This is good news. I'm glad to see the AMA step up as they realize patients are understandably "less willing to provide health information to physicians, as they are worried that the information may not remain private & confidential and may even be shared with tech companies." https://twitter.com/PlanetHIPAA/status/1260559577327767553
What a dream it would be if patients were given "meaningful control over their healthcare data and will be told, in clear and easy to understand language, exactly how their health data will be used and with whom that information will be shared."
And as a reminder, this info isn't protected, we need it to be: "data that has not historically been considered to be personally identifiable such as IP addresses and mobile phone advertising identifiers but could in fact be used to identify an individual."
I like that the AMA (doctors) recognizes that patients' records are their own. But I will have to wait to see if they will "protect against healthcare data being used to discriminate against individuals." MedEd has a lot of work to do in training doctors about discrimination.
I've wanted "tough penalties to be imposed and for there to be robust enforcement of any new national privacy legislation" but this remains to be seen. @HHSOCR (HIPAA enforcers) doesn't currently enforce HIPAA to the full extent as it is - deferring to drs over patients.
Going to go through the list of principles they propose.

"1. Individuals have the right to know exactly what data of theirs an entity is accessing, using, disclosing, and processing—and for what purpose—at or before the point of collection."
This is good. This speaks to some of the issues I brought up yesterday about not knowing what is in your record because it's hidden in secret spots. You should know from the start what providers know about you so you can work together in your care. https://twitter.com/GilmerHealthLaw/status/1259991739290382336?s=20
"2. Individuals have the right to control how entities access, use, process, and disclose their data, including secondary (and beyond) uses."

This is also good. Right now, your info is shared without your knowledge, given to many entities, including very sensitive info.
But patients shouldn't have to go tracking down who has access to their health information. It shouldn't be on us to be detectives when we're already struggling. A change to give us control of sharing our data would be a massive win for patients.
"3. Individuals should be notified within a reasonable period of time following a material change in the entity’s data access, use, disclosure, and processing practices."

This is okay, but it's not helpful to many patients who may not understand what these changes mean.
"4. Individuals have a right to direct entities to not sell or otherwise share data about them."

Currently there are restrictions on things like marketing, but that doesn't stop sharing other data - especially data thought to be "de-identified."
It's unclear here if this also means a patient could tell providers not to share data with other providers. I doubt that's what they mean, but they should. There are valid reasons to want to keep some of your health info private.
Right now, providers can share anything and everything about you between each other. The limits that do exist can include substance use records and may include some mental health records. Patients can also request to restrict access (under 164.522(a)) but it's confusing and limited.
However, recent rules have gone the opposite direction in terms of patient privacy and mandate that for patients on Medicare, hospitals tell primary care providers about a hospitalization. This is not a good thing for patients in vulnerable populations who need privacy.
So I'm guessing this 4th point isn't really to restrict access between providers or give patients control of their information and data to that extent, but it should.
"5. Individuals and entities should be able to protect and securely share pieces of information on a granular, as opposed to a document, level."

This essentially means pts would have access not just to summaries but to actual data points, which is useful for many chronic patients.
"6. Individuals have a right to direct an entity to delete their data across the entity’s ecosystem of services, including when the entity goes out of business or is bought out by another entity (with potential narrowly delineated exceptions,...)"
I could see this being both good & bad for patients. It would be good to have the right to delete data. However, drs also have to retain records for a certain period of time. With principles of deletion vs retention at odds, patients could potentially lose access to data.
Patients may also regret any choice to have information deleted. Thus, it would be imperative that this work in concert with other principles to ensure patients have all their data before it's deleted.
"7. Individuals have the right to access and extract their data from a platform in a machine-readable format."

Yes, we should have a right to our own data but figuring out the definition of "machine-readable format" would be interesting.
Laws don't keep up with tech, so "machine-readable format" may not describe technologies to come and then patients still can't access their information. We see this with the "readily available electronic format" in HIPAA already which causes a lot of problems in getting records.
"8. Individuals should have the right to know whether their data will be used to develop and/or train machines or algorithms. The opportunity to participate in data collection for these purposes must be on an opt-in basis."

With the growth of AI, this is imperative.
Just a few weeks ago, we got word that Epic (a health care records system) was using untested AI to decide which COVID patients might decline. The data they used was likely not used with consent. https://twitter.com/GilmerHealthLaw/status/1253917884218130433?s=20
"9. Individuals should have a private right of action against entities that are subject to these requirements if the FTC and/or state Attorney General declines to pursue enforcement."

This is huge. This is saying they want to allow patients to sue doctors/health care systems.
But it shouldn't be limited to the FTC or AG, it should also expand to the OCR. Right now, if your rights are violated, you cannot sue a doctor/health care system. Given the @HHSOCR's lack of enforcement and terrible decision making, the ability to sue would be a game changer.
And no, I'm not litigious. I don't want to bring lawsuits against providers. I simply think if patients had the ability to bring these issues to court, a lot of providers would reassess their compliance and patients' rights would be strengthened.
Further, lawsuits would highlight the OCR's failings in enforcing HIPAA and create precedent on issues of patients' rights, privacy, and security. It would finally allow patients to have an active role rather than having to passively submit to the whims of this agency.
"10. Privacy rights should be honored unless they are waived by an individual in a meaningful way, the information is appropriately de-identified (using techniques that are demonstrably robust, scalable, transparent, and provable), or in rare instances ..."
"...when strong countervailing interests in public health or safety justify invasions of privacy or breaches of confidentiality and, in such case, to the minimum extent necessary."

This is not a good principle. It mostly says - we take it all back if we decide we want to.
We already see this happening with COVID where patient privacy is being dismantled because it's in the interest of the public health. We can have a lot of debates about this (and many are) but this again rips away patients' control of their own data when someone else decides.
"11. Disclosures of an individual’s data should be limited to that information, portion of the medical record, or abstract necessary to fulfill the immediate and specific purpose of disclosure."

This is already a thing. It's called the Minimum Necessary Requirement.
The Minimum Necessary Requirement is read rather broadly by the OCR, so if this principle is to have any meaning it needs to be tightened and be backed by enforcement.
"12. Individuals who access their medical records using apps should have mechanisms to annotate— but not change—the copy of the record they hold. These mechanisms should track who made the annotation, when, how, and why."

This addresses inaccuracies in patients' records.
Too often, medical records have errors - including errors in diagnoses, allergies, medications, and even notes on progress of an illness. This info then gets shared with anyone who has access to your info. Right now, you only have the right to request an amendment to your record.
Patients should have a way to change their records when the information is incorrect. Not just annotate, but actually change the record so the information is accurate. Because too often, doctors/hospitals will leave in the wrong information.
This 12th principle basically says, "we don't trust patients to tell the truth, but okay, we'll let them do a little more than request an amendment." The medical system doesn't trust patients is what it comes down to. They don't trust our knowledge of ourselves or our info.
This also creates the same problems that already exist with records amendment requests - there is a huge onus on patients to document everything. Patients should have an easy way to make sure their info is complete & correct. The only way to do that is let us have full control.
And I get that some will say, "but, what if the patient doctors their records" (pun intended) - as in, what if patients erase info or put in diagnoses they don't have or alter the notes in a way that will benefit them. Sure, that could happen. But most people just want accuracy.
So that wraps up the individual principles the AMA released in their statement. There are also principles on equity, applicability, and enforcement. I won't go over them all, but I'll make a few brief comments. You can find the full AMA statement here: https://www.ama-assn.org/system/files/2020-05/privacy-principles.pdf
On equity: As I said above, providers/the health care system discriminates. No matter how much the AMA says it upholds a standard of non-discrimination, without better training and enforcement, discrimination will continue.
The AMA also says it realizes how sensitive patient info can be and that sharing it can be harmful. But I don't think they really understand the depth of the harm at hand. They don't have to suffer the consequences and often become defensive when patients speak up.
The AMA acknowledges the digital divide and the lack of resources some patients face. But I don't know that they're truly doing everything they can to fill the gaps to ensure equitable access to care - including in accessing/sharing health info.
The AMA also recognizes that law enforcement shouldn't get to stick their nose into your health info without cause. This is an area that is of great importance, especially with substance use. But I assume many would push back on this as they have forever.
On Entity Responsibilities: these are all things that should already be happening - like having policies posted and disclosing to a patient what information is collected.
On Applicability: It is absurd to me that they want these principles to apply to everyone else but them. They say they don't want this to apply to doctors/providers who are already covered by HIPAA. Of course they don't, because they don't want to take on more responsibility.
If the AMA is serious about protecting patients, they need all the principles described above to directly apply to them. Not just other apps or companies, but to doctors, hospitals, insurers, business associates, and others covered by HIPAA too.
This cannot be a situation where doctors get to prescribe what others should do and take no accountability for themselves. All providers need to step up. If they want privacy protections for patients, it has to be universal. That means updating HIPAA & increasing enforcement.
You can follow @GilmerHealthLaw.