Do New HIPAA Updates Better Balance Security with Access?

In mid-January, the Department of Health and Human Services published the first major updates to the Health Information Portability and Accountability Act (HIPAA) since its enactment 15 years ago.

The HIPAA Final Omnibus Rule is so-called because it makes these changes as a long-awaited provision of HITECH, the portion of the 2009 stimulus bill that encouraged EMR adoption and other health IT innovation. Some highlights:

  • It expands the privacy and security standards required of “covered entities” (providers and payers) to their “business associates” (third party contractors such as claims processing or quality assurance), which HIPAA previously covered by less stringent rules.
  • It changes the default format for patients to receive requested records from paper to electronic and lessens the paperwork needed for them to release their information to third parties such as family members, kids’ schools, and researchers–yet also allows patients to hold back information about a visit from their health plan if they pay out of pocket.
  • It prohibits the sale of protected health information without permission and limits its use for marketing and fundraising purposes.
  • It lowers the threshold for security breach notification and increases penalties for noncompliance to a maximum of $1.5 million.

The business associate and breach notification changes are industry game-changers that have the potential to better protect patients but also to create ever more administrative burden. These topics have been extensively covered by media and other bloggers, so instead I want to offer my perspective as a future physician on how HIPAA and its new changes affect my patients and me in everyday ways in the hospital and clinic.

As an example, last year while seeing patients in urgent care, I met an older woman who was brought in by her caretaker daughter for a nosebleed. After some tests, I discovered that she was anticoagulated beyond the goal range for her blood thinner medication. Her daughter asked my attending if we could print out a copy of the lab results from our newly-implemented EMR so that she could take it to her mother’s primary care doctor to discuss dose adjustments. To my surprise, the attending apologized but said he couldn’t, that they would have to go to the medical records office to request that information because of concerns about patient privacy.

What good are EMRs to patients if we maintain the same analog workflows and don’t share our newfound accessibility to data with them–especially given that the data is about them? This was not a concern about patient privacy–the patient was sitting right in front of us and would happily give us permission to share her information. In fact, it may have been perfectly legal to do so, but HIPAA, or perhaps some interpretation thereof, seems to discourage individual actors from straying from established protocols for fear of incurring penalties. In this case, we sent the patient, an old woman in a wheelchair, all the way across campus to wait in line and complete paperwork to access a paper copy of a single electronic lab, a request which I later learned takes 1-3 weeks for processing (at which point this patient’s data would be obsolete).

It’s easy for us to forget that HIPAA was meant to make clear, for the first time in U.S. law, that patients have a right to their own health information. It also includes privacy rules meant to protect patients’ health information from getting into the wrong hands, but in urgent care, the messy, real-life implementation of those rules thwarted me from putting my patient’s data into exactly the right ones.

The new changes to HIPAA that provide for easier patient access to digital copies of health records and more efficient sharing with third parties may make situations like the above more rare, especially as patients begin using portals to view results and initiatives like Blue Button expand to improve sharing capabilities. Additionally, once patients have access to their data, they can use it however they want, including sharing it with mobile and other health apps, to which HIPAA rules, despite the updates, continue not to apply because they provide services directly to consumers rather than through healthcare providers. (Though that could change: according to mobihealthnews, one member of Congress is drafting separate legislation, called the Application Privacy, Protection, and Security Act, or APPS Act, that would establish standards for all apps, including ones that involve health data.)

The market has changed so much since HIPAA’s enactment that many of these adjustments were long overdue. New technology iterates faster than legislation, so in the long term we need to be smarter about implementing regulations that are sustainable enough to account for continuous innovation, and not just for the healthcare industry. And any future one-off updates to HIPAA should be careful to further balance the law’s duty to protect health information with its spirit of access.