As a software developer working in the health care industry I often find myself in discussions with folks who believe HIPAA is holding them back. They argue that the rule is inflexible when it comes to technology and woefully out-of-date with its roots going all the way back to 1996. A recent post by Keas CEO John Stevens sums up that argument quite nicely. Stevens suggests that HIPAA doesn’t fit the social atmosphere of 2014 and that it prevents the sharing of data that could lead to better health for all of us. Further, he suggests that “HIPAA doesn’t accommodate for advances in technology, regardless of if it is hardware or software” and calls for an overhaul or annulment of the rule.
While I respect the frustrations felt by Stevens and others trying to drive innovation in health care, I believe they’re misdirecting their contempt. HIPAA is a pain and compliance is tedious, but it’s not the problem. People who don’t understand the rule, and use it as an excuse to silo their data, are the ones holding us back.
HIPAA Doesn’t Prevent the Sharing of Data – It REQUIRES It
The director of the Office for Civil Rights (OCR), Leon Rodriguez, wrote the Right to Access Memo, informing patients that under HIPAA they have the right to obtain a copy of their records from their providers and from their health plans. Patients have access to their records. Period. The fact that some providers make you jump through hoops to get them shouldn’t be blamed on HIPAA. Take HIPAA away and those same providers may not give them to you at all.
White House Senior Adviser Ryan Panchadsaram gave a powerful talk at TEDMED 2013 explaining how HIPAA frees the data. The HIPAA requirement to make our data available has already led to key innovations like Blue Button, which will give millions of Americans immediate and secure online access to their medical records.
HIPAA is Flexible
HIPAA doesn’t reference a single specific piece of hardware or software. In fact, it’s designed to be flexible enough to meet the needs of any particular organization. Since I’m discussing technical innovation, let’s focus on the Security Rule, which governs the handling of Electronic Protected Health Information (EPHI). The rule is broken up into 18 Standards with 42 Implementation Specifications (i.e., the things we need to address when handling EPHI). Of those, only half are required, and they cover what amounts to basic IT governance that any technical solution should follow (risk assessments, data backups, disaster recovery, access controls, etc.). The remaining 21 are classified as “addressable,” meaning we must implement them only if it’s reasonable and appropriate to do so; where it isn’t, we document why and put an equivalent alternative in place if one is reasonable. HHS states, “This decision will depend on a variety of factors such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.” You can read the full breakdown here.
HIPAA was designed to account for the vast differences in size and structure of the covered entities and this fact makes it particularly open to incorporating new and innovative technology.
HIPAA Requires Us to Keep Up With The Times
In order to remain HIPAA compliant, organizations often decide to upgrade systems sooner than they otherwise would. For example, Windows XP will no longer receive security patches after April 8th, 2014, which has led many organizations to evaluate their use of the OS in their environments. If their risk assessment identifies that those machines put EPHI at risk, they’ll be compelled to upgrade them to a supported OS. This has a nice side effect: the upgraded systems are more likely to be supported by, and capable of running, the new and innovative technologies we want to bring to the table.
That’s just one example, but the point is this: HIPAA requires an ongoing program of due diligence that keeps many organizations’ infrastructures more up-to-date than they otherwise would be. Outdated systems lead to downtime, band-aids, fires, and other things that tie up IT resources. Up-to-date, smooth-running technical infrastructures are very good for innovation.
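One concrete form that this due diligence can take, as an added example that is not from the original post: a small inventory check that flags hosts whose operating system has passed (or is approaching) its end-of-support date, prioritised by whether the host handles EPHI. The inventory, the hostnames, and every entry in the end-of-support table other than the Windows XP date quoted above are constructed for the example; a real program would feed it from the asset inventory and the vendors’ lifecycle pages.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# End-of-support dates for the operating systems in scope. The Windows XP
# date is the one cited in the post; the other entries are illustrative and
# would be maintained from vendor lifecycle pages in a real program.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}

# How far ahead to warn: a host whose OS loses support within this window
# should already have an upgrade scheduled.
WARNING_WINDOW = timedelta(days=180)

# Lower number = handle first.
PRIORITY_ORDER = {"upgrade now": 0, "schedule upgrade": 1, "track": 2, "none": 3}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    handles_ephi: bool  # does this machine store, process, or transmit EPHI?


@dataclass(frozen=True)
class Finding:
    host: str
    status: str                  # "unsupported", "expiring", "supported", or "unknown"
    days_until_eol: Optional[int]
    priority: str                # a key of PRIORITY_ORDER


def assess_host(host: Host, today: date) -> Finding:
    """Classify one host by OS support status and EPHI exposure."""
    eol = END_OF_SUPPORT.get(host.os)
    if eol is None:
        # An OS missing from the lifecycle table is a gap in the risk analysis,
        # not a pass: an EPHI host on an unknown platform still needs follow-up.
        return Finding(host.name, "unknown", None, "track" if host.handles_ephi else "none")

    days = (eol - today).days
    if days < 0:
        status = "unsupported"
        priority = "upgrade now" if host.handles_ephi else "schedule upgrade"
    elif days <= WARNING_WINDOW.days:
        status = "expiring"
        priority = "schedule upgrade" if host.handles_ephi else "track"
    else:
        status = "supported"
        priority = "none"
    return Finding(host.name, status, days, priority)


def assess_inventory(hosts: Iterable[Host], today: date) -> List[Finding]:
    """Assess every host and order the findings most urgent first (stable sort)."""
    return sorted((assess_host(h, today) for h in hosts),
                  key=lambda f: PRIORITY_ORDER[f.priority])


# Constructed inventory for the example.
SAMPLE_INVENTORY = [
    Host("reg-desk-01", "Windows XP", True),       # front-desk PC that opens patient records
    Host("lobby-kiosk", "Windows XP", False),      # signage box, no EPHI
    Host("fileserver-02", "Windows Server 2003", True),
    Host("nurse-ws-07", "Windows 7", True),
    Host("imaging-ws-03", "CustomOS 1.0", True),   # vendor appliance not in the table
]

# Assessment date for the sample run: a few weeks after XP support ended.
ASSESSMENT_DATE = date(2014, 5, 1)

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE):
        print(f"{f.host:15} {f.status:12} {str(f.days_until_eol):>6}  {f.priority}")
```

Run against the sample inventory, the front-desk XP machine comes out first as “upgrade now”, the kiosk is still flagged but behind it, and the appliance on an unknown OS is surfaced as “track” rather than silently passing. Re-running the same check on a schedule is the mechanical part of the ongoing due diligence the Security Rule asks for.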
How to Move Forward with HIPAA?
HIPAA makes data available and requires us to practice good IT governance and due diligence. Yes, there’s a policy and paperwork burden, but don’t you want to sit down and spend time reviewing your business on a regular basis anyway? I know I do – and I want my providers to do so, too.
So, let’s stop blaming HIPAA for stifling innovation. It’s a cop-out, and usually based on fear induced by not understanding the rule. In fact, if everyone embraced HIPAA as a whole and properly implemented all of its controls, I’d bet we’d actually grease the wheels of innovation. Our systems would be reliable and available when needed. IT personnel would spend less time fighting technical fires and more time innovating. Our staff would spend less time waiting for systems to respond and more time taking care of patients. Most importantly, we’d know that we could trust sharing our data with other organizations because we’d know they were doing their due diligence, too. By embracing the HIPAA rule and truly understanding its meaning we can stop fearing what might go wrong and, instead, start dreaming about what might go so right.
“Inaction breeds doubt and fear. Action breeds confidence and courage. If you want to conquer fear, don’t sit at home and think about it. Go out and get busy.” – Dale Carnegie