Now 2 decades old, does HIPAA have the muscle to protect patient rights?
Nick Biernat | 05.22.2019
Critics contend that some parts of HIPAA are hindering health tech innovation, while others argue it doesn’t protect privacy on emerging channels.
HIPAA, the Health Insurance Portability and Accountability Act, has been one of the most hotly debated pieces of healthcare legislation ever since it was enacted in 1996. It was originally designed to protect employees’ rights to health insurance between jobs. Today, it is far more synonymous with privacy measures that were enacted along with the bill to address the use and disclosure of individuals’ health information—called protected health information (PHI).
HIPAA is From a Different World
Despite many updates to the regulations since the law was first implemented, HIPAA critics contend the bill is much in need of an overhaul to reflect advances in technology. At the time HIPAA was first written into law, society and technology were incredibly different from what we have today:
- A new Internet experience. The World Wide Web was just emerging as a more usable version of the Internet, and lawmakers could have done little to predict just how much it would change the way we share and exchange health information.
- Search 1.0. While we had Yahoo! and AOL, Google had not yet launched.
- Internet use. Americans with Internet access at that time spent fewer than 30 minutes a month surfing the Web.
- Early days of cell phones. Cell phones were just emerging in 1996, but they were large and limited. Consumers were more likely to receive text messages on a pager than a phone.
- Social what? Social media as we know it didn’t even exist.
HIPAA Limitations
HIPAA critics argue that the law is now out of sync with the digital and mobile technologies that dominate consumer communication and that are increasingly used within our healthcare system. For starters, the law only pertains to healthcare providers, health plans and healthcare clearinghouses involved in the transmission of PHI, known in the bill as “covered entities.” Developed more than a decade before Fitbit was even founded, the law was never intended to be a measure for managing the flow of healthcare data that exists in today’s digital ecosystem. With more than 300,000 health apps and a growing number of devices capable of tracking health data, some question if the law is still the best measure for safeguarding consumers’ health privacy.
Needed Changes to HIPAA
While most can agree the law needs some modernization and reform, there are distinctly different philosophies driving demand for change:
- Digital age demands. On the one hand, some critics don’t believe the law goes far enough to protect consumers and their privacy in the digital age.
- Hampers the healthcare industry. Others believe the law presents an undue burden on the healthcare industry and is, in turn, stifling innovation at the time we need it most.
- Patients are paying the price. On both counts, patients are the ones paying the price, caught in a healthcare system that has not yet evolved to make accessing their personal health information easy.
Is HIPAA Negatively Affecting the Patient Experience?
An unforeseen consequence of HIPAA has been its impact on patient communications. A top complaint among providers is that the law restricts them from delivering an experience in line with today’s consumer expectations. Consumers are used to easy, seamless electronic communications, and they want the same from their health providers. They want to be able to text their doctor directly and get emails from their care team, and they don’t necessarily want to deal with logging in to a secure portal to make it happen. While electronic health portals have been positioned as a solution, security measures often make them cumbersome, and as a result, consumers fail to engage. Those pushing for a modernized bill say it should be as easy for patients to communicate with their care team as it is to conduct online banking.
Hindered Access to Information
Despite its intent, HIPAA has in some cases made it more difficult for patients to secure access to their health data and history. Patients are often told that due to the privacy constraints of HIPAA, they can’t access their records and they can’t be shared with another provider. Healthcare administrators who have been drilled to protect privacy too frequently use HIPAA as a scapegoat not to provide access to health data and records. A study conducted by Yale University School of Medicine confirmed the scale of the problem, finding only 53 percent of hospitals they surveyed provide an option for patients to obtain their medical records. This runs counter to a key goal of HIPAA, which guarantees patients’ rights to their protected health information. The HITECH Act extends the requirements, specifying organizations must provide patients with an electronic copy of their file. It can be especially difficult for loved ones who are caregivers to get access to the data and health information they need. Despite updates made in 2013 to ensure individuals can designate a third party to receive health data via a right of access request, many providers still are not familiar with the rules and are overly cautious in the release of information to caregivers.
Is HIPAA Holding Back Health Innovation?
Many argue HIPAA is holding the healthcare industry back by placing restrictive burdens on data use that make it difficult for healthcare providers and patients to access information and to use health information to its fullest potential. They contend that HIPAA is slowing the pace of innovation and adding to skyrocketing costs that already plague our health system. In fact, fifty-nine percent of physicians, hospital administrators and health IT professionals cited the complexity of HIPAA requirements as a major barrier to modernizing the healthcare system in a survey by the Ponemon Institute. HIPAA critics believe the law’s ambiguity and fears of costly fines have created a risk-averse culture. The result is that HIPAA is often over-applied, which then poses negative consequences for our health system and the patients the law was intended to protect.
Unrealized Potential of Big Data
Big data is transforming the way we process information and solve problems across industries, and nowhere is its promise greater than in healthcare. However, many contend HIPAA is a barrier to using health data to its fullest potential, and they maintain that compliance fears have hindered improvements in and from health data. A 2013 Bipartisan Policy Center report, titled A Policy Forum on the Use of Big Data in Health Care, asserts that HIPAA is causing delays in the sharing and movement of data in a meaningful way. They believe that federal regulation is “misunderstood, misapplied, and over-applied in ways that may inhibit information sharing unnecessarily.” The unintended consequence of HIPAA is that patient data is often siloed. Clinical data and analytics that could lead to better health for the population are instead locked away and not put to optimal use.
Undue Burden on Start-Ups and Innovators
Among the chief complaints of HIPAA are its complexity and lack of clarity. The law’s ambiguity, particularly for new market entrants that don’t neatly fit the “covered entity” definition, can make it difficult to interpret and navigate. Critics argue that those who are trying to innovate in the space face a high barrier to entry and unreasonable exposure to fines or lawsuits. That HIPAA-driven reality keeps many of the best and brightest away from the healthcare industry altogether. For the many start-ups in the health tech field, the consequences are real and significant:
- Legal burdens. Entrepreneurs must shoulder hefty legal fees as they try to interpret applicable laws and regulations.
- Compliance. Start-ups face increased development fees to achieve, maintain and ensure compliance with HIPAA requirements.
- Capital. Innovators often encounter hesitancy from potential investors due to compliance risks.
Many Argue that HIPAA Doesn’t go Far Enough
While many argue for a loosening of HIPAA restrictions in the name of innovation, others argue HIPAA does not go far enough to protect patient rights and privacy. These pro-privacy critics argue that HIPAA leaves consumers vulnerable in the wake of increased use of electronic health records, rapid advances in mobile health and unclear guidelines on data from wearable devices. Consumers themselves lack trust in the system and want better protection and privacy assurances. According to a recent Black Book survey, consumers have serious concerns about healthcare organizations’ abilities to protect their health data and to ensure that it will stay private.
- More than half of consumers who had used technologies provided by their physician or hospital such as electronic health records, portals, and apps, noted they were concerned about the privacy protections put in place. They questioned whether their data could, in fact, be kept private.
- Their lack of confidence was causing many to hold back from sharing their full medical information with their providers.
- Eighty-seven percent were unwilling to share comprehensive information for fear of how it would be shared.