Does HIPAA Need to Be 'Modernized'?
AMIA, AHIMA Want to Update What's Covered Regarding Patients' Access to Their Data
Two health IT professional associations are urging Congress to "modernize" HIPAA to improve and extend patients' rights to securely access, view, download and transmit their health information - including health data not currently covered under HIPAA.
For example, they want individuals to have the right to access their health information from companies offering mobile health apps and health-related social media that aren't now required to comply with the HIPAA provision.
Some regulatory experts say that while patients' right to access their health information is critically important, making major changes to HIPAA as the groups recommend might be difficult or unwarranted.
'Unlocking' Patient Data
In a Dec. 5 statement summarizing a Capitol Hill briefing that same day, the American Medical Informatics Association and the American Health Information Management Association call on Congress to "unlock patient data."
The groups urge lawmakers to approve changes to HIPAA "to improve patients' access to their health information and protect their health data in a burgeoning app ecosystem."
They recommend extending the HIPAA provision on an individual's right to access their health data to include organizations that are not currently considered HIPAA covered entities or business associates, but, nevertheless, manage individual health data. Examples include companies that offer mobile health apps and health-related social media. "The goal is uniformity of data access policy, regardless of covered entity, business associate or other commercial status," the associations note.
"A growing number of mobile health technologies and health social media applications that generate, store and use health data require attention as part of a broader conversation regarding consumer data privacy," the two groups say.
Health Data Set
Another recommendation is for Congress to rework HIPAA to expand the type of health information to which individuals should have access. That could be achieved either by establishing a new term, "health data set," which includes all clinical, biomedical and claims data maintained by a covered entity or business associate, or by revising the existing HIPAA "designated record set" definition.
A new definition for health data set, or a revised designated record set within HIPAA, would better support individuals' right to access their data, the associations argue.
Under the HIPAA Privacy Rule, a patient has the right to access their protected health information in one or more "designated record sets" maintained by a covered entity, in the form, format and manner requested if readily producible, the associations note.
The HIPAA designated record set is defined "as a group of records maintained by or for a covered entity that comprises the medical records and billing records about individuals ... for enrollment, payment, claims adjudication, and case or medical management record systems ... that are used ... by or for the covered entity to make decisions about individuals."
The associations note that the HIPAA Privacy Rule further states that the term "record" refers to "any item, collection or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for a covered entity."
The groups add: "Given the broad nature of HIPAA's definition and HIPAA-related guidance, healthcare organizations have interpreted differently and applied inconsistently which information may be included as part of the designated record set."
This variation has led to discrepancies in the information provided to patients regarding the medical records release process and confusion over how to comply with federal and state regulations, the groups contend.
Do Changes Make Sense?
The proposals from the two associations are drawing mixed reviews.
"I believe there is a lot to like in the AMIA and AHIMA proposals to expand the scope of the HIPAA standards to organizations that are handling health-related personally identifiable information," says attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.
"These proposals from health information professionals present an important countervailing argument to indications from Department of Health and Human Services officials that they are open to scaling back the privacy rule's protections because they are perceived as too burdensome on health care organizations."
But some regulatory experts argue that while patients' right to access their health information is critically important, making the various recommended changes to HIPAA wouldn't be easy. And some question whether the changes are even necessary to achieve the two associations' objectives.
"The goal of AMIA and AHIMA is a very important one - individual rights to their data is an issue that individuals and their advocates feel very strongly about, for very good reasons," says privacy attorney Iliana Peters of the law firm Polsinelli.
But she argues that many organizations that are not regulated by HIPAA already "are making individuals' access to their data a priority, even without it being mandated by state or federal law."
While the HIPAA Omnibus Rule in 2013 made business associates and subcontractors directly liable for HIPAA compliance, "it may be more difficult to expand such liability to entities that are not part of the particular healthcare ecosystem," Peters says.
Holtzman says the proposal to expand the individual right of access to health information stored or maintained by entities that are not currently covered under HIPAA "would add to the present confusing hodgepodge approach to what health information is covered," and he argues that identifying the patchwork of technology vendors and developers who would be subject to expanded requirements could prove difficult.
A better approach, he suggests, would be to give consumers "a national right to privacy of all personally identifiable information collected about them as well as setting a national standard for information security protection and breach notification."
No Easy Answers
Privacy attorney Kirk Nahra of the law firm Wiley Rein isn't sure the changes proposed by the two groups are warranted.
"While patient access remains a consistent problem - because of technology, confusion, intransigence and other elements - I'm not sure this new concept of a designated record set would address any of those issues or is really needed," Nahra says.
"There may be lots of reasons to update HIPAA, but it isn't very easy to take the existing law and just apply it to a broader range of entities that aren't covered today," he says. "If you were going to develop a 'new HIPAA,' that covers all healthcare information, it would need to be a whole new set of rules and not one that only dealt with [patients' right to] access."
Peters notes that the Federal Trade Commission also has jurisdiction in the area of data privacy and security enforcement, including for companies that sell apps or offer social media.
The FTC "has already established breach notification requirements for many of these types of entities, so it may be that the FTC may be better situated to address this particular issue," Peters says.