Modernization of the 22-year-old Health Insurance Portability and Accountability Act (HIPAA) would improve patients’ access to their health information and protect their health data in a burgeoning app ecosystem, according to two leading health IT industry groups.
During a briefing on Capitol Hill Wednesday, leaders with the American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA), health informatics and health information management experts discussing how federal policies are impacting patients’ ability to access and leverage their health data.
While other industries have advanced forward with digital technology and have improved individual’s access to information, and the ability to integrate and use information, such as booking travel and finding information about prices and products, healthcare has lagged. Healthcare has not been able to create a comparable patient-centric system, AMIA and AHIMA leaders attested.
“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” AMIA president and CEO Douglas B. Fridsma, M.D., Ph.D., said in a statement. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”
“AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape,” AHIMA CEO Wylecia Wiggs Harris, Ph.D. said. “The language in HIPAA complicates these efforts in an electronic world.”
AMIA and AHIMA recommend that policymakers modernize HIPAA by either establishing a new term, “Health Data Set,” which includes all clinical, biomedical, and claims data maintained by a Covered Entity or Business Associate, or by revising the existing HIPAA “Designated Record Set” definition and require Certified Health IT to provide the amended DRS to patients electronically in a way that enables them to use and reuse their data.
According to AMIA and AHIMA, a new definition for “Health Data Set” would support individual HIPAA right of access and guide the future development of ONC’s Certification Program so individuals could view, download, or transmit to a third party this information electronically and access this information via application programming interface. Alternatively, a revision of the current DRS definition would provide greater clarity and predictability for providers and patients.
The groups also noted that a growing number of mHealth and health social media applications that generate, store, and use health data require attention as part of a broader conversation regarding consumer data privacy.
Congress should “extend the HIPAA individual right of access and amendment to non-HIPAA Covered Entities that manage individual health data, such as mHealth and health social media applications, the two groups said. The goal is uniformity of data access policy, regardless of covered entity, business associate, or other commercial status, the group leaders said.
Beyond HIPAA, during the briefing Wednesday, panelists discussed the success of efforts to share clinical notes with patients during visits, including the successful OpenNotes initiative, and recommended that federal officials look for ways to encourage more providers to share notes with patients through federal policies, such as Medicare and Medicaid payment programs.
“More than two decades after Congress declared access a right guaranteed by law, patients continue to face barriers,” Thomas Payne, M.D., Medical Director, IT Services, UW Medicine, said in a statement. “We need a focused look at both the technical as well as social barriers.”
What’s more, AMIA and AHIMA recommended federal regulators clarify existing regulatory guidance related to third-party legal requests, such as those by attorneys that seek information without appropriate patient-direction.
“HIM professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s PHI,” Harris stated. “We recognize there are necessary circumstances in which a patient has the right and need to direct their health information to an attorney. However, AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient. As a result, the HIM professional is challenged as to whether to treat it as an authorization or patient access request, which has HIPAA enforcement implications
