The existing regulatory framework is “not adequate because HIPAA was originally designed to facilitate the sharing of health information and … since that time there have been multiple updates to HIPAA to reflect the changing landscape (but) we don’t see that health information is flowing as needed, even with patient consent,” said former CMS official Lisa Bari, a consultant and interim CEO of the Strategic Health Information Exchange Collaborative, which includes 81 HIEs nationwide.
She noted that Congress ordered regulators to create new rules on interoperability and information-blocking in the 21st Century Cures Act to make it easier for providers, insurers and patients to exchange health data—mostly by requiring providers and insurers to adopt standardized application programming interfaces that connect IT systems like electronic health records with third-party apps. “That seems a little ridiculous. Doesn’t it? That you would have to pass a different law and write different regulations to stop something that, on its surface, should be facilitated by HIPAA. It’s not meeting the needs of today and what’s happening on the ground,” Bari said.
The new interoperability, info-blocking and HIPAA rules are an opportunity to make healthcare more data-driven.
But as more and more data begins to flow, policymakers will have to figure out how to regulate patient health information as it moves in and out of HIPAA-covered entities, such as when a patient connects their EHRs to an app like Apple Health.
Once that information leaves a HIPAA-covered entity, the Federal Trade Commission is mainly responsible for making sure it’s not misused.
Dr. Kenneth Mandl, director of the computational health informatics program at Boston Children’s Hospital, said the agency could enforce an app’s terms of service and end-user license agreement as they relate to privacy. But it might be challenging for regulators to take action, since those terms aren’t standardized across apps and offer varying degrees of consumer protection.
Insiders are also concerned about personal health information losing its HIPAA protection once it’s stripped of all personally identifying information because there’s a substantial risk that someone could still identify patients using sophisticated techniques like combining anonymized health records with other data sets. There are no clear consumer protections against re-identification in the U.S., except in California.
HIPAA also doesn’t safeguard health-relevant data created outside the healthcare system. For example, people with poor credit histories are less likely to adhere to their medication regimen than people with good credit profiles. Providers, insurers or third-party apps could use such information to help people better adhere to their medications. But an accountable care organization or Medicare Advantage plan could use that same information to exclude some people “because they’re not going to provide the outcomes that you’re hoping for from a healthcare or financial perspective,” Mandl said.
Experts worry that regulators won’t keep up with enforcement as more and more people share their personal health information with an ever-growing number of apps. Agencies like the FTC often lack the resources needed to enforce the rules, an issue that seems likely to intensify.