Committee readies recommendations to extend broad health privacy protections

The National Committee on Vital and Health Statistics is considering recommending extending the applicability of the federal rules that protect the privacy of individuals’ medical records.

The committee, which advises the Health and Human Services Department, issued a draft report full of recommendations on how medical records are used for purposes other than treating patients, such as for research and monitoring the quality of care.

NCVHS drafted the report, “Enhanced Protections for Uses of Health Data: A Stewardship Framework for ‘Secondary Uses’ of Electronically Collected and Transmitted Health Data,” in response to a request from the Office of the National Coordinator of Health Information Technology.

The document calls for extending privacy protections under the Health Insurance Portability and Accountability Act of 1996 to all users of health data. HIPAA’s coverage is limited to certain groups, primarily insurers and health care providers.

“The following observations and recommendations call for a transformation, in which the focus is on enhanced protections for all uses of health data by all users, independent of whether an organization is covered under HIPAA,” the report states.

Ways to accomplish that transformation are laid out in 13 pages of detailed recommendations, including these:
<li>Limit and control how so-called business associates with access to HIPAA-covered data use that data.</li>
<li>Strengthen regulation of Web sites that collect personal health information.</li>
<li>Provide more guidance to those covered by HIPAA on how to comply with it.</li>
<li>Require that users of personal health information outside HIPAA obtain patient’s authorization for those uses.</li>
<li>Enact more-inclusive federal privacy legislation, or at least expand the definition of covered entities under HIPAA.</li>

“There is an increasing need to adopt enhanced data stewardship principles by all entities that have access to health data, ...” the draft report states. “When an individual provides personal health information to anyone else, in any manner (e.g., in person or online), the information is provided in confidence and with implicit trust that the information will not be used in unintended ways.”

In the course of developing the report, the document states, the committee determined that the commonly used phrase “secondary uses of health data” is not a useful label. What one person regards as a primary use, such as billing for a doctor’s services, is secondary to another, the report states. Rather than distinguishing between primary and secondary uses of data, rules should cover all uses, it recommends.

The committee will receive public comments on the document in a telephone conference Oct. 31. It will consider revisions before delivering its recommendations to HHS later this year.