Is HIPAA Obsolete?

By Jay Eisenstock, Chair of the WEDI Board of Directors and founder of JE Consulting
Twitter: @WEDIonline

In 2003, the health care industry scrambled to comply with the HIPAA Privacy Rule. This rule is composed of regulations for the use and disclosure of Protected Health Information in healthcare treatment, payment and operations by covered entities. The key point is these regulations apply to covered entities: doctors, hospitals, pharmacies, health plans, and select others who support them. When the regulations were drafted in 1996, clinical records were mostly paper based and conveyed to interested parties by phone or fax. The multitude of devices and applications in use today from fitness trackers to weight management programs could not have been anticipated. As a result, few of these are covered under the existing HIPAA Privacy regulations.

Data collection about an individual’s biology, psychology, behavior and daily environment is now possible due to the proliferation of wireless and mobile health technologies. This data is vital to the prevention and treatment of diseases and chronic conditions. Often companies outside traditional health care, not subject to the HIPAA regulations, parlay the use of this information into commercial products. While individuals have the right to know how their health care information is exchanged and used, internet enabled devices and applications may exchange data without their knowledge or understanding.

The recently released Interoperability and Patient Access rule lists privacy and security of patient information as a top priority. It outlines steps to protect patient data and make informed decisions about sharing patient health information with third parties. While this could be considered an improvement to the existing HIPAA Privacy regulations, the onus of compliance remains with the health plan and not directly with the third party.

With advances in technology and the greater awareness individuals now have about their health care, the issue is less about keeping health information private and more about controlling its use. People are drawn to these devices and applications because of the benefits promised and the desire to improve their well-being. For this, they will gladly give up some of their private information. The current pandemic provides examples of how this shift is occurring. One example is the use of mobile devices to report and support contact tracing. Another is CMS choosing not to enforce HIPAA Privacy for some telehealth uses during the pandemic.

The HIPAA Privacy Rule is important and will continue to be relevant for many uses across the spectrum of health care. It’s complicated because technology is ubiquitous and drastically alters the flow of personal health information. The government cannot regulate all aspects of this data. We as individuals must determine for ourselves when, how, and to what extent our personal health information is communicated to others.