The Health Insurance Portability and Accountability Act (HIPAA) protects individuals’ medical records and other personal health information. Though HIPAA was adopted more than 20 years ago, when healthcare tech looked very different, much of the original language of HIPAA remains unaltered.
Despite the changing technological landscape, HIPAA still covers a great number of diverse scenarios. Whether a hospital is maintaining paper-based patient records or transferring information electronically, the purpose of HIPAA remains the same as it did in 1996.
However, some argue that HIPAA regulations have not kept pace with technological developments. Rafael J. Grossmann, MD, clinical advisor at Magic Leap, explains that HIPAA regulations are very strict and often prohibitive to implementing new digital health solutions. “Anyone who wants to come up with a solution that will eventually have a real effect needs to address HIPAA and the safety of the patient data very carefully,” Grossman says.
Still, HIPAA continues to determine the trajectory of digital transformation in American healthcare. In this article, we explore where HIPAA compliance is causing headaches, and what solutions are emerging.
HIPAA Compliance: Trends and Challenges
Digital transformation in healthcare means putting technology at the center of all operations. This paradigm shift is disrupting long-standing practices with new processes that are continually evolving.
The ultimate goal is a synchronization of all patient and provider touchpoints. “From search-to-surgery; websites, call center, registration, consultation, billing, admission, inpatient services, pharmacy, cafeteria, discharge and post-discharge follow-ups, and the entire journey has to be taken into account while strategizing towards digital transformation,” explains digital strategist Richard Roy Mendonce.
In 2019, we witnessed disruptive healthcare technologies make progress. Unsurprisingly, HIPAA compliance proved to be a challenge for each.
Wearables and Remote Patient Monitoring
Wearable technology is a rapidly growing market that includes both consumer devices like fitness monitors and medically oriented devices like mobile ECGs. Juniper Research forecasts that 5 million individuals will be remotely monitored by healthcare providers by 2023.
“Both wearable data and voice assistants show promise in passively collecting data that patients previously had to report in a manual mode,” Laura Lovett writes at Mobile Health News. “This could help with both accuracy and ease in studies.”
While there is the potential to improve one’s health with such devices, there are also major privacy concerns. Forbes contributor Mary Meehan is just one of many people with privacy-related questions for the wearables industry. “Our wearables are collecting loads of health-related data on us. Who owns that data? And now that Google has bought Fitbit, what’s that going to mean for privacy?”
HIPAA applies to covered entities like providers, insurers and business associates — meaning vendors. Data gathered via wearables don’t always fall under HIPAA security guidelines. If a person buys a Fitbit and then uses it to track information like number of steps taken per day, calories consumed and heart rate, the data is not protected under HIPAA. That’s because there’s no covered entity or business associate involved.
Jack Murtha interviewed HIPAA compliance officer Nicholas Heesters to help further explain the nuances that exist wearable tech and privacy. Heesters encourages us to consider the following situation:
“At the direction of a healthcare provider, a patient downloads a smartwatch app that monitors health data points that are then integrated into an electronic health record. The app developer or marketer, meanwhile, is receiving money from the provider for the digital service. In that case, the developer is generating, collecting, storing and sharing data on behalf of a covered entity — and, as a business associate, it must abide by HIPAA.”
In short, any healthcare provider using wearables to collect and transmit data will need to be careful to protect that data. If they fail to do so, they run the risk of violating HIPAA. As a reminder of just how severe those penalties can be, they range from $100 to $50,000 per violation with a maximum penalty of $1.5 million per year for each violation.
Virtual Health and Telehealth
Physician adoption of telehealth increased 340 percent from 2015 to 2018, according to American Well’s Telehealth Index: 2019 Physician Survey. Additionally, 69 percent of physicians indicated a willingness to try telehealth. The survey estimates that by 2022 as many as 590,000 physicians will be using telehealth.
Doctors now communicate with patients using email, phone and webcams. In addition to patient communication, physicians are also communicating with each other for easier collaboration and more informed decisions. But it is increasingly important to pay attention to how secure those lines of communication are.
Timothy M. Hale, Ph.D. and Joseph C. Kvedar, MD explain how the primary security risk in telehealth is that of unauthorized access to data during collection, transmission or storage. Any transfer offers the potential for a security breach. Hale and Kvedar argue that, despite efforts to create secure devices and apps, many contain serious flaws, and hackers and malware pose an increasing threat to the security of telehealth systems.
More and more records are being digitized, which sets the stage for predictive analytics and big data. The more big data is used in healthcare, the more efficient the industry can be. With big data and predictive analytics, patient patterns can be identified more quickly and effectively. And the larger the data set, the more quickly those patterns can be identified.
The effect of predictive analytics in healthcare is dramatic. It is being used to cure diseases, avoid preventable death and improve our quality of life. But big data is not immune to the issues of security and privacy.
“Part of the technological challenge involves using massive data sets that incorporate information from many patients,” Marc Helberg, a managing vice president at the consultancy Pariveda Solutions, writes for Managed Healthcare Executive. “This has its own difficulties, including adhering to privacy laws, ensuring data sets are ‘clean,’ and finding the right modeling approach to glean the most insight.”
The benefit from understanding as much about a patient as possible, as early in their life as possible, is extraordinary. The safeguards needed to protect patient information are perhaps equally as important.
Electronic Health Records
The trends we’ve discussed have contributed to a never-before-seen increase in patient data. These shifts, combined with HIPAA required data retention requirements, make managing electronic health records (EHRs) a challenge.
Data entry involved with EHRs can be cumbersome, and the security measures currently in place can compound matters. “Beyond lost time, these administrative headaches overwhelm doctors,” writes Sally Pipes, president and CEO at the Pacific Research Institute. “More than three-quarters of doctors report symptoms of burnout, according to a Merritt Hawkins survey. Many of them point to the EHR mandate as the primary cause.”
In addition, patient and third-party requests related to EHRs are often costly and time-consuming. While patients can request electronic copies of their records, security concerns exist when sending information using unsecured email or using a patient’s USB drive.
The lack of simple solutions for data sharing results in frustration on both ends.
How to Insure HIPAA Compliance
Now that we’ve identified some trends, opportunities and challenges, let’s take a look at the potential solutions.
One loophole that organizations have found is the use of de-identified data. De-identified patient data is health information from a medical record that has been stripped of all information that could be used to identify the patient.
The HIPAA privacy rule does not cover de-identified data. As the rule states: “De-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI.”
For that reason, de-identified data has been playing an important role in preventive analytics and medical research. Scientists get access to a gold mine of much-needed information, without needing to meet traditional HIPAA compliance.
Despite this, David Talby, CTO at Pacific AI, encourages anyone handling this type of information to exercise caution. “Assume that you are at risk when sharing de-identified data and act accordingly,” Talby advises. “Protect de-identified data almost as diligently as you protect PHI.”
Blockchains could be the record-sharing solution healthcare providers have been looking for. A blockchain is a growing list of records, called blocks, that are linked using cryptography. Encryption is at the core of protecting the transactions and records shared through blockchain technology.
HIPAA requires that identifiable health information be encrypted, so that only those authorized to read it can do so. Thus, blockchains make sense as an answer.
Daniel Newman, principal Analyst FuturumResearch, explains how blockchains have the potential to solve frustrations in patient file sharing. “With [blockchains], that whole outdated process has the potential to become a distant memory, as [blockchains have] the potential to automatically provide the allowed doctors and specialists with a complete medical history so you can get the care you need,” Newman says.
Circling back to the case of wearable tech, blockchain technology would come in handy. Ideally, if the patient is wearing a device meant to inform the healthcare provider, they would submit data that is then blockchain-encrypted, summarized and moved into the practice’s EHR software.
Setting communication boundaries is a simple way for healthcare providers to avoid HIPAA compliance violations. Being cognizant about what can and cannot be discussed over the phone is a good place to start. In instances like telehealth, where sharing confidential information is unavoidable, it’s important to use secure platforms.
The HIPAA Journal advises that healthcare providers not use SMS, Skype or email for telemedicine. Here, it’s beneficial to revisit the idea of covered entities. “When ePHI created by a medical professional or a healthcare organization (covered entity) is stored by a third party, the covered entity is required to have a Business Associate Agreement (BAA) with the party storing the data,” the authors write.
Because communications sent through SMS, Skype or email remain on the servers of service providers and contain individually identifiable healthcare information, the HIPAA Journal states it would be necessary for the covered entity to have a BAA with (for example) Verizon, Skype or Google in order to be compliant with the HIPAA guidelines on telemedicine.
There are telehealth tools built with HIPAA compliance in mind. In most cases, the provider of the platform (i.e., video conferencing provider) would be required to enter into a contract with a HIPAA-covered entity before its service can be used with ePHI. That contract, a Business Associate Agreement, serves as a confirmation that the technology platform provider is aware of its responsibilities with regards to the privacy and security of PHI.
HIPAA rules were originally designed to put the patient in control of their data. However, in many instances the rules have made things harder for patients to access information. One of the ways to navigate these privacy roadblocks is by simply empowering patients.
David Harlow, healthcare attorney and founder of The Harlow Group LLC, believes that we should be relying more on patients themselves. Because HIPAA makes it hard to get information from healthcare providers, Harlow explains that those interested in analyzing PHI for both individual care needs and population health management could consider patients as the main source of information.
In Harlow’s ideal scenario, it would be possible for patients to be more specific about who gets what information. For example, a person could share de-identified data for research purposes that interest them. Or they could share encrypted personal data when they need personalized care.
Information is power, and it seems fitting that that power is given to the patient. Though this shift seems simple, it challenges most traditional healthcare models. “Health information technology is a key part of enhancing health and health care, and empowering patients to be first-order participants in their care,” says Douglas B. Fridsma, president and CEO at the American Medical Informatics Association.
The Outlook for Healthcare Technology
The safeguards that exists, while challenging, have done well in ensuring patient privacy. The need for new technology is growing, and HIPAA provides an important framework for regulation.
“We’re heading into the post-digital era where healthcare organisations will need to adopt new and emerging technology,” Sam Shah writes at Healthcare IT News. HIPAA will continue to be instrumental in shaping how that adoption will play out.
Images by: Cathy Yeulet/©123RF.com, Pop Nukoonrat/©123RF.com, primagefactory/©123RF.com