Q&A: Indiana University’s Fred H. Cate

Updating HIPAA for a Modern Time

By Patrick W. Dunne

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 by President Bill Clinton.

HIPAA restricts who may access a patient's protected health information, allowing Americans to keep their health status private from unwanted third parties.

However, the law has not been without its share of critics. One is Dr. Fred H. Cate, a professor and vice president for research at Indiana University in Bloomington. As an expert in privacy and security laws, he has much to say about HIPAA. 

Why does the government need data on coronavirus patients? Does HIPAA help?

The government doesn’t collect data from HIPAA.

It’s a law that helps protect an individual’s health data, largely from corporate and private-sector access, but it also protects it to some extent from government-sector access.

If you’re trying to find out how broad the spread of this pandemic is, you need to be able to share granular data on a personal level.

You can use this data to see if the outbreak has hit specific blocks, cities, or businesses.

In fact, HIPAA explicitly permits sharing data for public health purposes.

Does HIPAA interfere with the government’s ability to collect data anyway?

I wouldn’t say that. One thing I’m seeing is that states are trying to do contact tracing — but they can’t get patients’ names, because officials don’t want to violate privacy.

Sometimes, the mystique of HIPAA becomes a bigger challenge than the actual text itself.

I hear all the time stuff like, “I can’t share that information because of HIPAA.”

Actually, HIPAA doesn’t say that at all. Companies and health-care providers may be risk-averse because there are penalties if you get it wrong.

But I don’t actually think HIPAA’s been much of an impediment on the tracking and tracing side.

So, maybe the problem isn’t HIPAA itself, but rather those who don’t want to accidentally break the law and get in trouble? Is that correct?

Exactly! This is especially true if you’re a health-care provider, because those fines can be enormous.

Plus, there’s the loss of credibility. I mean, who wants to go to a hospital that’s been found to violate your health privacy?

Most of the time, workers are doing their best and may make a mistake. But those mistakes come with big fines — and those fines can impede data usage for innovation or research.

HIPAA was signed into law more than 20 years ago. Does it need to be updated?

Yes, I’d say it desperately needs to be updated for all sorts of reasons, some of which have nothing to do with COVID-19.

For example, HIPAA’s done a lot to restrict health research. It was sort of an unintended consequence.

When drafters were working on this regulation, they came up with a bunch of things you can do either with no consent or only with opt-out consent.

Somehow, nobody thought to put research on that list.

Yet, marketing is on that list. Companies can market with health data using only opt-out consent, but research has much higher consent requirements.

I think it just wasn’t thought through. It’s not so much that times have changed, it’s that they made a mistake and they need to fix it.

What are some of the issues with HIPAA’s consent requirements?

I am critical and I’ll tell you exactly why.

It’s not that I don’t believe in consent. It’s that the way that HIPAA consent is usually carried out is kind of meaningless.

I’ve been in many settings where they say, “Will you sign here saying you received the HIPAA notice?”

I’ll say, “I haven’t received the HIPAA notice.”

Then, they’ll reply, “Well, it’s up on the wall over there if you want to read it.”

We’ve all seen this. It’s not just HIPAA. Companies love giving us huge consent statements we’ll never read.

You shouldn’t have to talk about consent when it’s logically necessary or in situations where most people would give consent.

For example, most people would be OK with governments using their data for research.

On the other hand, many people don’t want companies to use their data to market products to them. That’s one place I would say you need opt-in written consent.

You should only need consent if health-care providers are doing something shocking or dangerous with your data.

Another example is that HIPAA lowered the standards for law enforcement to obtain data. They made it easier for an officer to walk in, show their badge and get someone’s records.

It’s fine if you’re asking during a convenient time and you can make a choice.

For example, my iPhone will tell me if an app is tracking my activity and allows me to opt out. That method is extremely convenient and relevant.

But let’s say that you’re going to the emergency room and the workers hand you a bunch of insurance and disclosure forms. There’s no way anyone would read all those documents.

We could do a lot to fix this issue. We could use polling or focus groups to find the norms about what people accept and expect when it comes to health data.

I’m for consent when it’s for something meaningful. I just don’t like consent when it’s a waste of time.

What might happen if HIPAA isn’t updated?

There are two major risks.

One is that we don’t protect privacy well enough.

For example, HIPAA doesn’t apply to iPhone apps or Google searches. Most people generate most of their health data every day through online tools or devices.

For example, I’m a diabetic and wear an insulin pump. HIPAA covers the pump, but not the iPhone I use to measure my blood glucose.

The other risk of not updating HIPAA is we leave too much stuff out in the wild and unprotected.

Last year, I read a lot of stories about a fertility app that uses personal information to find out when expecting mothers will give birth.

None of this information is protected by HIPAA.

On the other hand, HIPAA can be over-protective and impede research and the creation of innovative treatments.

We’re constantly treading that middle ground. We want to facilitate innovation while retaining privacy.

In 20 years, we’ve learned a lot about HIPAA — and there’s been a lot of technological change.

It’s a lot to think that the people who first drafted it got it right.

Patrick W. Dunne is a California writer.