January 2, 2020
Only What Matters in Health Information Policy
Happy New Year! You may have read the many 2019 accomplishment lists and predictions for 2020. A few things to note:
Some say “big talk, little progress” on interoperability, but Neal Khosla notes in an interesting article that policy changes can drive massive change in the digital health arena.
Health care consumerism is expected to grow as consumers and software developers gain more access to information and payers make more consumer-focused decisions.
And, of course, there were multiple predictions about how tech companies will keep moving into the health care space with varying levels of success, including a nice list of the digital health mergers in 2019 that included Alphabet, Amazon and Apple buying digital health startups.
One Thoughtful Paragraph
California’s new Consumer Privacy Act (“CCPA”) just went into effect, so Californians can celebrate the new year by exercising their right to request that companies delete their personal information and/or refrain from selling it. “Personal information” is very broadly defined, and whether the CCPA or HIPAA governs health information in California is going to take more than a few lawyers to figure out. Indeed, entities that handle health data in California may need to comply with three privacy laws: CCPA, HIPAA, and the CA Confidentiality of Medical Information Act. Just these three have overlapping jurisdiction and non-aligned definitions. Several other states are poised to enact their own broad consumer privacy laws. How will multi-state businesses and consumers who occasionally leave their state figure out which laws apply and to what data? Congress is considering multiple proposals too -- general federal privacy laws and others that seek to protect health data that is not covered by HIPAA protections. Will a new federal privacy law help or further confuse things? And remember back in 2018 when the Office of Civil Rights issued an RFI about how to update HIPAA? Since that RFI, there have been multiple requests for comment in proposed rules asking basically the same thing -- how can we make HIPAA work in a mobile app world where so many companies create, store, analyze, and sell health care information? They may have asked: “How do you catch a wave and pin it down?” (Sound of Music reference -- holiday hazard.)