Addressing the Inadequacies of HIPAA: Law and Politics Involving Healthcare IT

There have been many technological advances since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) came into effect. While this legislation is still considered the benchmark for protecting the medical privacy of over 300 million citizens in the United States, it is now outdated and inadequate for protecting the privacy of health-related data generated outside of the health care system. The inadequacies of HIPAA regarding IT and electronic records have prompted the need for new legislation to protect the privacy of patient data.

What Does HIPAA Still Get Right?

HIPAA still bars most medical providers from sharing protected health information, namely personally identifiable information (PII) tied to patients’ medical conditions and treatments, which could be used against patients. Under HIPAA, it is difficult to share data and conduct research outside of the provider’s operating environment. Patients must give written consent before their data can be disclosed to others, including their own family members.

What Does HIPAA Get Wrong?

One of the biggest weaknesses of HIPAA today is that it does not protect the massive amount of data that individuals create every day through their use of electronic devices, apps, and shopping services, right down to their use of social media. For example, consider how data is being obtained and used by Fitbit devices, Apple Watches, and fitness and fertility apps. This data is not covered under HIPAA and is not protected from being shared with health insurers, life insurance companies, and marketers.

Another weakness is that while health providers cannot sell your data with your PII attached to it, they can share it once your PII is stripped from it. This continually happens with data that is sold to the pharmaceutical industry.

What Is Being Done to Address HIPAA’s Inadequacies?

New legislation and proposals have been introduced to address conditions involving IT and electronic records that did not exist back in 1996 when HIPAA was introduced. These new laws and proposals include:

  • The American Data Dissemination Act, introduced by Sen. Marco Rubio (R-FL)
  • A proposal by the Information Technology and Innovation Foundation (ITIF) to allow more transparency, data interoperability, and requirements for the opting-in of users before allowing the collection of sensitive personal data
  • The 21st Century Cures Act (Cures Act), promoted by the INC, which is intended to improve the exchange of electronic health information

The laws regarding the protection of patient data need to reflect the changes that have occurred since the implementation of HIPAA. While HIPAA has served its original intent, it can no longer fully protect patients’ medical information to the extent that it needs to be protected.