HIPAA Modernization of Security Standards
The Health Insurance Portability and Accountability Act, better known (if not always spelled correctly) as HIPAA, was signed into law by President Bill Clinton in August 1996.
A lot has changed in the two decades since – in the ways consumers interact with health systems and the ways technology is transforming care delivery and the patient experience. So maybe it's time to give the privacy law a refresh, said the American Medical Informatics Association and the American Health Information Management Association.
WHY IT MATTERS
As access to personal health information is easier than ever, with smartphones now ubiquitous and apps and connected devices proliferating by the day, both AMIA and AHIMA have voiced support for HIPAA modernization.
In a joint appearance on Capitol Hill, in a presentation about unlocking data for patient empowerment, experts from the two groups highlighted how healthcare has a lot of catching up to do to serve a population used to online shopping, travel booking, review sites and more.
Toward this vision of improved patient experience, AMIA and AHIMA said U.S. policymakers should take steps to update HIPAA to enable greater data access and portability – something that looks more likely than it did even a few months ago.
It could be done in a couple different ways, they said. First, potentially, by establishing a new concept of a health data set, with that HDS comprising all the clinical, biomedical and claims data maintained by a covered entity or business associate.
Another option is to revise HIPAA's existing "designated record set" definition, requiring certified health IT products to provide that amended DRS to patients digitally, in a way that enables them to use and reuse their data.
They explained that a new definition for HDS would support individual HIPAA right of access and guide the future development of ONC's Certification Program so individuals could view, download, or transmit to a third party this information electronically and access this information via application programming interface.
Revising the existing DRS definition, meanwhile, would offer more clarity and predictability for both providers and patients, AMIA and AHIMA said.
THE LARGER TREND
Even as the availability and maturity of consumer technology have improved, "more than two decades after Congress declared access a right guaranteed by law, patients continue to face barriers," said Dr. Thomas Payne, medical director, IT Services at UW Medicine. "We need a focused look at both the technical as well as social barriers."
AMIA and AHIMA called for a broader conversation regarding consumer data privacy, and called on Congress to "extend the HIPAA individual right of access and amendment to non-HIPAA Covered Entities that manage individual health data, such as mHealth and health social media applications. The goal is uniformity of data access policy, regardless of covered entity, business associate, or other commercial status."
Moreover, the groups said regulators should clarify existing regulatory guidance related, for example, to third-party legal requests, such as those by lawyers looking for information without appropriate patient permissions.
ON THE RECORD
"Congress has long prioritized patients' right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles," said Dr. Doug Fridsma, president and CEO and AMIA. "But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined."
"AHIMA's members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape," said AHIMA CEO Wylecia Wiggs Harris, in a statement. "The language in HIPAA complicates these efforts in an electronic world."