What do the phrases federal regulation and HIPAA compliance bring to mind? If you work in healthcare, particularly in healthcare information technology, probably not much that's positive. That's too bad, because the Health Insurance Portability and Accountability Act of 1996 has on balance been a very good thing for healthcare and health IT. And the next version of HIPAA (call it HIPAA 2) could make things better still.
HIPAA has surely forced most healthcare organizations to get serious about information security, perhaps for the first time. In too many cases the deep caring about information security professed by many people in the field was not enough to prompt spending serious money on it, to require health workers to take their security duties seriously or to educate healthcare customers about their information rights.
It's true that HIPAA hasn't done much to fix health privacy problems overall, but only a fundamental change in the way U.S. healthcare is financed can do that. People still worry about how their health information is going to be used, clearly not an irrational fear when loss of insurability is an ever-present threat. When patients read their HIPAA-required privacy notices, they learn the uncomfortable truth that their information can be used for just about anything in order to make the system run.
What about healthcare workers? The act doesn't require that organizations' policies or worker training for HIPAA be in plain language. But neither does it require the kind of mind-numbing verbiage to which so many organizations resort. No wonder most people in healthcare exposed to HIPAA view it as a silly annoyance at best: the reason they now have to append a confidentiality notice to the e-mail about the office picnic.
But even assuming HIPAA is a good thing on balance, why do we need a HIPAA 2? It's because so much has changed.
Centralized and sharable electronic medical records were much on the minds of HIPAA's drafters, and were the rationale for most of its security provisions. Everyone assumed that the cost-effectiveness of EMRs over paper was a self-evident truth even back in the 1990s. It has taken more than a decade for that conviction to manifest in healthcare organizations, if you measure belief by actual deployments. But now that EMRs are arriving in force, regulatory refinements will likely be required.
Health information has changed, too. Once-exotic genetic information has become ubiquitous, and the day when it makes up part of everyone's healthcare record is fast approaching. HIPAA punted on that issue, as it did on virtually every other special type of information, with the exception of psychotherapy notes. State regulations have had to fill the void.
The relatively recent spread of electronic personal health records may be an even greater challenge. Major technology players such as Microsoft Corp. and Google, EMR vendors and others have joined to deploy more than 100 versions of PHRs to date. Individuals' PHR-based record-keeping could change the very nature of how health information is collected and used.
Recently the National Committee on Vital and Health Statistics has been among those pondering how HIPAA might be updated. As the NCVHS notes, the focus under HIPAA until now has been on regulatory constructs like covered entities and business associates to protect health data. Concomitantly, far too much time and money have been wasted on consultants and lawyers who have to advise providers on who is covered by what under the complex HIPAA rules, with the central aim of protection from liability instead of how to actually safeguard patients' information.
The NCVHS prefers we focus instead on having protections for all uses of health data and all types of users. The entire spectrum of uses and disclosures would be guided by the notion of data stewardship rather than simply focusing on minimal compliance with the rules.
HIPAA 2 should be seen as an opportunity for providers to partner with their workers and customers to treat health information appropriately, a good deal for everyone.