Imagine signing one consent form to receive help from a shelter, food pantry, substance abuse center, or other social service — but with that one action, you’ve opened the floodgates for staff and volunteers at hundreds of other organizations to see your private financial, medical, behavioral, and social data in its entirety. And you didn’t have a choice in the matter.
This is more than hypothetical; it’s happening in communities today.
We’re in this situation because privacy assurances within the Health Insurance Portability and Accountability Act (HIPAA) introduced 20 years ago this month have not kept up with healthcare organizations that are now taking an earnest and more modern approach to whole person care. This has left the door open for bad actors to take advantage of loopholes and diminish privacy for deeply personal information.
To maintain high standards for the privacy and protection of personal information that citizens across the U.S. have come to expect, legislators need to act before it’s too late.
It’s important to understand how the blurring lines between health care and social care have unintentionally created an environment that some organizations are exploiting.
Over the past two decades, the U.S. has made significant strides in recognizing the outsized impact that socioeconomic factors have on health outcomes and cost. In fact, it’s widely accepted that 80 percent of health outcomes are determined by these social determinants of health (SDOH) – including food insecurity, transportation barriers, housing instability and other factors. In other words, the medications you take or the decisions you make with your doctor, while important, only influence a fraction of your overall health.
This is why healthcare organizations have become more involved in social care. They realize how important it is for keeping people healthy, so as they continue to focus on what they do best — medicine and clinical care — they’re partnering with other organizations in their communities that provide social care. Nonprofits and community-based organizations (CBOs) that provide assistance for things like food, housing, transportation, utilities, substance abuse treatment and so much more are the bedrock of our social safety net. And when these organizations are connected to and working with our healthcare systems, it lifts the wellbeing of our communities and the people in them.
Organizing CBOs, nonprofits and other social services into a network to help people find the right resources at the right time amplifies the reach these organizations have, and the good they can do. But if a social care network is not thoughtfully designed with the right legal and moral boundaries for protecting personal information, privacy starts to erode.
Healthcare organizations are held to a higher standard for protecting personal information, thanks to HIPAA and other industry regulations — but the social care organizations they work with are not held to those same standards. This must change.
This spring, the State of New Hampshire passed a bill with overwhelming, bi-partisan support to provide important guard rails for privacy when accessing social services through a referral network. This simple but critical legislation for maintaining privacy can serve as a blueprint for federal action on the issue. In the meantime, states that care about the privacy of their residents (and which can act more nimbly than the federal government) should consider enacting similar legislation.
There is no legitimate argument for leaving privacy behind when modernizing the social safety net. Some might say that requiring individual consent — versus blanket consent — to refer a person to a social service will hinder access to care. This is simply not true.
Organizations across the country are successfully working with referral networks that require individual consent, proving that it can be done efficiently and effectively. On the other hand, there are others who are taking the opposite approach. In these cases, people may not realize that they’re giving blanket consent for their personal information to become accessible far and wide by others in their community.
So many people are concerned about how social media networks may be ignoring privacy by tracking people and sharing data — it’s a legitimate issue that gets constant attention. Social care networks are capable of similar actions, but the information they have access to is far more personal. This issue deserves just as much — if not more — attention until we can assure each individual has full control of their personal information and transparency to know who has access to it.
New Hampshire was the first to recognize that this breach of privacy has been taking place. As a result, the state took swift steps to prevent it from happening. It’s time for others to follow suit.
Erine Gray is CEO and founder of findhelp.org, a public benefit corporation working to modernize America’s social safety net for anyone who needs help or helps others.