HIPAA: the Blu-Ray player of healthcare regulations
“I'm from the future. I came here in a time machine that you invented.”
- Marty McFly, Back to the Future
Back to the future
In the summer of 1996 President Bill Clinton signed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A few years later, in 2003, the HIPAA Privacy Rule went into effect, protecting 18 specified identifiers of a person’s identity from being released without consent. Since 2003 the HIPAA rules and requirements have not changed a whole lot. But the world sure has.
In 2003 there was a new thing called social media, led by something called MySpace. Early adopters were super excited about this new, cool device called a BlackBerry. People went home after work and watched network television coverage of the NASA Space Shuttle Columbia disintegrating upon re-entry and the US Army chasing down former Iraqi President Saddam Hussein. Or they turned on their brand new Blu-Ray player to watch the newly released Terminator movie starring some former body builder with a German accent.
And today innovators in the healthcare space jump through hoops to improve care delivery and patient experience constrained by a law enacted before many founders and leaders were out of grade school or even born.
The 18 special data points
The HIPAA Privacy Rule addresses the sharing of protected health information (PHI) in healthcare settings, as well as payment and administrative functions, by virtually any type of business operating in the healthcare market: providers, insurers, employers offering health insurance and vendors supporting those entities.
· Names
· Geographic data
· Dates (other than year)
· Phone numbers
· Fax numbers
· Email addresses
· Social Security numbers
· Medical record numbers
· Health insurance information
· Account numbers
· Certificate/license numbers
· Vehicle identifiers
· Device identifiers
· Web addresses (URLs)
· Internet Protocol (IP) addresses
· Biometric identifiers
· Full face photographic images
· Other unique identifiers
The law has been interpreted to include genetic information and prohibits the use of that data when underwriting health insurance. To date the prohibition on using genetic data has not been applied to life, disability and long-term care insurance.
But in the real world of 2024
Imagine your kid breaks their arm playing a weekend soccer match. You take her to the nearby General Hospital emergency room where she receives great treatment from a friendly, helpful team of nurses and doctors. You are appreciative and snap a photo with your smartphone of your daughter and a couple of the nurses. You post the photo to your daughter’s Instagram account, adding a note about how great the team at the General Hospital is and naming the two nurses, Brenda and Glenn, in the post.
All good, except the social media algorithm will now add the image via facial recognition to its database, linking the identities of all three people to the General Hospital emergency room with time, date and rich metadata. You pay your daughter’s copayment as you leave with your Flexible Spending Account card that operates on the Visa platform. That transaction is added to your profile in the Visa database, a database leveraged by third parties including AI platforms. On the way home you stop at the Walgreens pharmacy to pick up some prescription medications for your daughter. The name of the drug, the prescribing provider, and the time and date of the transaction are all recorded in both the Walgreens customer database and the Visa database. While your daughter is going to be fine, there is a rich trail of electronic data documenting the events of the day, much of which resides outside the realm considered by HIPAA in 2003.
What does this mean?
The question is not whether protecting personal health data is critical; it is. But using a law crafted when MySpace and BlackBerrys were the leading technology of the day is a fool’s errand. Implementing all aspects of HIPAA, including the launch of electronic medical records, has been estimated to have cost the healthcare industry more than $22B. Twenty years later it is worth asking if consumers and providers continue to get their money’s worth.
HIPAA has created an enormous administrative burden across the industry. It is also clear it has created constraints on new market entrants and start-ups looking to move the industry forward. A 21st Century healthcare industry needs a privacy law written in the 21st Century, not a law from two decades ago. It is past time for the US Department of Health and Human Services to get us into the current century.
Copyright 2itive 2024
2itive is a Portland based consultancy founded by Erik Goodfriend, offering a unique combination of market intelligence, knowledge of healthcare payment systems and creative business strategy insights. Feel free to contact us at info@2itive.com