The Importance of Health Data Privacy Done Right for New Yorkers
People care about the privacy and security of their personal health data, and rightly so. They also care about accessing healthcare, where and when they need it. Telehealth quickly became a valuable and trusted care modality during the COVID-19 pandemic, delivering quality care via video, audio and mobile devices for individuals otherwise unable to access care. There’s currently a bill awaiting action from Governor Hochul, the NY Health Information Privacy Act (S929), with the noble intent of protecting our privacy. However, despite good intentions, certain provisions of this legislation will create significant operational barriers and disruption for New Yorkers seeking health-related products and services via telehealth.
At the American Telemedicine Association, we firmly believe that the protection of patient data is a prerequisite for all virtual care services and is a core principle for our organization. We believe that sensitive health data should not be collected or shared without consent and support giving consumers transparency into how their data is being used. As telehealth providers often reach over state lines, we strongly believe that any state law and policy aiming to protect all consumer health data should be consistent with the same protections as the federal Health Information Portability and Accountability Act (HIPAA) and/or robust federal requirements.
Unfortunately, this bill misses the mark and is inconsistent with HIPAA standards – and every other state privacy law – in several ways. In its place it imposes many requirements that privacy experts have explained will inadvertently create confusion and undue burden for patients and healthcare entities.
Rather than an opt-in consent process consumers already understand, the Act would require a burdensome authorization process anytime an entity wants to process “health data” (loosely defined) that is not “strictly necessary” to provide the service. Further, this onerous “authorization” can only be obtained 24 hours after the consumer has engaged with the entity. On paper, this may sound like a safeguard. In practice, it means that a person seeking mental health care or contraception support, for example, would have to jump through redundant bureaucratic hoops just to continue receiving support after their visit. These procedural delays will chill participation and cause patient confusion, especially among those who rely on mobile-first, virtual, and asynchronous health services – the very tools that have broken down barriers to care for millions. Ironically, a bill designed to protect privacy would result in less access, less awareness, and fewer choices for the very people it aims to empower.
This untested framework is not consumer friendly and runs counter to sound data policy.
First, a telehealth provider would need to collect *more* data – IP addresses, time stamps, and device ID – to actually comply with this authorization framework. Second, as a respected privacy expert has noted, the Act’s requirements are “so onerous that they cannot realistically be implemented and [will] . . . serve as a ban on common and beneficial data practices.”
For instance, suppose a patient visits a telehealth provider to receive treatment for a cold. In most states and under HIPAA, the entity might then process the patient’s data to remind them of the need for a vaccination months later, send them a coupon for a future health visit, run research analytics on the patient’s visit to help improve services, or send the patient educational materials on other health and wellness topics. Notably, none of this involves sharing any data with third parties – this is simply traditional, in-house patient management. Under the New York Act, however, these uses would not be “strictly necessary” to the treatment for the cold and would require the telehealth entity to obtain a signed authorization from the patient more than 24 hours after the visit.
Given that very few consumers will be inclined to sign these authorizations, healthcare entities are going to be required to disable or diminish important tools and services that engage and empower patients.
Telehealth practices already must meet standards for patient safety, data privacy, and information security, while advancing patient access and building awareness of telehealth practices. Personal health information used in telehealth and virtual care platforms, systems, and devices must be secured and protected from misuses and inappropriate disclosures. As drafted, the NY Health Information Privacy Act does not achieve these guidelines for health data security – the likes of which have already been enacted in numerous states across the country. If other states can successfully balance consumer health data protection with maintaining the user experience that makes virtual care useful and accessible, New York can too.
We urge Governor Hochul to require amendments to this legislation – to better align with proven health data privacy policy and existing privacy statutes and regulations in order to reduce both complexity and costs regarding compliance, and confusion for consumers. Health data privacy laws should be consistent with and not exceed HIPAA’s standards, to avoid an unequal framework for New York providers and patients.
Telehealth is and will remain an important way Americans access the healthcare they need, especially in rural areas. We ask Governor Hochul to ensure that consumer access to these services remains a viable option and to support innovation and advancement of technology-assisted care for all New Yorkers.
Kyle Zebley is Senior Vice President, Public Policy, and Incoming Chief Executive Officer, the American Telemedicine Association (ATA), and Executive Director, ATA Action.
*sponsored content*

