
While technology and innovation in healthcare have undergone a rapid evolution, the Privacy and Security Rules within the Health Insurance Portability and Accountability Act have remained stagnant, say registered nurse Karen Colorafi and attorney Bryan Bailey.

To that end, Colorafi, an assistant professor at the College of Nursing at Washington State University, and Bailey, of Phoenix-based firm Milligan Lawless, believe the rules should be updated to keep up with “unimaginable” advancements over the last 20 years.

“The Security Rule was created with unusual foresight as a set of flexible requirements that could change and adapt with innovation,” the authors say in a viewpoint published in JMIR Medical Informatics. “Yet every week, the headlines online and in the papers discuss significant HIPAA infractions. ... We listen to stories from our friends and patients about the battles they have mounted to gain access to their own healthcare data.”

Colorafi and Bailey offer recommendations based on one scenario: the electronic health record system demonstration. While demonstrations often are deemed helpful for training fellow providers, they also must be approached carefully, the authors say.

“It is important to remember that innovation does not simply happen once,” Colorafi and Bailey say. “A learning organization will revisit their policies and procedures related to the protection of data at least annually, or when a change in infrastructure demands. [W]e ought to consider that an Act that was innovative in 1996 may no longer solve the problems it was created to address, partly because the nature of the problem has changed.”

Earlier this year, lawmakers chastised the Department of Health and Human Services for what they called “sluggish” and “disappointing” progress on promised updated technical compliance guidance for HIPAA. In particular, the legislators were concerned about a continued lack of clarity about how HIPAA applies in a mobile environment, saying such murkiness prevented consumers from benefiting from connected health technologies.

Still, many in the industry already don’t take proper steps to ensure HIPAA compliance, meaning HHS officials must address similar issues year after year.