Changes to the Health Insurance Portability and Accountability Act (HIPAA) that would reduce unnecessary barriers to medical record sharing are long overdue. It is critical, however, that these changes are implemented in a way that facilitates data-driven healthcare innovation while at the same time strengthening privacy and security protections. Quite simply, HIPAA needs to be updated in order to meet the needs of 21st century healthcare. Why we need a HIPAA for the 21st century The whistleblower who leaked the Google project with Ascension created a tectonic shockwave through the healthcare world. With this announcement, the public learned how private entities are using their healthcare data for their own motives. However, despite the uproar, Google’s use of sensitive medical records is likely permissible under the current healthcare privacy law known as HIPAA. This Clinton-era legislation was signed into law in 1996. Under this law, copies of patient records are shared freely among clinics, hospitals, health insurance plans, pharmaceutical developers, and life science companies to perform a wide array of activities unbeknownst to patients. We will surely see more partnerships like Google and Ascension’s in the future. Digital medical data is very valuable to mine for new treatments and insights for better care. But we need to balance data privacy, security, and ownership rights against the enormous benefits gained from this real-world clinical data. We need HIPAA for the 21st century. Who uses the data and for what purposes? Under HIPAA, there are covered entities (e.g. health plans and providers) and their business associates. The latter are defined as organizations that assist with tasks related to treatment, payment, or quality-related activities. Some business associates gain access to medical records to help covered entities determine proper reimbursement. Others use them to coordinate, manage, measure, and deliver care. For these activities, multiple copies of patient records, both fully identified and de-identified, are used, analyzed, and stored electronically by companies. Healthcare data has been shared in this manner with covered entities under HIPAA for decades. But not until recently did any of these entities have the kind of wide reach and computing power of Google, Microsoft, or Amazon. More importantly, who controls the data? Big tech companies already hold lots of other sensitive data about consumers collected from apps, devices, and websites. This data can then be cross-referenced with other types of information for marketing purposes. Imagine a world in which Google has access to your search history, emails, purchase history, whereabouts, exercise patterns, habits, friends, preferences, and now your medical records. What might they do with all this information? The answer is unclear, but patients may not have much recourse to stop it under the current privacy law. Patients who seek care at a doctor’s office or hospital routinely sign complicated forms that authorize the sharing of their data. This paperwork appears to patients to be required in order to get care. Therefore, few, if any, patients refuse to sign them. As a result, patients allow companies to access their healthcare data without understanding who is using it for what purpose. Effectively, the gatekeepers of healthcare data are not the patients themselves but the providers, hospitals, and health insurance plans that hold the information. What if you want access to your own healthcare data? Meanwhile, if an individual patient wants access to their own healthcare data, it is not easy. They must go through expensive and time-consuming hurdles to gather, store, and update medical records from each facility they’ve visited for care. The patient is often missing information—and so are their clinicians, which puts them at a disadvantage. Unfortunately, there are incentives to keep these data silos in place. Even though there are some interoperability standards for data sharing and requirements for electronic record systems to be able to send records to other systems, they are not widely followed. This puts patients at risk just as much as sharing their data with outside organizations for ambiguous business purposes. HIPPA in the age of digital health We are now living in the age of digital health. Increasingly, healthcare is being delivered with the aid of remote monitoring devices, wearables, smartphones, and other connected devices. All these instruments create, transmit, and store large amounts of data. When these data are combined with electronic health records and genetic information, a very rich health profile for an individual can be assembled. If these profiles are combined into large data sets, researchers can discover new therapies and treatments. They can also learn what works in specific populations and even run virtual clinical trials. The FDA is a proponent of using these types of data for studies of drugs and devices both before and after approval. But there is no provision under HIPAA that allows for fully-identified medical records to be shared for research purposes. Medical records stripped of personal health information, such as name and address, could be shared and used by non-covered entities. But even with such de-identified charts, there are proven ways to unmask the patient identity related to a given record. In this case, it is preferred for researchers, academic institutions, or companies to obtain explicit patient approval. HIPAA needs to be updated to meet the needs of the 21st century HIPAA is long overdue for an update to enable medical record sharing for healthcare innovation while strengthening privacy and security protections. Access to patient records should be limited to care providers or health plans for specific purposes–treatment, care management, or payment decisions–as is the case under current law. If these covered entities want to engage vendors and service providers to assist with these activities, then the information should be carefully monitored with respect to access, use, and storage under specific rules of engagement. Individuals should have the ability to obtain a copy of their data retrieved by health plans or providers from their systems to support activities. The next generation of HIPAA should govern the safe and effective use of patient data for research purposes. The research and life science industry should not have to rely on data shared by healthcare organizations for their own enrichment. If healthcare consumers could have easier access to their own data, they could choose to share it more widely. For example, they might elect to share with Google or Amazon, or any number of big tech or life sciences companies to enable new discoveries. They could also help facilitate truly personalized care as a result of data-driven insights. The bottom line Digital healthcare data holds answers to lots of questions about diagnosis, treatment and care delivery. We need to create a regulatory regime that safeguards sensitive information while enabling data availability to unlock innovation. Source