This blog post is a writing assignment for HIMT 1200: Legal Aspects of Healthcare, part of the Health Information Management Technology (HI13) Associate of Applied Science Degree program at Georgia Northwestern Technical College.
HIPAA was enacted in 1996, around the time the Internet came into widespread use, and is now over 20 years old. Many in the healthcare industry want to see HIPAA updated or replaced because the Internet and other technologies have changed so much since then. Mobile devices and apps, electronic health records (EHRs), telehealth, social media, Fitbit and other wearable trackers have all outpaced the privacy laws written for an earlier era. Even the 2009 HITECH Act and the 2013 Omnibus Rule did not update HIPAA enough to keep up with these advances, so a gap remains between national privacy and security law and technological reality (Butler, 2017).
State laws regarding protected health information (PHI) are often much stricter than federal law. HIPAA sets the floor, or minimum, for privacy protections, and state laws that are more stringent continue to apply. Some healthcare professionals want HIPAA replaced with a single, broad national privacy and security law governing all protected health information. Such a law would act as a regulatory ceiling rather than a minimum (Butler, 2017).
More stringent state laws have helped improve HIPAA over time. The 2003 and 2009 HIPAA updates added privacy and security protections that had first been adopted at the state level. Without those stricter state regulations, HIPAA would not have breach notification requirements, because the states introduced them first. So while some in healthcare want HIPAA overhauled, others argue that federal preemption of state law should not be allowed, precisely because such good ideas originate with the states. HIPAA may well need continued updating, but it seems important that stricter state laws keep their vital role in privacy and security (Butler, 2017).
HIPAA protects patient data and privacy, and it also sets rules for when data counts as de-identified, through two standards: Safe Harbor and Expert Determination. Under Safe Harbor, data is considered de-identified when all 18 specified categories of identifiers have been removed and the covered entity has no actual knowledge that the remaining information could identify the patient. Examples of those identifiers include dates related to the individual (other than the year, such as a date of service), telephone numbers, and geographic subdivisions smaller than a state such as a ZIP code, of which only the first three digits may be kept, and only when that three-digit area has a large enough population. HIPAA treats the remaining risk of re-identifying anyone as low, so properly de-identified data is no longer PHI, is not protected by the Privacy Rule, and may be shared freely (Simon, 2019).
Re-identification can still put patients at risk. An intruder working with a de-identified database can match records back to real people, deliberately or accidentally, by using identifiers they already know. The intruder may recognize someone they know personally, or may use public information such as social media posts or sports team membership lists and rosters (El Emam, 2009).
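The two paragraphs above describe the Safe Harbor rules and the residual re-identification risk in the abstract. The following Python example, added here and not part of the original post or of any cited paper, applies the Safe Harbor generalizations (drop direct identifiers, cut ZIP codes to three digits, reduce dates to years, bucket ages of 90 and over) to constructed sample records, then measures the smallest group of rows that share the same quasi-identifiers, which is the k in k-anonymity. The field names, the sample patients and the choice of quasi-identifiers are assumptions for illustration; the list of restricted three-digit ZIP prefixes is the one published in HHS Safe Harbor guidance based on 2000 Census data and should be re-verified before use.

```python
"""Safe Harbor de-identification of patient records, followed by a simple
equivalence-class (k-anonymity style) check of the residual re-identification
risk. Constructed example; field names are assumptions, not a HIPAA schema."""
from __future__ import annotations

from collections import Counter
from datetime import date

# Three-digit ZIP prefixes that HHS Safe Harbor guidance (based on 2000 Census
# data) lists as covering 20,000 or fewer people; these must be set to "000".
# Re-verify against current HHS guidance before relying on this list.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Fields holding direct identifiers that Safe Harbor removes outright
# (names, phone/fax, email, SSN, MRN, plan/account/licence numbers,
# vehicle/device IDs, URLs, IPs, biometrics, photos). Field names are
# assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless that prefix is restricted."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules to one record.

    Direct identifiers are dropped, the ZIP code is cut to three digits,
    dates are reduced to their year, and ages of 90 or more are collapsed
    into a single "90+" bucket with the birth year removed as well, since
    that year would reveal the age.
    """
    out: dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            age = age_on(value, as_of)
            if age >= 90:
                out["age"] = "90+"  # no birth year: it would give away the age
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[field.replace("_date", "_year")] = value.year
        else:
            out[field] = value
    return out


def smallest_equivalence_class(records: list[dict], quasi_ids: tuple[str, ...]) -> int:
    """Size of the smallest group of rows sharing the same quasi-identifier values.

    A result of 1 means at least one de-identified row is unique on those
    fields, so anyone who knows those facts about a patient (the intruder who
    knows them personally, in El Emam's terms) can single out that row.
    """
    classes = Counter(tuple(r.get(q) for q in quasi_ids) for r in records)
    return min(classes.values())


# Constructed sample records (not real patients).
AS_OF = date(2021, 10, 25)
SAMPLE = [
    {"name": "A. Example", "ssn": "000-00-0001", "zip": "30161", "sex": "F",
     "birth_date": date(1970, 3, 14), "service_date": date(2021, 6, 2), "dx": "E11.9"},
    {"name": "B. Example", "ssn": "000-00-0002", "zip": "30165", "sex": "F",
     "birth_date": date(1970, 11, 30), "service_date": date(2021, 7, 9), "dx": "I10"},
    {"name": "C. Example", "ssn": "000-00-0003", "zip": "30161", "sex": "M",
     "birth_date": date(1929, 1, 5), "service_date": date(2021, 1, 20), "dx": "J44.9"},
    {"name": "D. Example", "ssn": "000-00-0004", "zip": "03601", "sex": "F",
     "birth_date": date(1985, 8, 8), "service_date": date(2021, 3, 3), "dx": "M54.5"},
]


def run_demo() -> tuple[list[dict], int]:
    """De-identify the sample and report the smallest equivalence class."""
    deid = [deidentify(r, AS_OF) for r in SAMPLE]
    k = smallest_equivalence_class(deid, ("zip3", "birth_year", "sex"))
    return deid, k


if __name__ == "__main__":
    rows, k = run_demo()
    for row in rows:
        print(row)
    print("smallest equivalence class on (zip3, birth_year, sex):", k)
```

Running it shows the point of both paragraphs: every row passes Safe Harbor (no names, SSNs or full dates remain, the restricted "036" prefix becomes "000", and the 92-year-old is reported only as "90+"), yet two of the four rows are still unique on ZIP prefix, birth year and sex, so k is 1. Someone who knows a patient's neighborhood, age and sex can pick out that patient's diagnosis, which is exactly the residual risk the Expert Determination standard and papers like El Emam (2009) and Simon (2019) set out to measure.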
Butler, M. (2017, April). Is HIPAA Outdated? While Coverage Gaps and Growing Breaches Raise Industry Concern, Others Argue HIPAA is Still Effective. AHIMA. https://library.ahima.org/doc?oid=302073#.YXYVB7jMKMq
El Emam, K., Dankar, F. K., Vaillancourt, R., Roffey, T., & Lysyk, M. (2009, July). Evaluating the Risk of Re-identification of Patients from Hospital Prescription Records. NCBI. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2826964/
Simon, G. E., Shortreed, S. M., Coley, R. Y., Penfold, R. B., Rossom, R. C., Waitzfelder, B. E., Sanchez, K., & Lynch, F. L. (2019, March 29). Assessing and Minimizing Re-identification Risk in Research Data Derived from Health Care Records. NCBI. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6450246/
Assignment 10.1 - Amy Haisten
Featured Image: Stock Photo, Photo Source: Metro