Blog Post

Healthcare Upside/Down: Updating Healthcare Data Management and Privacy

Upside Down Blog Web

ECG’s radio show and podcast, Healthcare Upside Down, offers unfiltered perspectives on what’s working in US healthcare and what’s not. Hosted by ECG principal Dr. Nick van Terheyden, each episode features guest panelists who explore the upsides and downsides of healthcare in the US—and how to make the system work for everyone.

When we talk about healthcare data and protecting it, almost everyone is aware of HIPAA. You can’t interact with any healthcare organization in any way without having that term thrust upon you on forms you must sign—forms that are dense and full of legalese, making them hard to comprehend and certainly not something that’s top of mind for any patient as they navigate what may be a stressful time in their lives.

Our guest on episode 54 of Healthcare Upside Down is Rita Bowen Vice President, Privacy, Compliance, and HIM Policy at MRO.

Listen Now

So what does HIPAA mean and where did it come from? The letters stand for the Health Insurance Portability and Accountability Act of 1996. The term originated with the federal law of the same name, which created a national standard to protect sensitive patient health information from being disclosed without a patient’s knowledge or consent.

Ironically, while HIPAA was meant to protect patients, it’s often had the unintended consequence of preventing them from gaining access to their own health data. To get a sense of how long this has been going on, I carried and sometimes still have to use a memo, issued on September 13, 2013, by Leon Rodriguez, then the Director of the Office of Civil Rights, that detailed my rights to see and obtain a copy of my medical records. It’s proved effective in overcoming resistance to sharing my records, but not before I had been challenged with multiple instances of “I can’t share that, it would be a HIPAA violation.”

Thankfully things are improving, as we have covered in prior shows on information blocking, but the balance between security and privacy is an ongoing challenge.

Rita Bowen is likely one of very few people who can say she provided comment to HHS on both the original version of HIPAA and its most recent proposed changes. She joins us on Healthcare Upside Down to talk about getting HIPAA can function the way it was intended despite a world that has changed dramatically since its inception.

Origin and evolution of HIPAA.

“HIPAA started from the perspective of needing to increase the privacy of health information, since we were moving toward electronic health information when it was released in 1996. But HIPAA hasn’t been really updated since its inception, except for in 2013, when they came out with the Omnibus Rule, which enhanced some things. But most recently, with Biden coming into office in January 2021, they did release a Notice of Proposed Rulemaking with new language to modernize HIPAA. I have taken the time to respond to that, and it’s still not right. There are things that HIPAA does well, and then there are things that definitely need to be enhanced in [the way it’s] currently written.”

Why HIPAA needs an overhaul.

“PHI is an acronym for personal health information or protected health information. We often now say ePHI, because it’s electronic personal health information that’s protected. HIPAA started with a hybrid formation of a record in just the infancy of electronic, and as we have progressed, the whole delivery of healthcare is different. How we receive care, how our caregivers and clinicians work with health information is totally different. And that’s one reason HIPAA needs a facelift.”

On interoperability.

“When the Notice of Proposed Rulemaking was released, I was very excited to see how they tried to modernize [HIPAA]. And they didn’t. What they did is make it more clunky, because now there are things in this Notice of Proposed Rulemaking that actually conflict with interoperability. And in my response back to HHS, I explained that you need to allow interoperability to come to full fruition. And if you do, you don’t need to modernize HIPAA, because it works from a standpoint of data protection for those who are authorized to access that information. Interoperability is going to force the release for those that have a need to know. We should be focusing on information flow for the right reasons—to improve population health—and try to negate bad actors.”

On the podcast, Rita discusses the need for patients to become better-informed decision-makers and partners in the process of controlling their data.

Listen Here

Edited by: Matt Maslin