AHA Calls For OCR’s Reevaluation Of Online Tracking Guidance Amid Privacy Concerns

The American Hospital Association (AHA), which represents nearly 5,000 healthcare organizations, hospitals, health systems, affiliated physicians, nurses, and caregivers, has recently sent a letter to Melanie Fontes Rainer, the Director of the Office for Civil Rights (OCR). The AHA, an advocate for sound healthcare policy and quality patient care, set out its views on several recent OCR proposals to amend the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

In the comprehensive communication, the AHA conveyed its hearty endorsement for the OCR’s proposed rule aimed at enhancing privacy protections specifically within the domain of reproductive healthcare. This proposed rule, titled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” has been at the center of legislative discussions since its announcement in the Federal Register (88 Fed. Reg. 23506 (RIN 0945–AA20)) on April 17, 2023.

The AHA’s support for the proposed rule was reflected in the words, “The proposed rule will enhance provider-patient relationships by providing heightened privacy protections for information about care that is lawful under the circumstances in which it is provided, but may nonetheless get swept up in criminal, civil or administrative investigations.” The association accentuated the importance of privacy in engendering trust within the patient-provider relationship and highlighted how trust deficiencies could potentially ripple out into broader public health repercussions.

However, the AHA’s endorsement was counterbalanced by significant concerns about another part of the OCR’s policy framework: the December 2022 guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” That guidance interprets an Internet Protocol (IP) address as protected health information under HIPAA. The AHA contended that this interpretation is excessively expansive and warned of potential “significant adverse consequences for hospitals, patients, and the public at large.” Furthermore, the AHA argued that such a broad interpretation might inadvertently curtail public access to reliable and vital health information.

The December 2022 guidance issued by the OCR was a response to increasing incidents where patient data found its way to social media platforms via tracking technology installed on hospital websites and within secure patient portals. The guidance aimed to provide much-needed clarity regarding the regulations surrounding the usage of such tracking technologies by entities covered by HIPAA and their business associates. It emphasized that “regulated entities are prohibited from utilizing tracking technologies in ways that may lead to unauthorized disclosures of protected health information (PHI) to technology vendors or any other HIPAA rule infringements.” The guidance further underscored that any disclosures of PHI to technology vendors for marketing purposes, without a HIPAA-compliant authorization, would be viewed as unauthorized disclosures. Additionally, it mandated that entities covered under HIPAA must establish business associate agreements (BAAs) with technology vendors who handle PHI on their behalf for a covered function, such as healthcare operations.

Despite these explicit clarifications, the AHA called for the OCR to either suspend or significantly amend the December guidance. The AHA underscored the imperative for the OCR to acknowledge and adapt to the realities of online activity by hospitals and health systems, and proposed the OCR seek public comment before reissuing the guidance. This proposal suggests a more inclusive, democratic process, giving the public a voice in shaping regulations that directly impact their health information.

The letter from the AHA marks a crucial moment in the ongoing dialogue between healthcare providers and regulators. It illustrates the organization’s steadfast commitment to improving privacy protections in healthcare, while also cautioning about the potential unintended consequences of certain policies. The AHA’s recommendations may prompt further scrutiny and potential revision of the OCR’s December guidance. This interaction epitomizes the dynamic and evolving nature of healthcare privacy policies.