the letter stated. “They have been stripped of their rights. Their data is not theirs. They have no control – because of HIPAA.”
Ashley Bateman (firstname.lastname@example.org) writes from Alexandria, Virginia.
Citizens’ Council for Health Freedom Letter to Roger Severino, Director, Office for Civil Rights, U.S. Department of Health and Human Services, December 6, 2019: