The date is August 21, 1996. The Macarena is at the top of the Billboard Hot 100 Chart. The medical drama ER, in its second year running, is the number one rated television show in the U.S. Bill Clinton has nearly secured a second term in the White House. One of the most influential pieces of U.S. healthcare legislation is signed into law.
The Health Insurance Portability and Accountability Act (HIPAA) in large part ensured continuity of health coverage when a person lost or changed jobs. Its overarching objective and impact, however, was much broader — governing how personally identifiable information (PII) could be shared, used or disclosed in order to protect that information from fraud and abuse.
A New Era
A lot has changed since 1996, when HIPAA was first introduced and George Clooney donned scrubs on TV. Much has also changed since 2013, when HIPAA saw its last set of major changes under the Final Omnibus Rule. Technology has evolved considerably. New payment and coordinated care models have emerged. Telehealth has finally taken hold as a viable alternative to in-person care, necessitating an evolution of policy and infrastructure to support its continued use. Healthcare spending has grown to nearly 18% of our nation’s gross domestic product.
In light of these changes and a pandemic that has tested the limits of our public health system, there is a unique and necessary opportunity to reexamine HIPAA regulations in the context of the current healthcare landscape. Temporary measures relaxing some HIPAA rules during the COVID-19 public health emergency (PHE) have helped to facilitate access to care via telehealth and made it easier for covered entities and their business associates to leverage healthcare data for cost containment and public health surveillance purposes.
While those measures are due to expire at the end of the PHE, the Department of Health and Human Services’ (HHS’) Office for Civil Rights (OCR) is proposing a number of HIPAA modifications that would help modernize the privacy rule for today’s post-pandemic, increasingly value-based and patient-centered world. With the update, the OCR is aiming to cut down on administrative burden, improve care coordination and promote data sharing and interoperability so that patients and healthcare operations can better access healthcare data for authorized purposes.
Ensuring Proper Use
These changes are a welcome upgrade to the decades-old law and an important first step in modernizing HIPAA for the needs and challenges of today. However, it should be emphasized that these changes are merely that — a step in the right direction. With the continuous introduction of new technologies enabling patients to manage their health and health data, further action must be taken to ensure that information is being used responsibly and in a useful way.
For example, as the federal government strengthens the rights of individuals to access their own health records, third-party apps — such as those authorized under Medicare’s Blue Button 2.0 initiative — are being developed to facilitate this capability. However, these third-party developers are not governed by HIPAA, but rather, the Federal Trade Commission. Therefore, the personal health information being exchanged through these apps is not subject to the strict rules governing the use and disclosure of healthcare data in nearly every other instance. Although there may be lengthy and technical disclosures describing where members’ data is going and how it is being used, the likelihood that these will be read and understood in their entirety is low.
Creating a More Efficient & Secure Healthcare Ecosystem
The above is just one example of many technical and operational challenges that must be addressed in order to protect sensitive data, while enabling its use for the benefit of public health and the sustainability of our healthcare system. Broadening access to healthcare data has powerful implications for coordinated, whole-person care, which necessitates the exchange of information across entities, such as between public health agencies, HHS and state Medicaid agencies. It also gives healthcare organizations and their business associates access to vital information to better identify and prevent fraud and abuse in the healthcare system while reducing unnecessary costs.
At the same time, of course, it creates new vulnerabilities. In today’s world, consumer data breaches are occurring ever more frequently. As healthcare becomes more consumer-centric, patient autonomy cannot come at the compromise of data security. Let’s work together —government and industry — to strike this balance and modernize HIPAA for the 21st century.