Privacy and Security

State of Play:  In March, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notification of enforcement discretion for telehealth remote communications during the COVID-19 nationwide public health emergency.  The exercise of discretion applies to widely available communication applications, such as FaceTime or Skype, when used in good faith for any telehealth treatment or diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19.  Additionally, OCR issued guidance to help ensure first responders and others receive protected health information (PHI) about individuals exposed to COVID-19.  Congress enacted the Coronavirus Aid Relief and Economic Security Act, which includes a provision to align 42 CFR Part 2 with the Health Insurance Portability and Accountability Act (HIPAA), with initial patient consent.

HLC Position:  HLC leads a broad group of organizations, collectively known as the Confidentiality Coalition, to ensure that policymakers strike the right balance between the protection of confidential health information and the information-sharing needed to provide high quality of care.  The coalition is active with Congress and the administration on policies related to data exchange, privacy, data security, and cybersecurity.  Members believe that regulatory clarity is key to enabling health information flow and support efforts to create a uniform national privacy standard that does not conflict with the HIPAA privacy rule, rather than having inconsistent and differing state laws that currently supersede federal regulation.

HLC Recent Activity:

  • In April, the Confidentiality Coalition communicated with ONC and CMS, requesting an extended time period — a minimum of 12 months — for compliance with and enforcement of each requirement specified in the interoperability rules, in light of the COVID-19 pandemic.
  • In March, HLC met with staff from OCR to explain the barriers to information flow imposed by the Telephone Consumer Protection Act and encouraged OCR to work with the Federal Communications Committee to eliminate those barriers.
  • On February 12, the Confidentiality Coalition testified before the House Committee on Veterans’ Affairs Subcommittee on Technology and Modernization about data privacy and portability at the Veterans Affairs Department. The coalition expressed strong support for federal legislation to protect non-HIPAA health data in a manner that harmonizes with the existing HIPAA framework.
  • On January 24, the Confidentiality Coalition wrote the House Energy and Commerce Committee on its draft privacy legislation. The coalition advocated for bipartisan, robust federal consumer privacy rights and protections.
  • On January 7, the Confidentiality Coalition met with the Office of Management and Budget (OMB) to discuss privacy-related concerns with the ONC and CMS interoperability and information-blocking proposed rules.
  • On January 7, the Confidentiality Coalition met with OMB to discuss privacy-related concerns with the CMS interoperability and patient access proposed rule.
  • On October 25, HLC submitted comments in response to SAMHSA’s proposed rule related to the confidentiality of substance use disorder patient records. HLC supported alignment of 42 CFR Part 2 with HIPAA for treatment, payment, and healthcare operations and urged SAMHSA to make additional modifications within its authority.
  • The Confidentiality Coalition continues to hold meetings with staff in the House and Senate as Congress considers national privacy legislation. In these meetings, the coalition emphasizes the importance of streamlining privacy laws across states to ensure the flow of appropriate health information necessary to improve health and healthcare.
  • On September 18, the Confidentiality Coalition presented on the regulation of health information exchange at the “Data Privacy Conference USA,” sponsored by Forum Europe.
  • The Confidentiality Coalition established principles on privacy and security of health data not regulated by HIPAA. These “beyond HIPAA” principles are being shared with federal policymakers.
  • On July 30, Confidentiality Coalition Chair Tina Grande presented on the privacy and security implications of draft 2 of the Trusted Exchange Framework and Common Agreement (TEFCA 2.0) at the Workgroup for Electronic Data Interchange (WEDI) Summer Forum.
  • On July 17, HLC attended a listening session on interoperability of medical devices, data, and platforms to enhance patient care hosted by the Food and Drug Administration (FDA) and the Networking and Information Technology Research and Development (NITRD) National Coordination Office (NCO), National Science Foundation.
  • On June 17, the Confidentiality Coalition responded to a request for comment on TEFCA 2.0. The coalition recommended that TEFCA policies and procedures related to privacy and security align with HIPAA.  The coalition also urged the Office of the National Coordinator for Health Information Technology (ONC) to work with states’ governors through the National Governor’s Association to emphasize the importance of harmonizing states’ privacy laws.
  • On June 11, HLC signed a multistakeholder letter supporting an amendment to the fiscal year 2020 Labor, Health and Human Services Appropriations bill that strikes the prohibition on HHS spending any federal dollars to promulgate or adopt a national patient identifier.
  • On June 6, HLC commented on Senator Lamar Alexander’s (R/TN) and Senator Patty Murray’s (D/WA) draft “Lower Health Care Costs Act.” The letter noted privacy and security concerns related to using an application programming interface (API) to provide access to third party applications that are not subject to federal privacy and security laws.
  • On June 3, the Confidentiality Coalition submitted comments in response to ONC’s proposed information blocking and interoperability rule. The coalition commented on the privacy and security exceptions related to information blocking.
  • On June 3, the Confidentiality Coalition submitted comments in response to CMS’s proposed rule on interoperability and patient access. The coalition supported private sector collaboration with technical assistance from HHS on the identification and collection of a common set of data elements using federally adopted standards to improve patient matching.
  • On May 16, the Confidentiality Coalition hosted staff from ONC who presented on the Trusted Exchange Framework and Common Agreement (TEFCA).
  • On May 7, the Confidentiality Coalition submitted a statement for the Senate Committee on the Judiciary hearing, “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” The coalition supported the Federal Trade Commission’s oversight of personal health records that reside in non-HIPAA-covered entities.
  • On May 22, HLC and America’s Health Insurance Plans cohosted a privacy and security workshop at the WEDI Spring Conference. Tim Noonan, acting deputy director, health information privacy at the Office for Civil Rights (OCR), spoke at the workshop, giving an update on OCR’s current activities and future policy areas to be addressed by the agency.
  • On March 22, HLC responded to a request from Senator Mark Warner (D/VA) asking what healthcare entities are doing to protect patient information and essential operations from cyberattacks. HLC supported a national strategy to reduce cybersecurity that fosters a value-based healthcare system, efficient interoperation of health information technology, engaged and active patients, and trust among all participants.
  • In February, HLC began cochairing the Workgroup for Electronic Data Interchange (WEDI) Privacy and Security Workgroup.
  • On February 27, the Confidentiality Coalition wrote in support of the U.S. Senate Committee on Commerce, Science, and Transportation hearing on “Examining Policy Principles for a Federal Data Privacy Framework in the United States.” The coalition encouraged a federal data privacy framework that is consistent nationally and includes similar expectations of acceptable uses and disclosures for non-HIPAA covered health information.
  • On February 26, the Confidentiality Coalition wrote in support of the House Energy and Commerce Committee hearing on “Protecting Consumer Privacy in the Era of Big Data.” The coalition encouraged consistent privacy rules so that persons and organizations not covered by HIPAA that create, compile, store, transmit, or use health information operate under a similar expectation of acceptable uses and disclosures.
  • On February 11, the Confidentiality Coalition submitted a response to the Office for Civil Rights’ request for information on the Health Insurance Portability and Accountability Act.