By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure
The development of new technology in healthcare and the massive expansion in sources of healthcare data have both created many complications when it comes to protecting and securing sensitive information about individuals. Inevitably, the discussion then turns to the role of HIPAA, which then turns to HIPAA not meeting current needs.
Recent Example of HIPAA Not Being Enough
A recent article starts off by describing HIPAA as “appearing[ing] obsolete and riddled with new technology-induced gaps.” The article goes on to detail new forms of healthcare technology that have arisen since HIPAA was initially enacted in 1996 as well as new areas of healthcare information. The article references iPhones being years away at that time, which doesn’t even start to touch upon all of the new patient/customer facing developments.
The still emerging issues around pixel tracking on websites were also cited. Websites from additional companies were found to contain tracking technology as well as additional findings that hospital websites continue to send out data despite earlier reports that drew negative attention.
The article then goes on to talk about exposure concerns through social media and direct to consumer companies. In each of those areas, data can be used and disclosed in very unexpected ways. At the same time, it may be easier for third parties or government agencies to access information in those arenas. All of the access could result in unexpected consequences for individuals.
After identifying the concerns, the article raises the possibility of industry developing its own standards for improving privacy protections of health data. Alongside potential industry initiatives, tweaks to HIPAA are called for, including modifying access controls and changing enforcement to criminal (it is worth noting that HIPAA already has criminal penalties in certain circumstances).
Is HIPAA Missing the Mark?
A fundamental question underlying all of the discussion is whether HIPAA is actually missing the mark. HIPAA arguably works as it was designed to work. It sets clear standards (at least relatively clear when compared to other healthcare regulations) for the privacy and security of healthcare information. The Privacy Rule lays out uses and disclosures in a number of circumstances along with a number of individual rights when it comes to that information. The Security Rule then lays out a flexible framework that guides organizations toward the foundation for strong protection of the data under each organization’s control.
HIPAA then clearly identifies what organizations need to comply with the requirements set out in the different rules that it is comprised of. As should be well understood, covered entities and business associates need to comply with HIPAA. The scope of entities swept into the ambit of HIPAA can become quite broad when looking at the definition of those terms. Admittedly, covered entities could be somewhat limited as it is really just healthcare providers (hospitals, physician practices, long-term care, and other care delivery organizations) and health insurance (which can include components of many employers). The bigger category then becomes the business associates, even when arguably a number of business associates don’t fully understand when HIPAA becomes applicable.
From that basis, HIPAA is very likely working as intended. What is that intent though? HIPAA is and was meant to address healthcare information within the bounds of the traditional healthcare industry. Why did that happen? Very likely because that was how the world was organized in the mid 1990s when HIPAA was enacted. Industries did not bleed across lines so much, or at least the intersections between industries weren’t necessarily so obvious back then.
When reframed in that light, HIPAA did fit what it was supposed to do. Further, the inherent flexibility of the security side of HIPAA does allow for the evolution of technology. HIPAA was not locked in stone or so static that it couldn’t keep up with ideas that were not yet conceived when the law was passed.
Expansion Outside the Traditional
If there is an acceptance that HIPAA works as intended, then how should the growth of non-traditional healthcare organizations and solutions be viewed? From one perspective, the emergence of non-traditional healthcare has an element of intentionality when it comes to avoiding HIPAA compliance and application. Some of the companies specifically look for the edges of HIPAA and specifically position operations just outside of those edges. The intentionality to avoid instances where HIPAA will control how healthcare information may be used is not necessarily an inherent flaw of HIPAA.
The ease with which newer organizations and solutions can sidestep HIPAA reflects a couple of points. First, it shows that a privacy and security law hyperfocused on one industry is not a good fit for the path currently being pursued by technology. Companies are smart and will seek out ways to make operations easier and less subject to outside scrutiny. No one wants to have a government agency looking over their shoulder, so why not create a permissible setup that avoids those problems.
Second, and arguably an expansion of the first point, a siloed approach to privacy does not align with the current state of the world. Technology has created so many points of intersection and eroded so many walls that historically existed that old approaches are unlikely to work. Arguably, that is why a number of other countries and some states have moved in the direction of enacting comprehensive privacy schemes that attempt to address privacy from the data perspective first as opposed to coming at the issue from an industry perspective.
The Other Problem: Misunderstanding
Leaving aside whether the scope of HIPAA is appropriate or meets current needs, an ongoing problem is the lack of full or accurate understanding about what HIPAA does. Jokes about HIPAA gained steam throughout the pandemic, but not appreciating what HIPAA does has been a longstanding problem. If organizations have not taken the time to read through the rules and interpretations then it is hard to comply with those rules.
The misunderstandings then lead to making false assertions about HIPAA, which often goes in the direction of making things more difficult when it comes to accessing information or protecting it. Arguably, that could be part of the reason why some of the recent complications have arisen, such as all of the website tracking that has been implemented without due consideration. Improving understanding will not solve the inherent scope limitations of HIPAA, but it could at least set the stage for improvement.
Where to Go From Here?
What will the future path be for protecting the privacy of information, whether it be healthcare or other information? A strong position would be taking the approach mentioned before, which is to have a comprehensive privacy scheme enacted that is not limited to one industry. A piecemeal approach will always create gaps because the piecemeal approach inherently does not even try to address all instances. Going industry by industry just makes it more likely or possible for companies to find ways to sidestep situations where the requirements apply, which just gets back to the current situation.
The contents and requirements of what should go into the comprehensive privacy scheme are open for debate. However, it is important to have that debate so that progress can be made. Being stuck in the same situation will just allow the same problems to continue, which does not really help anyone. Now, will the moment be seized and new opportunities created?
This article was originally published on The Pulse blog and is republished here with permission.