On April 24, 2025, the Healthcare Trust Institute (HTI) hosted a Capitol Hill briefing titled “Health Data Privacy 101,” with insightful contributions from MRO’s own Anthony Murray, chief interoperability officer. Against the backdrop of calls for a federal data privacy law, the session focused on the critical need to update health data policies to better protect personal health information (PHI) and ensure compliance within the evolving digital ecosystem. Here’s a summary of the key points discussed during the briefing.
Introductory Remarks
Anthony began the briefing by outlining what MRO does and the essential role our organization plays as a clinical data management company and business associate to healthcare providers. MRO facilitates the HIPAA-compliant release of patient information to authorized requesters, navigating the complex and expanding digital environment.
Lauren Jones, senior privacy and data protection counsel at Surescripts, highlighted the current patchwork of laws protecting PHI and individual rights, which, although essential, are becoming outdated. This has led to new use cases and access points beyond the reach of established federal privacy policies like HIPAA and HITECH, causing confusion and compliance challenges.
Tina Grande, president and CEO of HTI, described the increased volume and patchwork of state privacy laws, their lack of harmonization with HIPAA or with each other, and the importance of a public/private partnership to protect patient and consumer data. “HTI is pleased to host Hill briefings with a goal of educating Hill staff on complicated health data policy issues, such as data privacy, cybersecurity and artificial intelligence. Our member organizations, such as MRO, bring their deep expertise on these issues to the forefront as policymakers grapple with how to regulate (or not) issues that ultimately affect the health and well-being of healthcare consumers. Building trust in information sharing is our focus so that innovations can continue to evolve in healthcare with the trust of patients and consumers that their data is being ethically handled.”
Anthony emphasized the need for updated regulations to streamline data management, ensure compliance, and protect patient information. He also provided real-world examples to illustrate these points.
PHI is Increasingly Monetized – Patient Access and Risks of Modern Technology
Anthony posed a question to the audience about the terms and conditions of gaming, personal fitness tracking and health apps, pointing out that most people do not read them thoroughly and instead simply click through and ‘approve.’ This lack of awareness extends to health-related data, such as BMI, blood pressure, sleep cycles and other personal information, which can be monetized by app developers.
He stressed the importance of simplifying the consumer experience, providing them with visibility and control over their data. Regulations should harmonize with HIPAA, ensuring the same levels of confidentiality, integrity, and availability while addressing the specific privacy and security needs of electronic PHI (ePHI).
Anthony cited a 2021 study by Alisa Knight and Approov, which found vulnerabilities in 30 mobile health apps, collectively exposing 23 million users (about the population of New York) to potential attacks. Gartner predicted that API attacks would become the most frequent vector for data breaches, underscoring the urgency of robust health data policies.
Compliance Complexities
Anthony discussed the operational challenges posed by recent updates to HIPAA privacy standards. Providers are accustomed to handling sensitive information in specific ways, but evolving definitions of sensitive data complicate the process. This increases the burden on providers, requiring additional efforts to identify and protect sensitive information within electronic health records (EHRs).
He emphasized the need for a national framework for compliance to minimize exceptions and streamline processes. Harmonizing state and federal regulations would reduce administrative burdens and support innovation while ensuring patient privacy.
Third-Party Bad Actors
Anthony expressed concern about bad actors exploiting regulatory loopholes to gain unauthorized access to medical records. Under HIPAA, patients and/or their representatives have the right to direct their PHI to third parties. However, this provision has been abused by commercial entities posing as patients to obtain records.
He explained that third-party directives (TPDs) often result in the release of more information than necessary, exposing patients to privacy risks. Patients are typically unaware of these requests, which bypass HIPAA protections.
Anthony called for clearer regulations to prevent fraud and protect patient data. He noted that MRO has lodged complaints with the Federal Trade Commission (FTC) against such practices, highlighting the need for stricter oversight.
Conclusion
The briefing concluded with a reminder of the importance of robust privacy and security protections for PHI. Anthony reiterated that health information is highly valuable and must be handled with care. He emphasized the role of MRO in ensuring that only the minimum necessary information is exchanged and that patient privacy remains a top priority.
Anthony also acknowledged the longstanding value of the HIPAA framework, which is trusted by patients and healthcare organizations. However, he stressed the need to address gaps in protection beyond the reach of HIPAA and HITECH, ensuring comprehensive coverage for all health data.
The Capitol Hill briefing by HTI and MRO highlighted the pressing need for updated federal health data policies to address the challenges of the digital age. By harmonizing regulations, enhancing consumer rights, and protecting against bad actors, policymakers can ensure that patient privacy is upheld while fostering innovation and compliance in the healthcare sector.