Since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, “HIPAA compliance,” “HIPAA violation,” and other such terms have become a familiar part of our national lexicon. And yet 20 years after its passage, HIPAA is not only often misunderstood, but also ever so slightly out of date—and potentially in need of an upgrade. This is the case that (as first reported by MedCity News) the AHIMA Journal’s Mary Butler makes in a new essay assessing the two-decade-old law originally designed to promote the portability of health information. “Though it is over 20 years old, it appears HIPAA is still not completely understood by patients and providers,” she notes.
The essay outlines several of the key challenges HIPAA faces today. As Butler explains, one of the most common misconceptions people have about HIPAA is that it is a law designed to protect patient privacy, while in reality, lawmakers had sought to promote the portability of patient health information. (Among other attempts to remedy this, the Office of the National Coordinator for Health IT [ONC] has recently attempted to clarify the law’s intentions.) What’s more, HIPAA was drafted, passed, and signed at a time when the Internet was in its infancy—as was telehealth. As a result, the law doesn’t always account for modern privacy and cybersecurity challenges (the skyrocketing number of data breaches in the past few years, for example), or for the use of telehealth technologies. It also doesn’t account for some modern patient preferences—as Butler points out, many people want to be able to text with their doctors, and to have their information easily shareable, electronically, among their various providers. Finally, further complicating matters: a number of states have developed their own, stricter laws governing patient data and privacy.
What, then, should be done to bring HIPAA into the modern era—or should it be scrapped altogether? Butler sought input from a number of industry experts, all of whom offered differing opinions on the best way forward. While all essentially agreed that the “intentions” of HIPAA were the right ones, some felt it should be replaced, while others asserted that it should simply be supplemented. Those interviewed also had different views on whether a national privacy law would be a viable option, with some arguing that it would go a long way toward “consistency” among states, and others asserting that it would be best left to states themselves. But there was strong agreement that, whether in the form of a replacement for HIPAA or a series of supplemental laws, lawmakers must account for modern technology and patient preferences. “We’re never going to be done in this area,” Joy Pritts, who formerly served as chief privacy officer at ONC, told Butler. “It’s evolving constantly and we do need to keep up with the way data is generated and exchanged.” What’s more, breaches need to be addressed; Butler points to new efforts to utilize blockchain technology to enhance interoperability—and security—as one example of potential industry solutions. For her part, Lucia Savage, who worked at ONC under President Obama, encourages lawmakers to incentivize innovation. “I think, to me, the best course is to really have competition for the best in class and let the consumer pick what’s right for them,” she noted.