WPF responds to HHS and urges it to keep privacy protections in HIPAA strong

WPF has written to the US Department of Health and Human Services advising them on their Request for Information (RFI) about possible changes to HIPAA privacy and security protections. The RFI has a number of suggestions that, should they become part of a formal proposal, would significantly weaken HIPAA privacy protections.

Of the proposals in the RFI that affect privacy, we are most concerned about the possibility that HHS would make disclosure of health records mandatory for treatment, and possibly also mandatory for healthcare operations. A requirement for mandatory disclosure of patient health records, even for treatment purposes, would significantly weaken privacy protections. In our comments, we explain why.

Currently, the HIPAA rule is permissive, not mandatory. A provider today can say to a patient, with a straight face for the most part, that the provider will not disclose that patient’s record without legal compulsion. But a provider could no longer reassure a patient that the patient’s record will be held to the highest possible level of confidentiality if any treating physician anywhere in the country (or in the world) could demand disclosure for treatment of another patient.

We observe that even the existing rule allows for a middle ground. It allows treating physicians to consult with each other without any exchange of identifying information about any patient. There is no need to go beyond the existing compromise.

Compelled, mandatory disclosures for treatment will open the door to conflicts that cannot be resolved by other means. There will be no middle ground available. One provider will simply demand production of a patient record, and the other provider will have no choice. There needs to be some give in the system to cover hard cases, and the current rule is adequate for that purpose.

The only exception to consider is that if the disclosure of a patient’s records is for the treatment of that same patient, then compulsion may be appropriate with the written consent of the patient. There is no need to balance interests when only one patient is involved, and especially when that patient consents to the disclosure.

We have urged HHS not to weaken the provisions of HIPAA and to leave HIPAA disclosures as they are now: permissive, not mandatory. To read about this issue in more detail, along with other privacy implications of the RFI, see our complete comments, listed under Related Documents below.

Related Documents

Read: WPF Comments to HHS RFI regarding possible changes to the HIPAA privacy and security rule (PDF, 20 pages)