AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world.

The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology.

HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data; although many patients are confused about what data they are able to access and what their rights actually are.

The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access.

Healthcare providers often provide access to a limited range of patients’ health information via patient portals – information such as prescribed medications, allergies and lab test results; however, AMIA suggests the HIPAA Privacy Rule should be clarified so patients are aware they have the right to access all health data held by a covered entity in a designated record set or to obtain a digital copy of their legal health record. In the paper it is suggested this could be clarified in guidance from the Office for Civil Rights rather than a HIPAA legislation update.

However, an update to the legislation has been suggested to cover mHealth apps and related technologies. Currently, health data is collected, stored, and transmitted by a wide range of non-HIPAA-covered entities, yet non-covered entities are not required to provide users with access to their data.

If HIPAA is not extended to include these non-covered entities, AMIA suggests there should at least be HIPAA-like requirements for non-covered entities that would allow users of mHealth apps to gain access to their data. An alternative would be for industry stakeholders to develop codes of conduct that could be followed to ensure patients are able to access their data, if required.

Currently, non-covered entities are able to collect, use, and share ‘PHI’ in ways that may place patients’ data at risk of exposure or could result in data being shared improperly. The researchers suggest “HIPAA should be strengthened and extended, in particular to accommodate the broader set of data and stakeholders that are relevant to patient health, such as data from the use of Fitbit and Apple Watch.”

AMIA also suggests more needs to be done to make it easier not only for patients to access their data, but to pass on the information to other healthcare organizations. “EHR certification and health care system accreditation should be tied to making it easy for patients not only to obtain their data, but to obtain the data in a manner that preserves “computability” and standardization such that the data can be readily transferred to and consumed by other health IT systems with little or no need for further processing.”

AMIA also recommends federal officials and private sector stakeholders develop a process for vetting mHealth applications to ensure they have a minimum level of privacy, security, and safety protections.

Federal agencies should also collaborate to create a policy framework for research and innovation; “a framework that includes “common rule” updates to facilitate secondary use of data for research, common Data Use and Reciprocal Support Agreements, common enforced technical functionalities and specifications based on standard APIs, and data portability from HIPAA-covered entities.”

In total,  17 policy recommendations were made. The paper was recently published in JAMIA.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.