Big Data: Will the Omnibus HIPAA Rule bring America closer to protecting personal privacy?

As the world becomes more connected, and individuals lives more public through the social media, the protection of personal privacy becomes a major concern for those in the healthcare field.  The health care industry is moving large amounts of patient data, also known as big data, into electronic health records (EHRs) and personal health information (PHI) and storing the information with remote cloud services.[1] The switch to electronic data gathering and cloud storage comes with both exciting advances in health care but also presents a substantial risk to personal privacy.[2] The Health Insurance Portability and Accountability Act (HIPPA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) have aimed to safe guard the mass of information technology that is gathered in the health industry.[3] However, the question remains – is it enough? 

America has been slow to recognize the individual right to health information privacy compared to other industrialized countries, most notably the European Union (EU).[4] The EU established a basic right to personal privacy as a fundamental value at the Council of Europe Convention in 1950, which automatically encompassed health information when the need arose.[5] Conversely, America established the right to privacy through common law and slowly covered more facets under that basic right to privacy.[6] It was not until the passage of HIPPA as amended by HITECH that America recognized the right to health information privacy.[7] The historical differences lead to two very different viewpoints of how health information would be perceived.  America assumes that the information will be gathered and then attempts to protect the individual down the line through a down stream model.[8] On the other hand, the EU does not make this assumption and attempts to protect the individual from the accumulation process all-together.[9]

Under the American framework, health information was originally stored on site with the health care provider.[10] However, this method quickly became expensive and hard to manage, so health providers began using cloud storage with off site third party carriers.[11] Under the omnibus HIPPA rule, the third party entities, or business associates (BA), are considered to be down stream from the health care providers and fall under the realm of HIPPA liability.[12] The HIPPA rule also proscribes liability to not only BA's who access and use data regularly, but also those that simply maintain the health information.[13] The heightened security level hinges on the persistence of custody, not the degree of access.[14] Further downstream, HIPPA also covers the BA's subcontractors under the scope of liability as long as they are a person whom a [BA] delegates a function, activity, or service.[15] There is one major uncertainty to the omnibus HIPPA rule in regards to downstream liability: if the cloud service provider maintains encrypted health information without key access, it is unclear if the company will fall under HIPPA liability.[16]

On the other hand, the EU protects the individuals' privacy from the beginning by carefully considering and enumerating the circumstances where PHI can be gathered.[17] Instead of encouraging complete medical records to be stored, the EU deploys modules pertaining to different types of information.[18] For instance, a “vaccination module” will store information that is only relevant to vaccinations.[19] Further, the modules have strict guidelines on who can access them and for what reason as well as how long the data controller can maintain the PHI.[20]

HIPPA and the amended HITECH laws have brought America closer to protecting personal privacy, but there is still a long way to go.[21] The American down-stream protection scheme may never fully protect individuals.  The more people who are allowed access to PHI, the more chances a breach will occur.  The solution perhaps rests in the EU framework which encourages protection from the very start by limiting what can be gathered and where it is stored.

Andrea Torgrimson is a current student at DePaul University College of Law.  Ms. Torgrimson received her Bachelor of Arts in Political Science from The University of New Mexico.  She will obtain her J.D. Degree with an emphasis in health care law in 2017.

Resources [1] Janine Hiller, et al, Privacy and Security in the Implementation of Health Information Technology: US and EU Compared, 17 B.U. J. Sci. & Tech. L 1, 1 (2011). [2] Id.  [3] Id. at 2. [4] Id. at 31. [5] Id. at 21. [6] Id. at 30. [7] Id. [8] Id. [9] Id. [10] Frank Pasquale & Tara Adams Ragone, Protecting Health Privacy In an Era of Big Data Processing and Cloud Computing, 17 Stan. Tech. L. Rev. 595, 598 (2014). [11] Id. at 596. [12] Id. at 608. [13] Id. at 611. [14] Id. [15] Id. at 613. [16] Id. [17] Supra, note 1. [18] Id. [19] Id.  [20] Id. [21] Supra, note 10.