This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.
| 1 minute read

Proposed rulemaking reveals tension between privacy and patient access

Comments submitted last week from groups representing health care providers, patient advocates, and app developers reveal the divide over how far the changes in Federal rules should go to address the tension between rules permitting greater patient access to their medical records and the privacy afforded by the Health Insurance Portability and Accountability Act (HIPAA). Those comments were in response to “Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement,” from the Office for Civil Rights. 86 Fed. Reg 6446 (January 21, 2021).

Some groups, like the Association of American Medical Colleges (AAMC), support giving patients greater access to and control over their own health records but expressed concern about the increasing access to protected health care information from entities such as personal health application developers. Unless such entities are subject to HIPAA privacy and security standards, the AAMC wrote, "there is a real threat that the lack of appropriate patient privacy protections will erode any gains in patient engagement." 

And the other side of the coin was expressed in comments from app developers who believe the proposed rule changes do not go far enough. They argue that health information exchanges and networks, certified electronic health record vendors, and providers' other business associates could block requests for electronic health information from individuals, or from apps or services acting on a patient's behalf.

The proposed rule would allow patients to view and capture personal health information by, for example, taking notes, videos, or photos. The Medical Group Management Association recommended that OCR "allow clinicians to use their personal judgment in deciding when to allow patients to take photos or videos of their PHI at the point of care." 

Universal support was expressed for the OCR proposal to no longer require patient signatures on notices of privacy practices that will be provided to patients or their representatives.

It is worth following this issue to see how the final rules will impact this inherent tension

Hospitals and medical groups said that easing the exchange of health information and allowing patients greater access to and control of their health records could enable better care coordination and management. But they're worried about giving more access to smartphone apps and other entities that aren't covered by the Health Insurance Portability and Accountability Act.


privacy, hipaa, health care & life sciences, emerging technologies