When you ask anyone about health care privacy, HIPAA will ultimately come up in the conversation. HIPAA refers to the Health Information Portability and Accountability Act. But most people don’t understand what HIPAA is. Many think HIPAA is broader than it is, ensuring privacy of all of your health information. Many don’t realize they need to or don’t want to be compliant with HIPAA or how to do so. Then there is the ultra rhetoric that every last bit of information should be private. So what is HIPAA? What does privacy mean with regards to health care? And what is on the horizon as the world changes to incorporate more technologies in health care?
For full information about HIPAA – go to the Dept. of Health & Human Services, Office of Civil Rights website.
There are 2 parts to HIPAA
- The Privacy Rule
- The Security Rule
These rules apply to “covered entities” which include health care providers, health plans, or health care clearinghouses and their “business associates” or people that do work on behalf of the covered entity (e.g. billing). Covered entities must comply with federal rules and regulations to ensure the privacy and security of “protected health information” (PHI) and to give patients rights to access their health information. PHI is broad and covers almost all of the information associated with your health care you can think of. To comply with HIPAA Covered Entities must have policies and procedures in place to train their staff and volunteers on both privacy and security. They have to name a Privacy Officer and a Security Officer to report breaches of privacy to. They have to be able to account for each disclosure of information of a patient’s health information if asked. They have to have certain technologies on their computers to ensure data can’t be hacked (basically). They have to have to notify individuals and in some cases the Secretary of HHS of privacy breaches. And if they have Business Associates, they have to get assurances that the Business Associate will have their own policies and procedures for keeping PHI safe. And many more requirements. Otherwise they face steep fines (up $1.5 million annually in civil penalties and up to $250,000 and 10 years imprisonment in criminal penalties) (Blue Cross Blue Shield of Tennessee just settled a privacy breach case).
HIPAA was further strengthened and expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act of the American Reinvestment and Recovery Act (“Stimulus” bill) that was passed in 2009. HITECH strengthened sanctions for HIPAA violations (to the extent listed above) and expanded requirements for the interactions between Covered Entities and Business Associates
What is private?
Most people think HIPAA covers all of their health information, but it doesn’t. Privacy is up to the discretion of anyone who is not a Covered Entity or a Business Associate. For instance, a website or phone application that tracks certain health information. Or a personal health record stored online
There are other organizations that don’t think they have to comply with HIPAA because they don’t realize they are business associates and thus don’t have the proper policies in place and can’t keep your PHI safe or privat.
As such, when giving your health information to anone, and you want to keep it private, ask about their privacy policies and/or training procedures. Then decide if you want to share that information. Training for organizations should be intensive and all incorporating. Policies should be clear and posted on a website or easily accessible when asked. After you have this information, consider what you do/don’t want to share
The Future of Privacy
The future of health technologies is incredibly exciting. I was thrilled to get to go to the Health 2.0/StartUp Health party at SXSW in Austin this week where I met a whole crowd of innovators – engineers, software developers, students, professors, venture capitalists, designers. How incredible to hear what the future of health care might look like! The ideas are boundless and will surely empower patients to and engage doctors in improving health.
But as I told many people there, they shouldn’t necessarily worry about current policies regarding privacy and security of health information, but policies to come. These companies and entrepreneurs will have to set the standards for this field which will be intensely scrutinized as more people explore where their information is going and what that means. Currently, there are very few guidelines as to what needs to be kept private and how to do so and the consequences for breaches of privacy in health information. Electronic Health Records are maintained by providers and thus will be subject to HIPAA, and HIPAA along with HITECH is probably sufficient to keep PHI private. Even then there is a lot of discussion of whether more regulation needs be in place
What about other applications and websites. There are some pretty impressive ones out there. Microsoft Health Vault has a great way to create a personal health record. Simplee.com helps individuals understand their health care expenses – making the Explanation of Benefits (EOBs) you get in the mail understandable. There’s Ginger.io that turns your mobile data into health insights such as behavioural patterns. And there’s Medify whose mission is to help “people managing important health situations discover what works for people like them, and to get help from those they trust most.” At SXSW, I met people from Solvable.co, MedTouch, Learn It Live, a bunch of innovators who have worked with StartUp Health, and many others. I didn’t even touch. But my favourite new website is PatientsLikeMe which allows you to track symptoms of your conditions, give feedback on treatments, and talk to others who have similar conditions or use similar treatments. Yet with all of these ideas, and more coming each day, where does privacy stand? As I said, it’s up to the developer or company. And it’s up to you.
Should it all be private?
Should all health information be private? PatientsLikeMe proposes an interesting idea of openness. Yet most people want to keep their information private at all costs. This is understandable – having your information released can affect many aspects of your life from employment to purchasing life insurance (luckily under the Affordable Care Act pre-existing conditions won’t matter) to lawsuits to relationships. Health conditions come with stigmas whether physical or mental unfortunately which negatively impact many peoples’ lives.
But what if we were more open about that information? Some worry about others obtaining their genetic code – but what would we do with all that information? Maybe we fear too much. And if we are all more open, could we bring down the stigmas that hold us back? And if we are more open, will we improve health care? To that last point, PatientsLikeMe thinks we can. They have an interesting “Openness Philosophy.” I myself was tentative as I explored the website, but it truly is the most integrative site I’ve seen and perhaps one of the most useful that’s come out. But a lot of the information is public. So each individual has to consider whether they want to be open. I have shared some, but am I ready to share more? And what privacy will exist when I ask my doctor to see my record? Or when someone wants to talk to me about my conditions and treatments? It’s a scary thought, but I am taking that leap (at least a tiny one) after reading their philosophy…
You see, we believe sharing your healthcare experiences and outcomes is good. Why? Because when patients share real-world data, collaboration on a global scale becomes possible. New treatments become possible. Most importantly, change becomes possible. At PatientsLikeMe, we are passionate about bringing people together for a greater purpose: speeding up the pace of research and fixing a broken healthcare system.
Currently, most healthcare data is inaccessible due to privacy regulations or proprietary tactics. As a result, research is slowed, and the development of breakthrough treatments takes decades. Patients also can’t get the information they need to make important treatment decisions. But it doesn’t have to be that way. When you and thousands like you share your data, you open up the healthcare system. You learn what’s working for others. You improve your dialogue with your doctors. Best of all, you help bring better treatments to market in record time.
PatientsLikeMe enables you to effect a sea change in the healthcare system. We believe that the Internet can democratize patient data and accelerate research like never before. Furthermore, we believe data belongs to you the patient to share with other patients, caregivers, physicians, researchers, pharmaceutical and medical device companies, and anyone else that can help make patients’ lives better.
Will you add to our collective knowledge… and help change the course of healthcare?
Maybe health information shouldn’t be completely private? Maybe we should break the stigmas of our conditions? Maybe we should realize that any policies in place will never truly and completely keep our PHI private and secure? We have HIPAA but many misunderstand it and many don’t use it properly and we don’t know exactly what will come with new technologies on the horizon. So the privacy questions remain – what is privacy of health information? And what will it be?