By John Schneider, chief technology officer, Apixio.
Signed into law nearly a quarter century ago, the Health Insurance Portability and Accountability Act (HIPAA) has not aged well in the information technology world. HIPAA itself is largely misunderstood. I don’t know how many times I’ve heard someone tell me about the “Health Information Privacy Act.” However, it’s easy to understand where the confusion comes from. Who hasn’t heard a story about a ransomware attack, data breach, or privacy violation in the news? And it’s not just happening in the healthcare domain—it’s happening everywhere.
The truth of the matter is that security and privacy breaches in healthcare and other industries are a common occurrence. This has resulted in an unhealthy preoccupation by the healthcare community with the security and privacy provisions in the HIPAA legislation that fall under Title II Administrative Simplification. This too is easy to understand—unlike other industries that seemingly get off scot-free after a breach, the healthcare industry is held to an actual standard, and there are penalties for not meeting this standard that can be reputationally and financially ruinous.
To fully understand the healthcare community’s preoccupation with the HIPAA Title II provisions, we need a little background on what HIPAA is. HIPAA has five provisions called Titles. The two key provisions are Title I, HIPAA Health Insurance Reform, and Title II, HIPAA Administrative Simplification. All of the security and privacy regulations stem from Title II, but “Administrative Simplification” doesn’t exactly shout out “security and privacy” (although the Privacy Rule and Security Rule are 2 of the 5 sections in Title II). Title II doesn’t even provide regulations—it simply hands that responsibility off to the Department of Health and Human Services (HHS) to create such regulations as it sees fit. Ultimately, then, these HHS regulations are what we’re contending with, and they are driving the behavior that limits the value of the data we’re collecting in healthcare.
Let’s first look at the two types of regulations that cause the most adverse behavior.
- Sharing Constraints: There are a number of requirements in privacy regulations that constrain sharing, and many are common-sense business-use rules that protect patients effectively. There are also some regulations that state that covered entities (regulation-speak for providers) should only share data they have with other business associates that are directly participating in the care and management of the patient. These effectively prevent the use of healthcare data to create new and innovative products because product development isn’t related to patient care or management.
- Punishments for Breaches: Breaches can be financially painful or even ruinous for a business. The penalties associated with breaches make executives think twice about the use of the data they have, even with business associates helping them manage care, because the risk to them is very real. In the real world, this means it can take a long time for a new business with a good idea for improving healthcare delivery to gain traction, because the holders of data are reluctant to give these businesses the data they need.
These issues are real and are having negative effects in the healthcare industry. However, these same issues are not impeding innovation in other industries that have just as much (or more) private information. What gives here? Healthcare isn’t getting a fair shake.
There are a number of inequities in healthcare that we should take issue with:
- There’s an uneven playing field. Think about where the data is in healthcare. It’s largely in the hands of the providers. They effectively own this data, even though technically it belongs to patients. Small startups have no access to this data. They have to hunt for providers willing to share, and often the price of sharing is onerous business terms. The larger the cache of data, the more advantaged you become, and in an industry like healthcare that is ostensibly rallied around social good, this should not be okay.
- If you do get data, you might become a target. There are many examples where companies (for example, Google this past year) are harassed for doing innovative research for no other reason than that they’re visible and have deep pockets. The problem is that we have obsolete regulations that are being used to make a point that isn’t valid in our modern context.
- Most of the data we’ve accumulated isn’t used for innovation. The data outlook in healthcare has come a long way in the ten years since the HITECH Act was passed. Electronic medical records have gone from being sparsely used to nearly universal, but most of this data goes unused beyond the walled gardens of the medical record systems it lives in. Artificial intelligence and machine learning applications depend on large, real-world datasets and could be put to use to build technology and resources to identify distinct risk profiles, analyze the effectiveness of treatment protocols across specific patient populations, or surface insights that can dramatically improve the speed and quality of care. But only the few commercial entities that have access to data can play in this space.
- Focusing concern over security and privacy in healthcare may be irrelevant. Protecting patient data and privacy is important, but HIPAA was written during the era of paper records, when a breach might mean losing a piece of paper, not being looted by hackers. Privacy regulations were meant to direct organizations on acceptable business use and guardianship of private health information. The truth of the matter is that healthcare data is boring. There’s really no commercial value to a hacker in your blood pressure readings. If they hack your healthcare provider, it’s likely to see whether your credit card info is on file or to hit them with ransomware. We’re trying to erect high walls around the wrong cache of data. Credit scoring companies and social networks know more about our private lives and our conditions than our healthcare systems do. We’re putting an undue burden on healthcare providers to protect information that is already out in the wild, largely due to breaches in other industries and the ease with which private information can be inferred by commercial entities.
Information is being accumulated at rates never before imagined, and the rate at which private information seems to leak out of the systems that contain it gives people and institutions cause for concern about the security of their private information. However, despite all the good intentions, HIPAA security and privacy regulations do very little to protect patient data in the modern age. They haven’t kept pace with modern information technology, and they are creating an atmosphere in which we are less likely to use the data we’re collecting.
Data security and personal privacy are society-wide concerns, not the sole responsibility of the healthcare industry. The regulation of data used in healthcare should be removed from HIPAA or its successor legislation to allow the industry to decide for itself how it should use the data riches it has accumulated to provide better care. We should invest in building an agency tasked with overseeing data security across all industries. Just as the NHTSA and FAA oversee automobile and airline safety, the healthcare industry should have an agency that oversees the protection and use of data and provides funding and leadership to help players across industries (health, financial, social networking) be better stewards of these assets.
While virtually every other industry is running as fast as it can with innovative technology, healthcare is being held back from advancements that would improve the quality and efficiency of care because of HIPAA’s provisions. Overhauling HIPAA to make it relevant in the era of information would allow us to leverage the invaluable data we’re collecting to improve healthcare.