Chasing Technology for 25 Years

HIPAA consistently falls behind health and wellness technology, jeopardizing the privacy of individuals.

Limited by its precursors and its own genesis, the Health Insurance Portability and Accountability Act (HIPAA) has spent a quarter of a century catching up with technologies connecting to health care and wellness.

Before the misnamed HIPAA Privacy Rule, the common law required health data confidentiality. Confidentiality is not privacy; it only protects against the disclosure of data, not its collection. In the mid-twentieth century, the common law of confidentiality emerged not because personal health information deserved protection in its own right, but because clinical and public health needs required individuals to disclose health information in order to facilitate their respective narrow or far-reaching tasks.

These clinical and public health priorities explain much of the structure of HIPAA. For example, the protective aspects of HIPAA are often subordinate to its permitted disclosures. HIPAA’s confidentiality roots were not limited to protecting against disclosure; they also presupposed a traditional health care relationship, such as that between a doctor and a patient, i.e., between the data subject and the data custodian.

In contrast, information technologies now enable far more promiscuous data flows, in which the data subject often does not know the identity of the custodian.

The HIPAA Privacy Rule is wordy and complicated, and it contains no general principles to educate the reader or aid in interpretation. It is therefore hardly surprising that over the decades people have misunderstood HIPAA. It has been cited as the legal basis for all manner of untenable positions. Recently, for example, some commentators have taken the ridiculous position that HIPAA makes it illegal to ask about someone’s vaccination status!

More broadly, providers have cited the HIPAA Privacy Rule to justify “information blocking,” seeking to keep what they see as proprietary information within their own networks, to keep health data out of the hands of “Big Tech,” or, perversely and contrary to HIPAA’s own access rules, to decline patients’ requests for their own records. Just recently, the U.S. Department of Health and Human Services (HHS) proposed changes to the rule to improve patient access and coordination of care between providers.

However, these issues pale in comparison to HIPAA’s biggest limitation. Simply put, HIPAA does not protect all health data. Rather, it limits the disclosure of some health information by traditional health care providers and health insurers. As more and more health data is generated outside of traditional health care, the protective reach of HIPAA diminishes, putting it at a disadvantage in a world of digital health.

Born into a world of medical records and reimbursement that was a somber celebration of paper-cluttered filing cabinets and the staccato rhythm of fax machines, the architects of the HIPAA Privacy Rule at HHS understood their work to be part of the effort to bring health care stakeholders “administrative simplification,” or more efficient technological communication.

The mandate to create better technological communication comes from Title II of HIPAA, which also gives HHS its privacy and security regulatory authority. However, HHS may not have anticipated the complex race with information technology that has unfolded over the past quarter century, a race in which HIPAA’s influence has been increasingly marginalized.

HIPAA was enacted not long after the internet was created, but before the internet became as popular or as commercially used as it is today. In fact, only a few providers were using information technology at the time. The HIPAA transaction rules forced health insurers and providers to adopt e-commerce tools and fill electronic “envelopes” with the patient information required for reimbursement and related transactions, while the HIPAA Privacy Rule provided a legal framework to protect against disclosure of this newly transferable health information.

As providers became more closely linked and policy makers began to subsidize specific technologies, such as electronic health records, it became apparent that HIPAA’s privacy regulations were lagging behind. Soon the federally funded “meaningful use” subsidy program dramatically increased the adoption of electronic health records.

Scholars have spilled a great deal of critical ink on meaningful use. What is clear, however, is that, like it or not, the U.S. health care system quickly became the collector and custodian of billions of patient health data points. Alongside the subsidy program, a few years into the electronic health records revolution, the HITECH Act of 2009 responded with some heightened HIPAA protections, such as restrictions on the sale of protected health information, breach notification, and more robust enforcement.

While chasing one technology, electronic health data collection, HIPAA was unprepared for the next big revolution: digital health or wellness data generated by patients and consumers outside the health system, through apps on phones and wearables, or through the countless “smart” devices in households and cars known collectively as the “Internet of Things.” The collectors or custodians of this data are rarely traditional health care providers, insurers, or their business associates. As a result, HIPAA protections simply do not apply to this data.

In the meantime, American companies were realizing the value of health data. Individuals and companies building artificial intelligence or robotics for health care need clinical and health data to feed their machine learning algorithms. Other companies, known as data brokers, sell “scores” based on an individual’s financial, physical, and mental health to life insurers, employers, and landlords.

Blocked from direct access to health records by the privacy regulations, these data brokers have instead created their own facsimiles of patient records by merging HIPAA data (“laundered” through public health authorities), patient-curated data, and medically inflected data. They have succeeded in creating health-related “big data” in a HIPAA-free zone.

Technology continues to expand the scope of health care and wellness, so that an increasing share of health and wellness data use is not subject to HIPAA, with custodians that are either unregulated or only thinly regulated.

What must seem like a long list of complaints and criticisms of HIPAA must be tempered by the recognition that the limited protection against misuse of health information provided by the HIPAA rules is a positive outlier in U.S. data protection. Consumer data circulating in other sectors lack such substantive protection.

Unfortunately, HIPAA is so uniquely tied to the idiosyncratic structure of the U.S. health care system that it fails as a model for other areas. And the HIPAA architecture makes it likely that it will continue to struggle to keep up with technology-mediated health care and the commercialization of health data.

A partial rebuttal of this criticism is that the U.S. Congress can, and has an obligation to, provide strong protection for health data that circulates outside of traditional health care settings. For example, the HITECH Act authorized the U.S. Federal Trade Commission’s health breach notification rule, which protects the data in user-curated health records.

However, Congress has yet to agree on broader consumer privacy protection similar to what the European Union and the state of California have adopted. As a result, patients who are constantly bombarded with their health care providers’ privacy notices may fail to realize that huge amounts of their private health information are circulating outside of HIPAA’s protection.

Nicolas Terry
Nicolas Terry is a law professor and executive director of the Hall Center for Law and Health at the Robert H. McKinney School of Law at Indiana University.

This essay is part of a six-part series entitled “Looking Back on 25 Years of HIPAA.”