Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in the latter days of August 1996, the same day Netscape released the third iteration of its browser. Yes, that Netscape. A week later, Princess Diana and Prince Charles formally divorced after years of separation. A young Gabriel Perna prepared for the fifth grade and was soaking up the last days of summer.
What I’m trying to say is, it’s been a while.
Over the years, HIPAA has been updated and revised multiple times. As recently as last year, the Omnibus Rule was added to provide guidance for covered entities and business associates and the relationship between the two as well as data breach enforcement and breach notification. The rule added flexibility and clarity to a very overwhelming law and yet, it’s not enough.
HIPAA needs a major revamp. It needs to get with the 21st century.
This was the message at a recent hearing in Washington D.C. on healthcare innovation. The House Energy & Commerce Committee has held these hearings with healthcare stakeholders of all kinds—vendors, providers, payers. The most recent hearing focused on the limitations of the privacy law and how it hampers health digital startups.
A powerful message came from Joseph Smith, M.D., Ph.D of the West Health Institute, a nonprofit research organization. According to Modern Healthcare, Dr. Smith said he has seen multiple startup and small companies quell innovative plans because of the privacy law. The Morning Consult reports there was also testimony from Paul Milsener, Amazon’s vice president for global public policy, who said HIPAA is preventing a shift into healthcare cloud computing for the company. Our own Pete Rivera confirmed this fear in a recent blog on HIPAA and the cloud.
Others concurred with Smith and provided their own examples of when HIPAA impedes forward-thinking ideas. Committee Chairman Fred Upton (D-MI) promised to draft legislation that would address this issue, Politico reports.
Off the top of my head, I wonder how Google Glass, patient-generated health data (PGHD) devices, telemedicine, and other recent, modern marvels have or will be affected by the all-mighty HIPAA.
It’s not just the hindering of digital health innovation that makes me think HIPAA needs a revamp. There are other issues with the law. For one, as Blue Cross-Blue Shield of North Carolina vice president Susan Davis noted in the Morning Consult article (a great read by the way), healthcare is supposed to be delivered across the continuum in 2014. It’s hard to share data when providers are uncertain of when the law is going to ding them.
We want doctors to be able to share information, use multiple datasets, and take everything in, all to advance population health. But they’re worried anything can get them in trouble with HIPAA. Take a recent incident in Missouri, when a woman tried to take a photo of her 7-year-old son getting treatment to raise money for his hearing aids; she was told by the doctor it violated HIPAA. I mean, really? A nursing home in Florida wouldn’t cooperate with police in investigating a rape because sharing that data violated HIPAA.
I would gather that these situations probably happen often, never mind the times have doctors told patients, “No you can’t view your medical data because it violates HIPAA.”
If we’re being fair, maybe those doctors don’t know that HIPAA encourages the opposite. HIPAA is a confusing law that was drawn up well before healthcare started to go electronic and troves of patient data were available more readily. It needs a significant modernized update.
No one will deny the importance of strong protections of patient data. As I blogged about last month, the digitization of healthcare has only made these protections more important than ever. One only has to look at the privacy/security section of our website and see all the careless handling on protected health information (PHI) that goes on within healthcare settings these days.
I simply believe that the law can be readily revised to protect patient privacy in the digital health age, enable the flow of data, spur innovation, and not disrupt the investigation of a rape.
Please feel free to respond in the comment section below or on Twitter by following me at @GabrielSPerna