By John Schneider, chief technology officer, Apixio.
Signed into law nearly a quarter century ago, the Health Insurance Portability and Accountability Act (HIPAA) has not aged well in the information technology world. HIPAA itself is largely misunderstood. I don’t know how many times I’ve heard someone tell me about the “Health Information Privacy Act.” However, it’s easy to understand where the confusion comes from. Who hasn’t heard a story about a ransomware attack, data breach, or privacy violation in the news? And it’s not just happening in the healthcare domain—it’s happening everywhere.
The truth of the matter is that security and privacy breaches in healthcare and other industries are a common occurrence. This has resulted in an unhealthy preoccupation by the healthcare community with the security and privacy provisions in the HIPAA legislation that fall under Title II Administrative Simplification. This too is easy to understand—unlike other industries that seemingly get off Scot free after a breach, the healthcare industry is held to an actual standard, and there are penalties for not meeting this standard that can be reputationally and financially ruinous.
To fully understand the healthcare community’s preoccupation with the HIPAA Title II provisions, we need a little background on what HIPAA is. HIPAA has five provisions called Titles. The two key provisions are Title I, HIPAA Health Insurance Reform, and Title II, HIPAA Administrative Simplification. All of the security and privacy regulations stem from Title II, but “Administrative Simplification” doesn’t exactly shout out “security and privacy” (although the Privacy Rule and Security Rule are 2 of the 5 sections in Title II). Title II doesn’t even provide regulations—it simply hands that responsibility off to the Department of Health and Human Services (HHS) to create such regulations as it sees fit, so ultimately, these are the regulations that we’re contending with and are driving behavior that’s limiting the value of data we’re collecting in healthcare.
Let’s first look at the two types of regulations that cause the most adverse behavior.
- Sharing Constraints: There are a number of requirements in privacy regulations that constrain sharing, and many are common-sense business-use rules that protect patients effectively. There are also some regulations that state that covered entities (regulation-speak for providers) should only share data they have with other business associates that are directly participating in the care and management of the patient. These effectively prevent the use of healthcare data to create new and innovative products because product development isn’t related to patient care or management.
- Punishments for Breaches: Breaches can be financially painful or even ruinous for a business. The penalties associated with breaches make executives think twice about the use of the data they have, even with business associates helping them manage care, because the risk to them is very real. What this means in the real world is that it can take a long time for a new business with a good idea to improve healthcare delivery to gain traction because the holders of data are reluctant to give these businesses the data they need.
These issues are real and are having negative effects in the healthcare industry. However, these same issues are not impeding innovation in other industries that have just as much (or more) private information. What gives here? Healthcare isn’t getting a fair shake.
There are a number of inequities in healthcare that we should take issue with:
There’s an uneven playing field. Think about where the data is in healthcare. It’s largely in the hands of the providers. They effectively own this data, even though technically it belongs to patients. Small startups have no access to this data. They have to hunt for providers willing to share. Often, the cost of sharing are onerous business terms. The larger the cache of data, the more advantaged you become, and in an industry like healthcare that is ostensibly rallied around social good, this should not be okay.
If you do get data, you might become a target. There are many examples where companies (for example, Google this past year) are harassed for doing innovative research for no other reason than they’re visible and have deep pockets. The problem is that we have obsolete regulations that are being used to make a point that isn’t valid in our modern context.
Most of the data we’ve accumulated isn’t used for innovation. The data outlook in healthcare has come a long way in the last ten years since the HITECH act was passed. Electronic medical records have gone from being sparsely used to nearly universal, but most of this data goes unused beyond the walled gardens of the medical record systems they live in. Artificial intelligence and machine learning applications depend on large, real-world datasets and could be put to use to build technology and resources to identify distinct risk profiles, analyze the effectiveness of treatment protocols across specific patient populations, or surface insights that can dramatically improve the speed and quality of care. But only the few commercial entities that have access to data can play in this space.