Much has changed in the years since HIPAA was first passed into law, not the least of which is the use of mobile technology in healthcare. As a physician, patient, and healthcare technology business leader, I have experienced numerous frustrations and inefficiencies resulting from practices struggling to adhere to the letter of the HIPAA law rather than embracing its spirit.
While protection of privacy is obviously important, countless dollars have been wasted implementing and following misguided processes that attempt to protect patients but likely led to suboptimal care and stifled innovation. As in all areas of modern life, regulation cannot keep pace with advances in technology. Consumers deserve a refresh of HIPAA that offers more immediate and convenient control over how their health information is shared, reflecting the broad role of technology without trying to script every possible scenario.
In January 2013, HHS announced the long-awaited HIPAA final omnibus rule. Some critics say the rule doesn’t go far enough to address the security realities and vulnerabilities in today’s mobile health environment. After all, news of prestigious firms with robust security practices suffering breaches is unfortunately becoming commonplace, which underscores the capabilities of the determined parties behind these events. Just as regulation struggles to keep pace with innovation, security practices face an ongoing challenge to keep pace with attackers. As in other areas of healthcare IT, we advocate for consistency from policy makers whenever possible. Regulation should focus on setting acceptable bars of best-practice methodology rather than trying to force specific technologies that will be out of date almost immediately. For example, establish the principles behind dual (two-factor) authentication, including when it is appropriate to use, while allowing innovators to leverage novel advances as they emerge to accomplish the inherent goal.
The HHS Office for Civil Rights (OCR) released a new platform to provide mobile health developers a sounding board to ask questions, voice concerns, and ‘spitball’ ideas about HIPAA and its interplay with the health IT space. One can only hope this was done in the spirit of understanding that innovators are already in tune with a growing demand among caregivers and consumers for more real-time, intuitive, and convenient modalities of care and support – and that our experience with HIPAA to date illustrates why we cannot let the letter of the law get in the way of its true intention.
We live in a world where people trade their privacy for convenience on a daily basis. Let’s face it: the fundamental business model of all internet commerce still comes down to highly targeted advertising driven by data collected on our behavior and preferences. As the business model of healthcare increasingly centers on value, risk shifts, and spending comes increasingly under the control of individual consumers. These consumers already show a willingness to trade data for convenience and price in many areas of their lives. I think many components of healthcare will be no different.
Blindly applying HIPAA to all things claiming to be healthcare-related would be disastrous. Instead, consumers need easy-to-understand transparency and real-time control over the use of their information. The rest of the world is way ahead of healthcare on this one. If we don’t catch up, we will never be able to achieve the kinds of advances we need on quality, cost, access, and experience.