By Dan Orenstein
Here is a thought-provoking statement about the HIPAA privacy and security rules: These rules were required by the 1996 legislation to support the exchange of health information. They were intended to provide limits and protections on the exchange of information, and were not added after the fact as a reaction against free information exchange.
Radical notion? Not really. The HIPAA transaction provisions were aimed at enabling health information exchange, and the privacy and security rules were designed to support that goal.
Here are a couple of observations about what has changed in the nearly 20 years since HIPAA was enacted:
Rather than enabling information exchange, many in health care perceive the HIPAA privacy and security rules as barriers to the free flow of health information.
Technology has changed dramatically; 1996, when the rules were created, was before the modern Internet took root in our everyday lives. Additionally, social networks, the cloud, and mobile computing platforms did not exist. The world of today, technologically speaking, barely resembles the world of 1996. HIPAA, however, has not changed.
So perhaps it makes sense to revisit the HIPAA rules, to make sure that the privacy and security protections are optimized for today’s technology, with the goal of protecting individuals as well as enabling information exchange.
Yes, HIPAA does enable a wide range of disclosures through the Treatment, Payment, and Health Care Operations permissions. But there are numerous cases in which the HIPAA provisions are not clear. For example:
In her Health Leadership Forum, Amy Abernethy, MD, points out that only three percent of cancer patients have an opportunity to enroll in clinical trials, and that this low rate is due in part to the difficulty of searching for information on eligible participants, given the lack of clarity in the HIPAA privacy rule with regard to accessing relevant anonymized health data.
A rapidly growing area of the health care economy involves both provider and other organizations that can assist providers in outcomes evaluation, developing clinical guidelines, patient safety activities, and population-based activities to improve health or reduce health care costs. It is not clear whether HIPAA-covered entities may participate in multi-party arrangements to perform these activities, much less whether non-covered entity organizations may access the information required to facilitate these activities.
While it may be implied in Treatment or Health Care Operations that, absent a national patient identifier, patient databases can be queried to match patients to enable the exchange of treatment information or information to facilitate payment or operations across organizations, HIPAA does not clearly provide for this.
HIPAA limits patient control over their information to consents and written authorizations that apply in only limited circumstances and usually to one organization. HIPAA recognizes no mechanism that would give patients broad consent and control capabilities across the care delivery continuum.
In the absence of clear pathways to enable what many would consider to be fundamental to enabling health information exchange, lawyers have been more than happy to step in to provide cumbersome, customized multi-party written arrangements. Do the lawyers for health care organizations negotiating these contractual fixes represent patient interests?
I can’t imagine many would answer that this is the best way to empower patients. And applying these custom fixes is not even close to scalable or sustainable at a level that would support modern health information exchange.
We are failing to seize a tremendous opportunity for patient empowerment and engagement that lies right in front of us. A clear HIPAA pathway could enable patient consent and preferences to be administered centrally by qualified organizations that help coordinate health information exchange. This would eliminate a lot of waste and confusion while giving patients a much higher level of visibility into, and control over, how their information is used and where it goes than HIPAA currently allows.
HIPAA privacy is often considered the “third rail” of health policy. Don’t even think about touching it. But this notion has gone too far when we fail to collectively take advantage of clearer pathways for use and disclosure of health information that could both empower and better protect patients as well as improve health information availability and the quality of care.
Dan Orenstein has served as athenahealth’s senior vice president and general counsel since 2010.