Is it time to rewrite HIPAA regulations?


In today’s world, fitness and health tracking apps are becoming more and more a way of life. We record our sleep patterns and the snacks we eat between meals. We count our steps and monitor our workouts at the gym.

These types of applications have not only helped bring awareness toward living a healthy lifestyle, they’ve helped patients take charge of their own healthcare data.

Those are all very good things. But there may be unintended consequences to these wide-ranging smartphone applications and wearable devices, and those consequences led to a very interesting debate last month.

HIPAA for the Future

In issuing a 32-page-long report to Congress, the U.S. Department of Health and Human Services and the Office of the National Coordinator for Health Information Technology raised a very important point regarding the rise of healthcare apps.

“While HIPAA serves traditional health care well and continues to support national priorities for interoperable health information with its media-neutral Privacy Rule, its scope is limited,” the report read.

In other words, the regulations in place to protect patient data, specifically HIPAA, aren’t keeping up with the latest technological advances. Nor do they do much to give the developers of these apps guidance on what information needs to be protected.

The logic in the report makes sense: HIPAA and other healthcare privacy regulations were all written well before these apps were even dreamed up, let alone a reality. HIPAA was enacted in 1996, before our nation really had significant widespread access to this new thing called the internet.

So, that raises a pretty substantial question: Is it time to rewrite HIPAA? Or even replace it with other data privacy regulations?

One week before the HHS and ONC issued their report, a group of professors and health technologists testified about these challenges. Nicholas Terry, a professor at Indiana University, explained the complications and confusion of current privacy regulations for healthcare app developers.

“Let’s say I use an app to access my EHR,” he said. “The moment that that data leaves the EHR and enters the smartphone app, there is considerable confusion as to the legal state of it. If that app was provided by the hospital or a business associate, then the HIPAA shield would be all over it. If it was not, if it was an app the patient just purchased from the app store, it’s highly likely HIPAA would not apply. So now you have two sets of identical data, one bundle is subject to the most stringent privacy laws we have in this country, the other is essentially unregulated.”

Terry has an extremely valid point. The line between what needs to be protected by HIPAA and what doesn’t has become extremely blurred as these apps continue to integrate into the healthcare industry.

Here’s the interesting thing, though. In their report, the HHS and ONC didn’t make any concrete recommendations on how to proceed, but simply identified the gaps within the regulation.

“Wearable fitness trackers, health social media and mobile health apps are premised on the idea of consumer engagement,” the report read. “However, our laws and regulations have not kept pace with these new technologies. This report identifies the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared and used by [entities not covered by HIPAA].”

While the report didn’t issue recommendations, one of the healthcare technologists who testified before the report was issued said that a starting point might be to change the way healthcare data is classified.

“In my mind we have to set a very clear bar between what’s recreational (data) and what’s professional (data),” said Dr. Matt Patterson, the president of a healthcare technology company. “And I don’t think it’s ‘who’s using it’ but I think it’s more related to the level of risk and the safety involved. Subsequent to that, there has to be a crosswalk capability that allows recreational data to be ‘drafted to the big leagues.’”

So, while we’re living in an era of constantly evolving healthcare regulations, it’s time to put HIPAA on our watch list. Will changes be coming? We don’t know for sure, but the case has very strongly been made for modifications if not complete reform of HIPAA.
