
HIPAA Needs a Bigger Revamp

July 30, 2014

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in the latter days of August 1996, the same week Netscape released the third version of its browser. Yes, that Netscape. A week later, Princess Diana and Prince Charles formally divorced after years of separation. A young Gabriel Perna prepared for the fifth grade and was soaking up the last days of summer.

What I’m trying to say is, it’s been a while.

Over the years, HIPAA has been updated and revised multiple times. As recently as last year, the Omnibus Rule was added to provide guidance for covered entities and business associates and the relationship between the two, as well as breach enforcement and breach notification. The rule added flexibility and clarity to an overwhelming law, and yet it's not enough.

HIPAA needs a major revamp. It needs to get with the 21st century.

This was the message at a recent hearing in Washington D.C. on healthcare innovation. The House Energy & Commerce Committee has held these hearings with healthcare stakeholders of all kinds—vendors, providers, payers. The most recent hearing focused on the limitations of the privacy law and how it hampers health digital startups.

A powerful message came from Joseph Smith, M.D., Ph.D., of the West Health Institute, a nonprofit research organization. According to Modern Healthcare, Dr. Smith said he has seen multiple startups and small companies abandon innovative plans because of the privacy law. The Morning Consult reports there was also testimony from Paul Misener, Amazon's vice president for global public policy, who said HIPAA is preventing the company from shifting into healthcare cloud computing. Our own Pete Rivera confirmed this fear in a recent blog on HIPAA and the cloud.

Others concurred with Smith and provided their own examples of when HIPAA impedes forward-thinking ideas. Committee Chairman Fred Upton (R-MI) promised to draft legislation that would address this issue, Politico reports.

Off the top of my head, I wonder how Google Glass, patient-generated health data (PGHD) devices, telemedicine, and other recent, modern marvels have been or will be affected by the almighty HIPAA.

It's not just the hindering of digital health innovation that makes me think HIPAA needs a revamp. There are other issues with the law. For one, as Blue Cross Blue Shield of North Carolina vice president Susan Davis noted in the Morning Consult article (a great read, by the way), healthcare is supposed to be delivered across the continuum in 2014. It's hard to share data when providers are uncertain about when the law is going to ding them.

We want doctors to be able to share information, use multiple datasets, and take everything in, all to advance population health. But they're worried that anything can get them in trouble with HIPAA. Take a recent incident in Missouri, when a woman tried to take a photo of her 7-year-old son getting treatment to raise money for his hearing aids; she was told by the doctor that it violated HIPAA. I mean, really? A nursing home in Florida wouldn't cooperate with police investigating a rape because sharing that data supposedly violated HIPAA.

I would gather that these situations happen often, never mind the times doctors have told patients, "No, you can't view your medical data because it violates HIPAA."

If we're being fair, maybe those doctors don't know that HIPAA encourages the opposite: the Privacy Rule explicitly gives patients a right to access their own records. HIPAA is a confusing law that was drawn up well before healthcare started to go electronic and troves of patient data became readily available. It needs a significant, modernized update.

No one will deny the importance of strong protections for patient data. As I blogged about last month, the digitization of healthcare has only made these protections more important than ever. One only has to look at the privacy/security section of our website to see all the careless handling of protected health information (PHI) that goes on within healthcare settings these days.

I simply believe that the law can be readily revised to protect patient privacy in the digital health age, enable the flow of data, spur innovation, and not disrupt the investigation of a rape.

Please feel free to respond in the comment section below or on Twitter by following me at @GabrielSPerna

Hi Gabe,
Thought-provoking blog! Have you thought through some specific examples of how you want the HIPAA law to change? It might be an interesting exercise, because you have to imagine how what you come up with meets the needs and requirements of consumer and privacy advocates, all types of healthcare entities, as well as the entrepreneurs you talk about, and then makes it through Congress and the Administration. There is a reason the health reform law was hundreds of pages long and terribly complex: any law like this is drafted by lobbyists for powerful interest groups. Personally, I tend to be skeptical whenever businesspeople tell us we need less regulation -- like coal extraction or power-producing companies telling us not to worry about air pollution monitoring...

Thanks for the comment, David. I definitely don't have the answers nor the expertise to even consider how this could be developed, but off the top of my head, I'd like to see privacy legislation that accounts for data liquidity. There needs to be a way for information to pass through different levels of care with ease. Providers shouldn't have to worry about violating HIPAA when trying to coordinate care. Right now, that capability does not seem to be a reality for most providers. I also think data identification should become standardized, which, for one, would allow researchers to use large sets of data easily in their work and studies. Think of all the start-ups that stopped because they couldn't use research data because of HIPAA. Also, there has to be a way to protect consumer interests while allowing for flexibility in certain instances where revealing patient data would be helpful. I'm sure a lot of this is people who misunderstand the law, which should be addressed as well. I agree, you have to be wary of less regulation, but in some cases, I think it could help.

I often hear people calling for a HIPAA rewrite, and they talk about the same types of things you did here: people scrap plans to innovate, providers hoard data, it's "old", it prevents use of modern technology, etc. When I ask for specifics... what part of the rule prevented you from doing this or that?... I've never gotten a compelling response. Almost all of the objections are based in misunderstanding or incorrect assumptions. The rule is complex, but as the above commenter mentioned, that was necessary to enact a rule that could cover the huge variance in types of providers, services and vendors that are covered. Specifically with the Security Rule, which is what comes into play when you talk about innovation, the cloud and modern technology, the feds drafted a masterful piece of legislation that enforced good IT governance without getting into the implementation details. In my mind, there is almost nothing in the Security Rule that a good technology provider shouldn't be doing on their own, and it doesn't preclude you from using ANY technology, new or old.

Privacy requires extra work. Period. If we rewrite the rule, we'll still have to do that work.

All that said, I do wonder if the reputation of HIPAA is so scarred that there's no chance of getting people to open their minds and understand how to work with it. To that end, I wonder if a "rewrite" that said essentially the same thing (it would almost have to, unless we loosen up on the privacy), but in a new way that more explicitly promotes data sharing, etc., would get people to take a second look and conquer their own fears.

Lastly, I think our best bet is to accept that HIPAA exists and always will in one form or another. So we should do our homework, understand the rules and build solutions and services that work within it. Collectively, the health care industry is wasting too much time and energy fighting this ghost.

You bring up some fair points. Any law around patient privacy will require a lot of work, no matter what it entails. Revamping HIPAA won't change that. However, I do think it's still necessary... or perhaps there is a giant misunderstanding across the industry about how the law works. In that case, maybe a focus on education is the answer. Either way, people are using HIPAA as an excuse for the lack of data liquidity and healthcare innovation, among other things.