Addressing HIPAA as an Obstacle to Health Data Exchange

Provider misconceptions about HIPAA compliance are holding back health data exchange, according to the head of ONC.

By Kyle Murphy, PhD

In a recent keynote address, National Coordinator Vindell Washington, MD, MHCM, addressed how a law to safeguard health data security and privacy is having an unintended negative impact on health data exchange.

Health data exchange at ONC

“I hear confusion about HIPAA almost everywhere I go in this job,” he told attendees of a healthcare journalism workshop. “People insist that HIPAA makes it difficult, if not impossible, to move electronic health data when and where it is needed for patient care and health. I wish I could talk to every doc and patient in the country to tell them, ‘This just isn’t true.’ But unfortunately, this misconception is widespread.”

According to Washington, HIPAA was in fact intended to do the opposite and still can, so long as provider education improves.

“In reality, HIPAA not only protects personal health information from misuse, it also enables the access, use, and sharing of protected health information among and between providers and their health IT systems when and where it is needed for patient care. Interestingly, survey data tells us that consumers already believe this type of information exchange happens as a matter of course. Sadly, it doesn’t,” he said.

"These misunderstandings of HIPAA and other business practices are inhibiting us from realizing the true potential for technology in supporting patients and clinicians," Washington continued. "Providing an individual with easy access to their health information empowers them, it helps put them in control of decisions regarding their health and well-being, and it helps them actively partner with their care teams as well."

As the National Coordinator detailed in his subsequent comments, increased patient access to health information has benefits for patient care and outcomes as well as data accuracy and integrity.

To mitigate these unintended consequences of HIPAA compliance, Washington pointed to numerous efforts by ONC to educate providers and payers, namely the federal agency’s work with the Office for Civil Rights to update the HIPAA Security Risk Assessment Tool.

However, the efforts of ONC and its sister agencies go well beyond that. Earlier this month, ONC issued a final rule to update the federal Health IT Certification Program, a major provision of which extends the federal agency’s certification authority to include the direct review of certified EHR technology and other health IT systems.

“More transparency and accountability in health IT is good for consumers, physicians, and hospitals,” the National Coordinator said at the time. “Today’s final rule strengthens the program by ensuring that certified health IT helps clinicians and individuals use and exchange electronic health information safely and reliably.”

Under the rule, ONC has the ability to suspend or terminate the certification of a health IT product if it is unable to fulfill in practice the certification requirements it was tested against. The impetus behind the move is to support provider confidence in certified health IT.

Meanwhile, the Centers for Medicare & Medicaid Services (CMS) finalized its rule for the Quality Payment Program, which includes an attestation by eligible clinicians of their willingness to cooperate with ONC’s direct review of certified EHR technology. Additionally, eligible clinicians must attest that they have supported health information exchange and have not blocked information by knowingly tampering with the health data exchange capabilities of their health IT systems.

Of the five requirements for eligible clinicians to complete the advancing care information performance category of the Quality Payment Program’s Merit-based Incentive Payment System (MIPS), two fall under the objective of health information exchange during the first performance period — sending a summary of care record and receiving/accessing a summary of care record.

Clearly, federal officials are pushing for more meaningful exchange of health information as far as Medicare is concerned.
