July 27, 2014 at 1:32 pm ET
Uncharted Territory: HIPAA In the Big Data Era
Since 2009, the federal government has used its enormous influence to push the health industry to coordinate care, adopt new technologies and cut costs, all in an attempt to move the industry toward a more value-based model of care.
But representatives from a broad swath of the health economy – providers, insurers, and health information technology professionals – say the same resources haven’t been leveraged to update existing regulations or inform the healthcare community about how old rules apply in the new world. They worry that they’re increasingly navigating a regulatory minefield with an out-of-date map.
Of particular concern is the 1996 Health Insurance Portability and Accountability Act, or HIPAA, which governs the transfer of health information data under threat of fines and legal penalties for data breaches and unsanctioned practices.
At a House Energy & Commerce Committee hearing last week, Paul Milsener, Amazon’s vice president for global public policy, told Congress that outdated aspects of the law are impeding his company’s move into the health information technology sector.
“To help accelerate the delivery of new biomedical treatments and cures, Congress could work with the Department of Health and Human Services to modernize implementation of [HIPPA] so that healthcare providers can readily employ the benefits of cloud computing without any compromise of the strong privacy protections HIPAA now affords health information,” Milsener said.
But it’s not just those living on the cutting edge of the industry that say they need guidance. Doctors are dealing with more mundane, on-the-ground concerns every day, and some of their questions seem so basic it’s surprising they could provoke such confusion.
For instance, HIPAA defines the parameters under which doctors can share patient health information with each other. It limits the sharing of that information to an “entity,” which is widely considered to be the one hospital or health system that is caring for the patient.
But under Obamacare, doctors from different health systems are encouraged to work together in accountable care organizations, known as ACOs. These organizations can take many forms, but most often aim to get providers to coordinate care to make it cheaper and more effective. So is a singular ACO an “entity,” even if it involves many different providers? And if so, what kind of ACO qualifies?
“HIPAA was enacted in 1996 and they couldn’t have anticipated the current healthcare environment,” said Blue Cross-Blue Shield of North Carolina Chief Medical Officer Susan Weaver. The insurance company is operating several programs that aim to get providers to coordinate care.
“When everyone worked in individual silos, it was clear,” she continued. “But now they’re encouraging people to practice across a continuum, so that’s where there’s some confusion, and this is undermining the effort to leverage data for quality and efficiency, so we need some clarification and guidance.”
Basic technology is also causing HIPAA heartburn within the medical community. The law still levies penalties based on the volume of data that’s been compromised in a security breach, but it was passed at a time when doctors were unlikely to be carrying around thousands of files. In today’s world, a doctor could have exponentially more sensitive information on a laptop or even a phone, so providers would like to see a new way of assessing penalties that moves away from a volume-based system.
Tele-health has its own HIPAA challenges. Take, for example, consumers who want to communicate with doctors over Skype. Skype is not a secure network, and the company isn’t required to comply with HIPAA. That means if a doctor’s Skype consultations are breached, the doctor alone could be held responsible. Physicians remain on the hook even if they’ve adequately encrypted all of their data and communications. So should they sign a business associate agreement with Skype? What incentive would Skype have to do such a thing?
“None of these things were available or widely used in 1996 when HIPAA passed,” Weaver said. “Some clarity would be extremely beneficial, and now with EHRs becoming a bigger and bigger part of the equation, we need this clarity to leverage data to drive quality and efficiencies.”
The issue will soon extend to even more personal devices, like health and fitness trackers, where doctors may have access to, for instance, a patient’s glucose level through an app on a smart-watch. Some physicians are hesitant to adopt new technologies out of trepidation over potential penalties stemming from the unintentional misuse of little-understood digital platforms.
David Vockell, the CEO and founder of Lyfechannel, which develops lifestyle programs for diabetics and requires an open patient-provider communication lines, testified to E&C that it could be as simple as HHS explicitly defining “this is what’s covered, this is what isn’t,” for those who fall under HIPAA’s reach.
Providers say they also want clarity in the form of boots-on-the-ground training and educational resources from the government on how to navigate this new terrain. They say they’re encouraged by the federal government to coordinate, but are left reading tea leaves when it comes to the government’s regulatory intent and the potential vulnerabilities they face in the new healthcare economy.
Still, most say the health law and HIPAA aren’t in conflict with one another, and that HIPAA doesn’t necessarily need to be overhauled. Rather, they say the government needs to provide clarity, oversight, training and education to make sure the public and private sectors are on the same page.
“Until we have some clarity, it’s hard to even know what a Congressional overhaul [of HIPAA] would entail,” Weaver said.
For now, organizations like the American Medical Association are working to educate their members with what they know through online Q&As, tutorials, and the like, but more is needed, doctors say. Health and Human Services spokeswoman Erin Shields said the agency will “continue to address this issue.”
But there are signs Congress is ready to act, although in what capacity remains unclear. At the E&C hearing, Rep. Diana DeGette (D-Colo.) mentioned working with Chairman Fred Upton (R-Mich.) on legislation that could be ready in the fall.
“HIPAA is one of many issues that people have raised,” a spokesman for DeGette told Morning Consult. “Congresswoman DeGette will be working to maintain the right balance between patient privacy and the possibilities that data holds for transforming medical treatments and cures.”
At the E&C hearing, lawmakers seemed optimistic they could do something to ameliorate confusion over the law. But with the potential to get tied to Obamacare political battles, and Congress’ focus on the midterm election, any HIPAA clarity may not be able to escape congressional gridlock.