Healthcare Innovators and Investors, Take Note: The HIPAA Privacy RFI Can Benefit You

This past Friday, the Office of Civil Rights within the U.S. Department of Health and Human Services published a formal Request for Information on Modifying HIPAA Rules to Improve Coordinated Care. The RFI’s publication starts a 60-day comment period ending on February 12, 2019. As many of us prepare for the J.P. Morgan Healthcare Conference in January, and then HIMSS in February, savvy healthcare innovators and investors will recognize this RFI as an opportunity to help frame the discussion about how to lower privacy barriers to innovation, while maintaining important protections in this sensitive data area.


On a quick read, the 54 questions that the OCR poses in the RFI appear centered on the real and perceived regulatory burdens of certain data-sharing and notice practices arising from the HIPAA Privacy Rule. Officially, the “OCR seeks public input on ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of [protected health information (PHI)].” And, as Martha Stewart would say, “It’s a good thing,” because none of us reads the HIPAA privacy notices that healthcare providers are mandated to give us.

Healthcare Providers Outside HIPAA
On more substantive questions, the OCR asks how to improve the sharing of PHI with healthcare providers who might not be covered entities under HIPAA. Now the wheels start turning: a medical cannabis firm focused on chronic pain treatment may not process electronic claims with insurers, but would benefit from eased data-sharing for treatment; therapeutic genomic firms that deliver more effective personalized treatments might also be outside HIPAA, but still legitimately in a patient’s healthcare provider circle.

Product Development
Similarly, how should the Privacy Rule change to accommodate requirements of the 21st Century Cures Act? According to the FDA and the law itself, the 21st Century Cures Act “is designed to help accelerate medical product development and bring new innovations and advances to patients who need them faster and more efficiently.” Although the scope of the OCR’s question is limited to consistency with the recent “information blocking” rulemaking from the Office of the National Coordinator for Health Information Technology, commenters more focused on the FDA side of the Cures Act should consider how access to PHI could be enhanced for innovation while still protecting patient privacy.

Research Authorizations
Currently, researchers can use PHI if they receive a valid authorization from the patient. Without an authorization, an institutional review board (IRB) may waive the requirement, but limit available PHI to the minimum necessary. Given that OCR is seeking ways by which to improve patient care and contribute to a more efficient health system, researchers might seek ways in which authorizations could be expanded to permit unanticipated future projects or to grant broader data access when conducted under an IRB waiver. We have discussed the challenges of managing consents for genetic data in an earlier blog post.

Health IT Platforms
For those in the health-tech space (such as electronic health records [EHR], personal health records, and patient engagement applications), the OCR’s questions demonstrate a laudable desire to understand how EHRs really work and what future product plans anticipate, the level of data logging that exists, and whether anyone asks for an accounting of disclosures.

The Opportunity

HIPAA (1996) and the Privacy Rule (2000) date back perhaps two, if not three generations, when we think of healthcare advances. Meanwhile, legitimate patient opportunities to benefit from precision medicine, diagnostics, theragenomics, and data analytics have arguably been hampered, if not stymied, by the Privacy Rule’s data-sharing restrictions. Certainly, the FDA’s Common Rule protects trial participants, but there are troves of valuable PHI that might be used to further the goals of the OCR and the Precision Medicine Initiative without placing unreasonable risks on patient data.

Innovators and investors in the broad health sector have an opportunity to help frame a discussion that might otherwise be dominated by healthcare providers (covered entities) and patient-privacy advocates. This is a chance to demonstrate the benefit that the innovative stakeholders bring to the discussion, as well as the means by which researchers and other innovators can be good stewards of such sensitive personal information.