Has health IT’s rapid growth rendered HIPAA obsolete?

Privacy experts wonder whether a 20-year-old law needs an overhaul to align with health IT innovation.

More than two decades after HIPAA was signed into law, privacy experts are split on whether the landmark privacy legislation needs a reboot to keep pace with a rapidly evolving, data-centric industry.

But exactly how the law should be updated remains a point of contention among privacy officers, according to an article in the Journal of AHIMA, published by the American Health Information Management Association.

Although HIPAA has undergone several updates since it was passed in 1996, some argue that new privacy laws can fill the gaps where the law has been outpaced by technology advancements—like mobile apps and wearables—that generate more shareable health data for patients. Others say HIPAA could benefit from an update that would encapsulate telehealth, patient portals and other electronic forms of communication, like texting.

Researchers have raised similar concerns about HIPAA, noting that a 20-year-old law may not be adaptive enough to keep pace with innovation. Before she left the ONC, chief privacy officer Lucia Savage, J.D., highlighted the agency's "unusual role" in ensuring that health IT takes privacy concerns into account and outlined ways in which the agency was working to safeguard electronic patient information.

In many cases, states have already filled in the space where HIPAA has fallen behind by creating more stringent local laws that attempt to keep pace with the current technology climate. But a wide array of regulations has also led to confusion for hospitals and patients. Joy Pritts, J.D., the former chief privacy officer at the Office of the National Coordinator for Health IT, told the Journal of AHIMA that a broad privacy law probably isn’t politically feasible, and an ideal solution may come from developing an FTC-regulated code of conduct for organizations that fall outside of HIPAA’s purview.

“It’s not just a question of does HIPAA need to be fixed or improved, it’s whether regulatory structure needs to be improved,” Pritts said. “That’s what I would focus on personally and in doing that I would make it a little more uniform between the kinds of sensitive information that’s covered by HIPAA and what’s covered by the FTC.”

The industry's push toward interoperability and data-sharing means the dynamic between HIPAA and technology will continue to evolve. The federal agency that enforces HIPAA, the Office for Civil Rights, is expected to release HIPAA guidance at the end of the year addressing texting and privacy breaches. The agency has beefed up enforcement over the past six months, announcing several multimillion-dollar HIPAA settlements following a record-setting year of cybersecurity breaches in healthcare.