July 2016

HIPAA Hits 20
By Lee DeOrio
For The Record
Vol. 28 No. 7 P. 3

When constructing a law or doctrine, I imagine it is near impossible to account for sociological and technological changes that may occur years down the road. For example, take the constitutional right to bear arms. At the time, the United States was coming off a nasty battle with the blokes from Britain, leaving the Yanks with the impression that it would be wise if ordinary citizens were permitted to defend themselves—or revolt—against a tyrannical government. Whether that remains the case today is arguable.

Next month marks the 20th anniversary of HIPAA becoming law. To say a lot has changed in the health care industry over that time would be akin to saying Donald Trump is a polarizing figure. From meaningful use and MACRA to ICD-10 and telemedicine, it's been a whirlwind.

HIPAA's goal was undoubtedly noble: While encouraging the increase in electronic health data interchange, protect sensitive patient information from unnecessary exposure. Really, who could argue with that ideal? Sure, health care organizations may have to adjust and tweak a bit, but in the long run patients would be better served, and hard-earned industry reputations would remain intact.

As it turns out, there have been many unforeseen situations and circumstances in which how to apply the law has been the subject of debate and confusion. Prior to 1996, a physician may have thought nothing of sharing a unique case with a colleague not involved in that patient's care. Now, such an exchange is off limits—or is it? And how would that be enforced?

HIPAA factoring into the Orlando, Florida, tragedy left many scratching their heads. Could there really be an issue with hospital officials sharing information with the victims' loved ones? Of course there's not, but that didn't prevent media outlets from surmising that the federal government—at the request of Orlando's mayor—was going to have to step in to allow grieving families to know what was going on.

Social media, mobile devices capable of snapping a photo at a moment's notice, EHRs, e-mail, the growing thirst for research data, and patient portals have reshaped health care's landscape and complicated matters associated with protecting patient information. Has HIPAA adapted accordingly? Do the truths present in 1996 no longer exist? The fundamental aim may remain—the need to protect health information—but perhaps the rules can no longer be applied in the same manner.

Some industry constituents would like to make HIPAA out to be a maze of wrong turns and dead-ends, paralyzing providers to the point that they would rather sit on their hands than release information. But instead of having to master the nuances of law, perhaps it would be better to advise health care professionals to use a different kind of knowledge: common sense.

edit@gvpub.com