The HIPAA Privacy Rule 15 Years Later: What’s Next?

On December 4th, FPF, Intel, and Duke in DC hosted “The HIPAA Privacy Rule 15 Years Later: What’s Next?” The event brought together stakeholders from across the health data ecosystem to explore current challenges related to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Specifically, the discussion focused on ways to reduce the administrative burdens that restrict data sharing in clinical care and research while still maintaining the privacy of protected health information (PHI).

This event follows the release of a Department of Health and Human Services (HHS) request for public comment regarding potential revisions to the HIPAA Privacy Rule. HHS seeks the public’s views on how the rules could be updated to encourage coordinated care and case management among hospitals, physicians, payors, and patients. The agency also asks stakeholders to identify regulatory burdens that may impede value-based health care without providing commensurate privacy or security protections for PHI. HHS has the authority to modify the HIPAA privacy standards, and experts expect the agency’s request for comment to be the first step in a comprehensive reassessment and revision of health privacy rules. Comments are due February 11, 2019.

Health privacy experts highlighted several issues during the panels, including: the current administrative burdens that the notice of privacy practices and the accounting of disclosures requirements place on covered entities; the benefits of HIPAA privacy boards; and the opportunity to align the Common Rule with the HIPAA Privacy Rule.

Below we describe the panel discussion topics in further detail:

Panel Discussion 1: Reducing Burdens and Enhancing Care

The HIPAA Privacy Rule was developed to safeguard the privacy of personal health information while improving the quality of patient healthcare. The rule came into effect in 2003, and the last major amendment to it occurred in 2013 with the Omnibus Rule. Some believe HIPAA imposes burdens that hamper the coordination and delivery of care and the transition to value-based care. Technologies like the internet of things, electronic health records, and cloud services are transforming how care is delivered. Health technologies that fall outside the scope of HIPAA, such as mHealth apps and wearables, are increasingly used by patients. These developments put pressure on the balances struck by the US health privacy regime. Panelists discussed several challenges related to HIPAA and clinical care, arguing that:

  • There is a need to make the notice of privacy practices requirement simpler and less burdensome.
  • The Breach Notification Rule requirements discourage companies from entering into business associate agreements (BAAs) because of the complexity of complying with state breach laws in addition to the federal rule.
  • Harm standards could be added to the Breach Notification Rule to align it with state laws.
  • There is uncertainty regarding where an individual’s right to access and correct their designated record set and derivative data begins and ends.
  • The accounting of disclosures requirement could be revised to be less burdensome for covered entities.
  • The perceived presumption of guilt built into the Security Rule and Breach Notification Rule deters data sharing by physicians.
  • Physicians need further guidance and best practices on implementation of the Security Rule.

Panel Discussion 2: Enabling Research and Maintaining Privacy

Today, the average person generates over 1 million gigabytes of health-related data during a lifetime. New data types are expanding beyond the traditional healthcare setting and beyond HIPAA, such as real world evidence (RWE) and big data, and are being used for healthcare purposes. Researchers are also developing novel techniques, including AI, machine learning, and big data analytics, that were not anticipated when the HIPAA Privacy Rule was written. These advancements are prompting stakeholders to reconsider whether the status quo under the HIPAA Privacy Rule and the Common Rule is sufficient to protect privacy, address the evolving health data ecosystem, and harness the benefits of health data for patients and society. Panelists discussed challenges at the intersection of HIPAA and medical research, observing that:

  • There is a lack of clarity around who is an “expert” when it comes to the Expert Determination Method. Further guidance could help to ad
  • The Common Rule could be better aligned with the HIPAA Privacy Rule.
  • The use of identifiable records in research is of a different nature than research that physically or psychologically touches human subjects, and this poses a problem since institutional review boards (IRBs) tend to be focused on, and have expertise about, only the latter. This could be addressed by exempting records research, training IRB members on privacy, or producing standards for review.
  • Standards for waiving authorization for research could improve IRB transparency and consistency.
  • Data that has been de-identified under HIPAA could be subject to data use agreements that prohibit re-identification, so that the data is not misused once it falls outside HIPAA protections.
  • Disclosure of data for research without consent, subject to appropriate protections, could be treated in a similar way to disclosures for treatment, payment, and healthcare operations (TPO).

Panelists also discussed how HIPAA might be addressed by any comprehensive federal privacy legislation, and whether an exemption from such a law would be the right path forward.

The article was republished under Creative Commons Attribution 4.0 International (CC BY 4.0)