LYMEPOLICYWONK: Why HIPAA privacy rules must not be eroded
By Lorraine Johnson
When you walk into a doctor’s office these days, you’re handed a sheaf of papers related to something called HIPAA—the Health Insurance Portability and Accountability Act.
HIPAA has to do with patient privacy, including questions of who has access to your personal medical information.
It is regulated by the Office of Civil Rights (OCR), which is part of the US Department of Health and Human Services.
OCR has proposed changing the HIPAA privacy rules, in ways that LymeDisease.org believes will harm patients.
In our view, the changes would make it harder for patients to access their own healthcare information. The new rules would also make it easier for private patient healthcare data to be shared with others without the consent of the patient, and more difficult for patients to determine who their healthcare data has been shared with.
Today, we filed comments with the OCR objecting to these changes.
Patient privacy needs more protection, not less
We live in a time where the intersection of technology and healthcare creates both enormous opportunities for patients as well as extraordinary risks that patient privacy may be eroded through the non-consented sharing of personal healthcare data by others.
Our patient registry, MyLymeData, is a good example of the types of opportunities that patients have to pool their data to look for a cure.
However, non-consented sharing of private healthcare data is fraught with peril, because those obtaining the data might not use it for the benefit of patients. Personal health data can be misused to stigmatize patients, discriminate against them or to diminish their concerns.
Patient data can also be used to further commercial interests, for instance, to promote profit motivations of the pharmaceutical industry or by insurers to deny patients coverage.
LymeDisease.org developed strong data privacy standards for MyLymeData. Patients consent to enroll in the registry and the data in the registry may only be used for the benefit of the patient community. MyLymeData vets researchers as well as the use of data. MyLymeData does not sell data to pharma or provide it to insurers or any others with a commercial agenda.
Data is both knowledge and power
The comments we submitted reflected these principles—which essentially say that patients should be at the center of data sharing. Data is both knowledge and power. Patients should own and control that power to make certain that data sharing benefits rather than harms patients.
Privacy, stigma, and discrimination are major concerns for the Lyme community, particularly for those with chronic Lyme disease. We recently surveyed more than 1,900 patients enrolled in the MyLymeData registry on the topic of privacy, data use, trust, discrimination and stigma. Our comments to the OCR reflected both our strong belief that data sharing should be patient-centered as well as the results of our survey.
In the survey, most patients (78%) said they were concerned about privacy in Lyme disease. Survey participants also said that they face disrespect and discrimination both within and outside the healthcare system and worry that healthcare data might be used to discriminate against them by employers and insurers.
I will dedicate another blog post to the survey results. In the meantime, we invite you to read our comments to the OCR here: HIPAA comments by LymeDisease.org
See our one-page summary of our Privacy Survey here: MyLymeData Privacy Study
Lorraine Johnson, JD, MBA, is the Chief Executive Officer of LymeDisease.org. You can contact her at email@example.com. On Twitter, follow her @lymepolicywonk.