Healthcare Information Security

AHA Supports Health Data Sharing Bill, Urges Data Security

By Elizabeth Snell

The American Hospital Association (AHA) said in a recent letter to US House Committee on Energy and Commerce Chairman Fred Upton that it supports the recently proposed health data sharing bill, 21st Century Cures.

Not only would the bill eliminate current barriers to information sharing needed in more clinically integrated settings, it would also accelerate the discovery of new cures and improve health care innovation, the AHA said in its letter.

“The AHA supports that the bill would eliminate current barriers to information sharing needed in more clinically integrated settings, such as accountable care organizations,” the AHA stated.

However, health data security is still a critical aspect of the information sharing process, according to the AHA. The Committee’s attempt to “relax” HIPAA will allow greater access to health data for research purposes, but the AHA said this is also concerning because the current draft is “too broad in its use and disclosure of personal health information.”

“We urge the committee to ensure an appropriate level of protection for the security, integrity and accessibility of these data,” the AHA explained. “Hospitals take seriously the trust patients place in them to maintain confidentiality.”

Currently, HIPAA regulations state that PHI can be used or disclosed for another hospital’s or health care provider’s health care operations only when both entities have – or have had – a relationship with the particular patients whose information is shared. Even then, PHI can only be disclosed and used for activities that expressly qualify as quality assessment and improvement, the AHA said. Greater flexibility in HIPAA is needed, according to the AHA, so healthcare reform can properly take place.

The AHA went on to explain its support:

The AHA supports the elimination of the current rule’s requirements that would prevent or inhibit undertaking robust population-based analyses in a clinically integrated setting that are essential to improving the quality of care, creating better patient outcomes, and making health care delivery less expensive, more efficient and easier to navigate for patients and providers alike. We believe that the HIPAA medical privacy regulation should permit PHI to be used by and disclosed to all participating providers in an integrated care setting without requiring that individual patients have a direct relationship with all of the organizations and providers that technically “use” and have access to data that meets the rule’s definition of PHI.

A necessary level of protection must still be in place to ensure that patient data remains intact and secure as it is exchanged, the AHA added.

“If it is determined that there is a need in limited special circumstances to ensure greater confidentiality and privacy protection for an individual patient’s information, the PHI used and disclosed in an integrated care setting could be stripped of all direct individual patient identifiers,” the letter stated.

Even with its overall support of the draft, the AHA explained that the bill is too broad when it describes how patient-specific data can be accessed. This could potentially undermine the relationship between providers and patients.

“The bill’s endorsement of researchers’ access to PHI remotely comes at the expense of unnecessarily increasing cybersecurity vulnerabilities and risks for the information systems of covered entities and significantly raising liability exposure for covered entities,” the AHA said.

