Federal and state regulations surrounding health data privacy are being revisited, and new ways of thinking about the privacy of one’s data more generally are being developed in an effort to keep up with the challenges that advances in technology present to the public. It has become clear to a multitude of stakeholders that the Health Insurance Portability and Accountability Act (HIPAA) statute is not equipped to address the present-day issues that covered entities and business associates experience when it comes to patient data privacy in today’s technologically driven world. In addition, as new market entrants enter the health ecosystem, how we think about data privacy broadly needs to evolve. As a result, a lack of clarity in HIPAA’s application and intersection with other privacy regulations may be an unintended barrier to broader information sharing as well as efforts to better engage patients in their own care.
What types of health data are protected under law is not evident to the average person. The lack of educational awareness, together with the lack of clarity regarding the scope of HIPAA, who is obligated to abide by it, and how it is interpreted, enforced and intersects with other privacy laws, has created significant gaps in compliance and enforcement.
A main area of contention, and one that is often unclear, is what constitutes protected health information under HIPAA and what does not. It is becoming increasingly challenging for regulatory agencies to keep up to date with the speed and scale of information shared. This lack of clarity only reinforces the importance of harmonizing HIPAA with other privacy-related laws, both at the federal and state level. The patchwork of existing laws focused on information privacy may lead to an overly broad interpretation of what kind of information is protected.
Federal agencies must work together to foster the development of robust, up-to-date privacy and security frameworks and guidance to encourage widespread adoption, acceptance, and trust of new, innovative technologies that support the free flow of information between patients and providers. States also have a role to play in how their laws interact with federal data privacy regulations.
This infographic demonstrates HIPAA’s scope and how other privacy laws that intersect with it draw us further away from clarity on when an individual’s data can be shared, and the protections that exist in keeping that information secure. These areas of ambiguity will be highlighted, as appropriate. Overall, health data privacy laws, at the federal and state levels, will need to evolve as the needs of patients shape new ways of delivering healthcare and technology progresses to assist in that transition.
The HIMSS policy team works closely with the U.S. Congress, federal decision makers, state legislatures and governments, and other organizations to recommend policy as well as legislative and regulatory solutions to improve health through information and technology.