Just a few short months ago, we held a webinar on the battle between privacy vs. access. And access was winning. The push towards digitization and automation favors access, and with regulations like the Cures Act focused on enhancing patient access to health information, access was the focus.
But now? Privacy has clawed its way to the top and it doesn’t seem like it will be stepping down any time soon.
PRIVACY VS. ACCESS: IS IT A FAIR FIGHT?
We talk a lot about the battle between privacy and access but really, privacy and access are just two sides of the same coin. Peanut butter and jelly. Ketchup and mustard. Toast and avocado. You can’t have one without the other. The goal is not for one to reign victorious over the other, but rather to find the perfect balance between the two.
But that perfect balance is hard to find, and we as a healthcare community have not figured out how to do it just yet. So in the meantime, the pendulum will continue to swing back and forth, with the hope that one day we can find the middle ground where privacy and access are perfectly in sync. For now, it’s privacy’s turn in the spotlight.
QUESTIONS AROUND PRIVACY IN THE SPOTLIGHT
Google “Dobbs decision and privacy” and you’ll get 6.5 million results and counting. No matter which side of the issue you’re on, it’s undeniable that the decision raises a number of legal questions around patient privacy.
There are privacy protections in HIPAA, but there are also exceptions for certain law enforcement purposes. So how will this work as the enforcement of the Dobbs decision begins to take shape?
HIPAA, unsurprisingly, leaves a lot of grey area here. HHS recently released some new guidance on the HIPAA privacy rule, but it’s just that – guidance. There is not any clear legal precedent yet on patient data and how it can or cannot be used in the enforcement of the Dobbs decision. But in the meantime, you can be sure that this ongoing debate will keep a spotlight on privacy that won’t dim any time soon.
PRIVATE EYES ARE WATCHING YOU
We’ve all had the experience of searching for something online, say a new pair of running shoes, then having ads about running shoes pop up as we scroll through social media and search the web later that day. But what about when this happens with patient data?
A recent article uncovered how patients are unknowingly giving up certain privacy protections by accepting terms and conditions that allow their health information to be used for advertising purposes. While the patient has technically consented in this situation, when’s the last time anyone you know read through the long list of terms and conditions as part of a check in process at a doctor’s office?
And even more disturbing, another article discovered tracking software on hospital websites that was being used to send data to Facebook. In this instance, the intended use of the data is not clear, but the mere fact that sensitive health data is being shared without any patient consent is certainly cause for alarm.
These issues are exploiting loopholes in HIPAA, and adding to the ongoing conversation on privacy. As a result of this recent publicity, situations like this will likely come under more scrutiny, and we would not be surprised to see more strict guidelines released in the future that limit these types of activities.
INTENT: THE GREAT EQUALIZER
The key to finding the middle ground between privacy and access is intent. When considering record requests, ask these two questions:
- What information is being requested?
- Why is this information being requested?
When a patient or another provider is the requestor, the answer to intent is straightforward and undeniably positive – to improve a patient’s outcomes and advance their clinical care.
But when you get into other types of requests, intent is often much less clear. As we explored above, intent can include reasons like law enforcement or advertising. For example, is advertising warranted when it’s used to educate a patient about personal risk factors and potentially improve outcomes? Maybe. What about to advertise a drug based on a patient’s condition? That’s more debatable.
You can argue either way on most of these issues and that’s exactly why there’s so much discussion about them. But coming back to the question of intent is a good way to begin to untangle the right balance between privacy and access.