Data Privacy, Data Security, HIPAA/HITECH
Push Comes as HHS Steps Up Enforcement of Data-Sharing and Record Access Regs
A privacy-minded senator is pressuring U.S. health tech firms to give patients more control over where their data goes, framing the issue as a matter of national security as well as privacy.
Sen. Ron Wyden, D-Oregon, ranking member of the Senate finance committee, is pressing electronic health record vendors to build products with features that empower patients to better control how their health information is shared and accessed.
The push by Wyden comes as federal regulators have ramped up enforcement of regulations that promote the interoperability, secure exchange and access of patient data. That includes the Department of Health and Human Services in September announcing plans to “actively” enforce the 21st Century Cures Act of 2016’s information blocking rule, which aims to improve the flow of patient information for better care coordination.
“While interoperability improves care by enabling better data-sharing, it must be balanced with strong privacy protections for sensitive health information,” Wyden wrote.
Wyden contacted 10 EHR vendors – Oracle Health, Meditech, Altera Digital Health, Medhost, WellSky, Netsmart, McKesson, Veradigm, Athenahealth and TruBridge – urging the technology firms to offer patients “direct control” over which entities can access their healthcare information.
Epic, the largest vendor of EHRs in the U.S., informed the senator on Dec. 3 that the company was already addressing his patient data privacy control concerns with new features being added to their products.
The 21st Century Cures Act’s information blocking rule prohibits certified health IT vendors, healthcare providers and health information networks from “blocking” health information exchange, except for a handful of reasons, including privacy and cybersecurity (see: HHS Says It's Cracking Down on Health Information Blocking).
Also, the HHS Office for Civil Rights since 2019 has issued dozens of enforcement actions involving alleged violations of the HIPAA Privacy Rule’s right of patient access provision, which requires HIPAA regulated entities to satisfy, in a timely manner, patients’ – or their representatives’ – requests for their health information contained in a designated health record (see: Patients Still Struggle With Full Access to Health Information).
The office announced Tuesday its 54th enforcement action in a HIPAA right of access case. It involved a $112,500 settlement with Concentra, a Texas-based occupational health services provider that HHS said took about one year and multiple requests to provide an individual with access to his health information.
But with interoperability comes increased risk. “Today, the sensitive health data of the vast majority of Americans can be accessed by health providers in states across the country, regardless of whether those providers are actually treating the patient, or whether the patient has ever stepped foot in their state,” Wyden wrote.
A U.S. Department of Defense inspector general investigation in 2021 found that the health information of military personnel could be improperly accessed for “purposes of extortion, public embarrassment, or sale to others,” Wyden wrote.
“These issues underscore the need for interoperability frameworks that protect patient rights, ensure data isn’t misused and allow essential care to proceed without delay or fear of legal consequences,” Wyden said.
Epic, in a Dec. 3 letter to Wyden that the finance committee made public, said the Wisconsin-based EHR vendor is developing a new feature in its MyChart patient portal that “will help patients understand their options for data sharing and empower them to decide whether their medical records are shared across healthcare organizations.”
These include features that allow individuals to opt out of record sharing; allow individuals to “hide” their records’ existence from other healthcare organizations using the same EHR; provide individuals with a list of healthcare organizations using the EHR that have accessed their health information; and provide prompts for individuals to confirm their record sharing preferences when they receive sensitive categories of care.







