Is HIPAA outdated? AHIMA questions whether law is keeping pace with change
It's been more than two decades since President Bill Clinton signed the Health Insurance Portability and Accountability Act into law in 1996. Since then, the rule has arguably become far more synonymous with its privacy provisions than the health plan flexibility for which it's named.
And 20 years later, its rules – made all the more complex by the rise of health information technology and the electronic data exchange it enables – continue to confuse patients and providers alike, according to the American Health Information Management Association.
A new article in the Journal of AHIMA asks: "Is HIPAA Outdated?"
After all, writes the journal's associate editor Mary Butler, "HIPAA came of age at the same time as the Internet—though policymakers couldn’t have foreseen how much the two developments would grow to impact each other."
The explosion of digitized and connected health over the past two decades has led many to call for the law to be rethought, she said.
"Mobile health devices such as the FitBit, electronic health records, telehealth services, social media, and other wearable health trackers have taken on a life of their own, outpacing privacy regulations – even with the HITECH update to HIPAA in 2009 and the Omnibus Rule changes in 2013 – creating recent gaps in national privacy and security law. Some see this as a gap in HIPAA that should be filled."
AHIMA's Privacy and Security Council spends a lot of time working to improve patient understanding of HIPAA – for instance by developing a form that accompanies the Notice of Privacy Practices filled out by patients when they visit the doctor, spelling out the law's provisions in plain writing.
"HIPAA combined with the HITECH Act strengthened privacy rights and helped patients take greater control over their own health information," said AHIMA CEO Lynne Thomas Gordon, in a statement.
Still, she added, "as technology continues to advance rapidly, the challenge is to ensure HIPAA keeps pace. Regardless of how HIPAA evolves, AHIMA will remain focused on helping patients recognize their rights to their own health information and assist providers with compliance."
In the Journal of AHIMA article, Butler spoke to two recent chief privacy officers at the Office of the National Coordinator for Health IT.
Joy Pritts, who served at ONC from 2010 to 2014 and helped shape the 2013 Omnibus Rule, said more stringent state laws have led to stronger privacy protections in HIPAA.
"If you didn't allow the states to do something in this area, we wouldn't be where we are today," she said. "We would not have breach notification in HIPAA if states had not started breach notifications – California in particular. I'm not in favor of federal preemption of state law because that's where a lot of the good ideas originate."
Pritts added that it's not just HIPAA that could use updating, but the larger regulatory structure at the federal level: "I would make it a little more uniform between the kind of sensitive information that's covered by HIPAA and what's covered by the Federal Trade Commission," she said.
Lucia Savage, who was chief privacy officer at ONC from 2014 until earlier this year, said a big challenge is that consumers have embraced mobile technology to a degree most providers have not, and expect their health data to be shared as easily as they access other information.
"We've done a really excellent job of raising the awareness of the importance of privacy among healthcare professionals and office managers," she said, "but in this particular case we maybe overcorrected. We need to swing the pendulum back a little bit. For a patient to be told 'I can't give you information about you,' it just doesn't hold up to scrutiny."