HIPAA needs to be modernized to improve patient access to health data and bolster security of the app ecosystem, American Medical Informatics Association and American Health Information Management Association leaders said at a Capitol Hill briefing on Wednesday.
While other industries have made progress improving access to information and the means to shop and compare the cost of products and services, healthcare has yet to catch up with its own comparable patient-centric system, the groups explained.
“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” said AMIA President and CEO Douglas Fridsma, MD. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”
“AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape,” AHIMA CEO Wylecia Wiggs Harris said. “The language in HIPAA complicates these efforts in an electronic world.”
To get there, the groups recommended a HIPAA modernization that would establish a “health data set.” Alternatively, HIPAA’s existing designated record set (DRS) definition could be revised, requiring certified health IT to electronically share the data with patients in a way that lets them see and use it.
Further, a revision of DRS would clarify the rule for both providers and patients.
The health data set would support a patient’s individual right to access their data while supporting development of the Office of the National Coordinator’s health IT certification program in the future.
The goal, the groups explained, is to let patients view, download, or electronically transmit their data to a third party and access the data through an API.
Adding to consumer data privacy concerns is the increasing number of mHealth and health social media applications that store, generate, and use health data. The groups argued that Congress needs to “extend the HIPAA individual right of access and amendment to non-HIPAA Covered Entities that manage individual health data,” including those mobile apps.
“The goal is uniformity of data access policy, regardless of covered entity, business associate, or other commercial status,” the groups explained.
“More than two decades after Congress declared access a right guaranteed by law, patients continue to face barriers,” said Thomas Payne, MD, UW Medicine Medical Director of IT Services. “We need a focused look at both the technical as well as social barriers.”
Federal regulators need to clarify the current regulatory guidance around third-party legal requests, the groups recommended.
“Health information management professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s protected health information,” Harris said. “We recognize there are necessary circumstances in which a patient has the right and need to direct their health information to an attorney.”
“However, AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient,” she added.
As a result, these IT professionals struggle to determine whether it’s “an authorization or patient access request, which has HIPAA enforcement implications,” she explained.
Healthcare leaders have been calling for an upgrade to the 22-year-old HIPAA regulation for several years. Currently, the industry is awaiting the Office of the National Coordinator’s guidance on info-blocking that was expected in the fall.
ONC last released guidance on common PHI access issues in 2016, outlining resources to help organizations with permissible data sharing.