By Josh Douglas, Chief Technology Officer, Bridge Connector
Spending a career in health IT means I have heard many interpretations – both right and wrong – of the often-cited patient privacy law, the Health Insurance Portability and Accountability Act of 1996, or HIPAA. Unfortunately, those who have not studied these highly complex rules are very likely to misinterpret it. This is not surprising, as a law degree and time on the bench is likely needed to make sense of the complicated legalese in the 115-page document.
From my perspective, HIPAA was written to protect patient privacy, not to create data silos that reduce the quality of care. The act stipulates how patient data should be shared and who it can be shared with, but it does not prevent data sharing. Additionally, HHS released national standards for the security of electronic protected health information (e-PHI) and published the Security Rule in 2003 to enhance confidentiality. However, the act is often misinterpreted and cited as a hindrance to innovation. Not only is this a false narrative, but if we put in place portions of the law that have not been implemented, HIPAA would actually play a larger role in improving health IT, making the U.S. healthcare system more cohesive and better for patients.
As we think about how health IT will evolve in the next decade and solve the inadequacies in data integration that the COVID-19 pandemic has exposed, the industry needs to find solutions that build a more interoperable healthcare ecosystem. For example, if I visit my primary care physician, a local urgent care, and an outpatient radiology clinic on separate occasions, each of those providers should have a matching, comprehensive record of my medical history without asking me to rewrite it myself on a clipboard. Accurate, timely patient data is the most valuable resource in our industry and needs to sit at the center of healthcare.
The technology world has changed drastically since 1996 when HIPAA was implemented – and so has our perception of data and data privacy. In fact, a recent poll of over a thousand adults from the Pew Charitable Trusts suggests patients are increasingly comfortable with data sharing. Sixty-one percent of those polled were in favor of gaining access to their health records via mobile applications. As the digital native generations – Gen Z and Millennials – continue to make up a larger percentage of the population and patients increasingly feel their data is secure, that number will surely grow.
These are the ways we can use HIPAA and other existing legislation to improve data interoperability and make the U.S. healthcare system more effective.
Building A Unique Patient Identifier
If every part of the law was executed as intended, HIPAA would play a larger role in improving our health system than it does today. For instance, the law mandates the establishment of “a standard unique health identifier for each individual, employer, health plan and healthcare provider for use in the healthcare system.” A unique patient identifier (UPI) would have a tremendous impact on healthcare data because it would establish, for the first time, a digitized, holistic view of every patient. Some version of a UPI has been implemented in many sophisticated healthcare systems around the world and has proven beneficial to patient outcomes.
Up until this point, Congress has not supported funding a UPI, citing a potential threat to patient privacy. However, if we are going to improve patient outcomes, we need to reconcile security concerns while making information shareable across data systems. While there are certainly security considerations that need to be handled with care, I believe it is possible to create a secure, private and universal UPI system – and that the benefits would be well worth it.
To help close the gap between legislators and innovators, we must consider security technology advancements since HIPAA was signed into law in 1996. Blockchain was years away from common use then, and we can now leverage modern technology for truly unique identifiers in patients, such as genetic markers. Additionally, de-identifying patient data is a process that more private companies have focused on in recent years with an eye toward safe data sharing, but it removes important information that could be used to improve patient care through analytics. For instance, removing a patient’s birth date precludes the ability to stratify medical conditions by age.
Any of those solutions could help create a secure UPI that ensures all data remains with the individual patient and the relevant providers who need access to it, but it will take a collective effort from all industry stakeholders to revise the needed legislation. In fact, in July of this year, the American College of Surgeons, the American Health Information Management Association (AHIMA), the College of Healthcare Information Management Executives (CHIME), Healthcare Information and Management Systems Society (HIMSS), Intermountain Healthcare, and Premier Healthcare Alliance created an advocacy group to advance public and private sector collaboration for a patient identifier program in the U.S. called Patient ID Now.
Where We Go From Here
Interoperability has been a talking point for the better part of two decades and some progress has been made in recent years that will lead to improvement, but the challenges of the COVID-19 pandemic have highlighted the need for rapid change that makes patient data more integrated and accessible.
The Fast Healthcare Interoperability Resource (FHIR) provided a significant first step in standardizing data to make it easier to share across platforms. Last spring, the Department of Health and Human Services (HHS) issued a new ruling on interoperability that similarly sought to reduce barriers to sharing patient data safely.
Without sacrificing patient privacy, our healthcare system is positioned to fully realize the benefits of HIPAA, which has largely been misused and misunderstood since its passage. We need disruption, but we already have many of the tools we need to achieve it.
About The Author
Josh Douglas is the Chief Technology Officer at Bridge Connector, a technology company changing the way healthcare communicates by delivering streamlined integration solutions.