To the Editors:

The Health Information Portability and Accountability Act (HIPAA) passed the United States Congress in 1996 and was signed into law. The Secretary of Health and Human Services was tasked to develop the regulatory framework for its implementation in 1998. It is important to recall that in 1998, the internet was a new technology not available to all, Google was in its infancy and had no reach, and the idea that personal health data could be usable anonymously was prevalent. At that time, it may even have been true.

In 1998, policy discussions within the context of the value of research, supported the concept that if Personal Health Information (PHI) could be used for the public good and if individuals were not harmed in any way, why not share the data anonymously? Opposition to this concept would be difficult to support in 1998 because, compared to today, the computers of the day had limited processing and storage capacity, the aggregation algorithms available were in their infancy, and multiple sources of corroborating data did not exist.

Those days are gone. They have been gone for many years. They are not coming back.

In the last two decades, the gradual transition to a focus on financial arrangements with commercial entities was not foreseen, or at least was not foretold. As such, the HIPAA deidentification exception [https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html] is often misused by healthcare entities to partner with commercial entities in ways very different from the original intent.

The HIPAA exception is now hopelessly antiquated as it creates cybersecurity, reidentification, and privacy risks that were unintended when it was written. This exception now risks harming individuals as they are not given any opportunity to object to their data being shared. In at least some data sharing agreements, patients do not even know that their data is being shared or with whom, which is contrary to the doctrine of informed consent, and certainly antithetical to the rules of the GDPR [https://gdpr-info.eu/], especially Chapter 2, Article 7.

Taking personal data from someone without their permission devalues them. While as a society we identify the value of personal data, we act as though it is permissible to take it without offering anything to the individual, not even requesting their consent. If asked, many would consent. Some have good reason for denying consent. Those reasons should be honored, not rationalized away or ignored.

It is several years beyond the time when the HIPAA deidentification exception should have sunsetted. Once the exception is eliminated, all data previously shared with commercial entities that lack explicit permission of the individual should be expunged unless informed consent is obtained to retain it. The HIPAA deidentification exception has increasingly served as a violation of patient trust in the American healthcare system. It violates a key tenet of HIPAA: we will keep Personal Health Information private and secure.

The authors encourage The Department of Health and Human Services (HHS) to rescind the HIPAA deidentification exception as soon as plausible. Readers are encouraged to voice their views with HHS today.

Larry Ozeran MD, FAMIA

Richard Schreiber MD, FACP, FAMIA