Two healthcare stakeholder organizations on December 5 told members of Congress that modernizing the 22-year-old HIPAA law is necessary.
Such an effort to update the law would improve patient access to their health data, while also better protecting data in the era of an app ecosystem, the organizations contend.
The American Medical Informatics Association and the American Health Information Management Association updated federal congressional members on how federal policies are impacting patients’ ability to access and use their health data.
“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research and empower patients to live healthy lifestyles,” says Doug Fridsma, MD, president and CEO at AMIA. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”
Specifically, patients face challenges in accessing their data and the language in HIPAA, created in a non-electronic healthcare environment, “complicates these efforts in an electronic world,” adds AHIMA CEO Wylecia Wiggs Harris.
Consequently, the associations suggest modernizing HIPAA by establishing a new term, “Health Data Set,” which would include all clinical, biomedical and claims data maintained by a covered entity or business associate, or revising the current HIPAA “Designated Record Set” definition and require Certified Health IT technology to provide the amended “Designated Record Set” to patients electronically in a way that makes the data usable.
Creation of a new “Health Data Set” via a new definition would guide future development of the ONC certification program for information technologies in a way that patients could view, download or transmit their data to a third party electronically and access the information via an application programming interface.
Further, the growing use of mHealth and social media applications that generate, store and use data will require an industry conversation on consumer data privacy.
Congress, the associations noted, “should extend the HIPAA individual right of access and amendment to non-HIPAA covered entities that manage individual health data, such as mHealth and health social media applications. The goal is uniformity of data access policy, regardless of covered entity, business associate or other commercial status.”
Federal regulators also should look at clarifying regulatory guidance related to third-party legal requests such as those by attorneys seeking information without appropriate patient-direction, the associations say.
“More than two decades after Congress declared access a right guaranteed by law, patients continue to face barriers,” says Thomas Payne, MD, medical director of IT services at UW Medicine in Washington State. “We need a focused look at both the technical as well as social barriers.”
More information including a congressional issue brief is available here.