The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and is the framework on which health data protection has been constructed. The regulation fundamentally acknowledged the value of health data and the need for protections. Despite the almost quarter-century that has passed since HIPAA was first enacted, there is relatively limited awareness of health privacy rights beyond compliance and legal experts.
Many individuals are unaware that the same health data that is protected when held by a covered entity – a healthcare provider, healthcare payer or business associate of one of those parties – is not protected if it is held by anyone else. Recently, the head of the Office of Civil Rights declared, “Buyer beware when it comes to the patient… the individual is the one to worry about what happens to their information when it goes to the third party… All questions are shifted to the consumer.” In this environment, patients must be their own advocates, evaluating privacy and security themselves as they select providers and partners.
Given this complex landscape, what should healthcare providers do?
Providers, payers and their business associates should ensure they stay abreast of current discussions about healthcare data privacy and security. Administrative actions include a proposed regulation from the Office of the National Coordinator for Health Information Technology (ONC) on healthcare data interoperability and exchange, as well as plans to revisit HIPAA. To learn more, download Ciox’s Guide to the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.