From his perspective as a sometimes venture capitalist, Smith replied, he's seen a lot of “small companies that don't go forward (with innovative plans).” Why? HIPAA.
“Once they understand the HIPAA penalties, and the machinery involved, and the limitation that imposes on the value that they can create, they demur,” he said, making the healthcare system poorer, in terms of innovation, in the process.
“Perhaps we, in an effort to protect the patients, are constructing a healthcare system that they and we cannot afford. And we're putting the balance in the wrong spot,” he said. “We may be protecting (patients) to death.”
Paul Misener, vice president for global public policy with Amazon.com, argued that the current interpretation of HIPAA harms the delivery of new treatments—and his company, which is the market leader in cloud computing services.
Currently, he argued, the law considers Amazon's cloud services division to have increased responsibility when sensitive health information is stored there, even though Amazon has no access to the encrypted health information in question. That requires extra paperwork, he explained.
Mary Grealy, the president of the Healthcare Leadership Council, offered the most thoroughgoing argument for reform. In her organization's estimation, there are a few areas that need reform: the authorization procedures in HIPAA impede the adoption of big data analysis tools; the de-identification standards in HIPAA impede research; and the patchwork of 50 sets of state privacy laws makes compliance difficult.
Accordingly, Grealy called for a national privacy framework. The framework would allow organizations to match patients to their records, to take one example. Another example, provided in her written testimony, concerned Institutional Review Boards, the bodies that oversee academic research. Currently, they often misunderstand privacy rules, Grealy argued, leading them to impose additional restrictions with no privacy gains. Reform would strip the boards of that obligation.
Other witnesses took different tacks regarding privacy laws. Dr. Martin Harris, the chief information officer at Cleveland Clinic, said that he's “not looking to change” HIPAA.
“What I'm looking for is to empower a patient to choose to opt out of it, should they want,” he said. Allowing patients to opt out will create “an activated patient, an engaged patient, a patient who will help redesign the delivery system.”
This climate of rethinking privacy rules is neither limited to the Energy & Commerce Committee, nor limited to HIPAA. A Wednesday event on Capitol Hill advocating for bills that would direct electronic health record incentive dollars to behavioral health providers also featured comments on privacy.
Dr. Joseph Cvitkovic, the director of behavioral health care at Jefferson Hospital in Pittsburgh, said that it's time to “open the doors and windows and really look at what is legitimately right for privacy issues and where we come down, and what's best for patients and families.”
Al Guida, the leader of the Behavioral Health IT Coalition, which hosted the event, agreed. Guida pointed to regulations “more stringent than HIPAA” that pertained to patients with addiction disorders. “That legislation was passed in 1972; it did not envision digital worlds,” he said, saying that the Substance Abuse & Mental Health Services Administration's reconsideration of patient consent regulations for health information exchanges and accountable care organizations would be critical.
The advocates for different privacy regulations are echoing points from the broader software community. For example, Larry Page, the CEO of Google, has expressed his irritation regarding privacy laws in health before. In an interview given last month, he discussed a hypothetical in which researchers “had the ability to search people's medical records in the U.S. … Maybe with the names removed.”
“I imagine that would save 10,000 lives in the first year,” he said. But, he concluded, “That's almost impossible to do because of (HIPAA).”
It's unknown what practical effect these advocates will have. Representatives on the House Energy & Commerce Committee have not directly tipped their hand on privacy, though perhaps their choice of witnesses is illustrative of their feelings. Committee chair Rep. Fred Upton (R-MI) has said that the Committee intends to come out with a framework for a 21st century cures bill by the end of the year, with potential action following in 2015.
Follow Darius Tahir on Twitter: @dariustahir