John Halamka and Deven McGraw: HIPAA not 'behind the times'

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is not as "behind the times" as some detractors of the law maintain, say Beth Israel Deaconess CIO John Halamka and newly named Office for Civil Rights Deputy Director for Health Information Privacy Deven McGraw.

Halamka and McGraw, in a commentary posted to the Agency for Healthcare Research and Quality's online journal and forum WebM&M (Morbidity and Mortality Rounds on the Web), detail HIPAA's history and examine how the law's interpretations have changed in the 19 years since its enactment.

They call the legislation's privacy rule--which applies to both electronic and paper-based information--"medium-agnostic," and label the security rule--which applies only to electronic health information--"flexible," particularly in the wake of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, the basis for the Meaningful Use incentive program.

Still, they say, as the industry continues to move away from paper and requires increased sharing of information to improve care quality, legislators must be mindful to continually adapt to the times.

"HIPAA's framework may need to flex and bend to meet the needs of a new health data ecosystem," Halamka and McGraw say. "Policymakers should endeavor to do more to ensure this framework continues to enable the kind of responsible health data sharing that is needed to improve patient care, population health and the greater patient engagement."

What's more, Halamka and McGraw say that healthcare entities--providers, in particular--should avoid using HIPAA as a scapegoat for being overly cautious regarding the sharing of patient health information with other providers or caregivers.

"Although intersecting federal and state laws on this topic can often be confusing and are a significant source of frustration, providers should still seek to avoid over-interpreting. ... Low tolerance for risk with respect to compliance with privacy laws can ... actually impose significant risks on patients."

A report published by the Office of the National Coordinator for Health IT in April blames both providers and vendors for information blocking in healthcare. It notes that some health systems engage in information blocking to "control referrals and enhance their market dominance" while incorrectly using HIPAA as a shield for doing so.

"It has been reported to ONC that privacy and security laws are cited in circumstances in which they do not in fact impose restrictions," the report says.

Halamka and McGraw add that despite the tradeoffs between convenience and security, "there no longer needs to be a tradeoff between privacy and safety." HIPAA's Omnibus Rule, unveiled in January 2013, provides adequate guidance to share data while maintaining privacy.

OCR Director Jocelyn Samuels made a similar assessment last month at the Health Privacy Summit in the District of Columbia, calling it a "false dichotomy" that privacy and data sharing are always at odds with one another.

"I don't want to set this up as a zero-sum game where in order to get privacy you have to abandon data sharing, or in order to do data sharing you have to abandon privacy," Samuels said.

To learn more:
- here's the commentary

Read more on