Health industry must move beyond HIPAA 101

Why is a 20-year-old law still so confusing?

It's ironic that the Health Insurance Portability and Accountability Act, legislation intended, in large part, to simplify the administration of healthcare, continues to confound providers, patients and others, and make the industry more complicated.

You'd think we'd all have the hang of it by now. Evidently not.

The Health and Human Services Department's Office of the National Coordinator for Health IT and Office for Civil Rights are still educating the industry about HIPAA, this week releasing blog posts and fact sheets reminding people that the law does not conflict with interoperability. You don't even need patient authorization for all sorts of data sharing, such as quality assessments and improvements, population health based activities to improve care, patient safety activities and sharing information about a patient's treatment.

ONC Chief Privacy Officer Lucia Savage and Aja Brooks, a privacy analyst at ONC, explain why such reminders were issued, saying:

"At ONC, we hear all of the time that the Health Insurance Portability and Accountability Act (HIPAA) makes it difficult, if not impossible, to move electronic health data when and where it is needed for patient care and health. This is a misconception, but unfortunately one that is widespread. ... What many people don't realize is that HIPAA not only protects personal health information from misuse, but also enables that personal health information to be accessed, used, or disclosed interoperably, when and where it is needed for patient care." 

This comes right on the heels of guidance OCR issued last month reminding everyone about patients' rights to access their medical records, and how they can go about obtaining them.

OCR also divulged why it felt the need to release such information.

"Individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and request fixes to errors in their records, track progress in wellness or disease management programs, and directly contribute their information to research," the agency said. "As the healthcare system evolves and transforms into one supported by rapid, secure exchange of electronic health information and more targeted treatments discovered through the new precision medicine model of patient-powered research, it is more important than ever for individuals to have ready access to their health information. Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change." 

Both sets of guidance are the first in a series on their respective topics (ONC's second, focusing on permitted uses and disclosures, was published today). So one reminder is not enough.

Education and guidance on the law is always a good thing. But you'd think that after 20 years we should be beyond basic training mode on the fundamentals of HIPAA. There are enough other provisions of HIPAA that are newer, yet to be hashed out, more complicated or untested.

For instance, we still don't have a final rule on the accounting of disclosures of patient information in electronic form. We're still expecting guidance on the definition of "minimum necessary." We don't know yet how OCR will interpret the extent that providers need to keep information secret from insurers when patients pay their bills directly, or implement the provision that enables patients to obtain a portion of moneys recovered from HIPAA violators.

Clearly OCR believes that education on the basics is still necessary; otherwise it would not be spending its time and resources on it.

But HIPAA, unlike Meaningful Use, was not rolled out in stages. The industry should have the basics down pat already. - Marla (@MarlaHirsch and @FierceHealthIT)