HIPAA Modernization Needed, Experts Say

Wednesday, December 5, 2018

AMIA, AHIMA issue joint recommendations to modernize document-centric HIPAA for data-centric world

(WASHINGTON, DC) — Modernization of the 22-year-old Health Insurance Portability and Accountability Act (HIPAA) would improve patients’ access to their health information and protect their health data in a burgeoning app ecosystem, said experts from American Medical Informatics Association (AMIA) and American Health Information Management Association (AHIMA) at a briefing on Capitol Hill today. The briefing included a panel of health informatics and health information management experts discussing how federal policies are impacting patients’ ability to access and leverage their health data.

The session, “Unlocking Patient Data – Pulling the Linchpin of Data Exchange and Patient Empowerment,” noted that access to information and the ability to integrate and use information has changed how individuals book travel, find information about prices and products, and compare and review services. Despite these advances, healthcare has not been able to create a comparable patient-centric system.

“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” said AMIA President and CEO Douglas B. Fridsma, MD, PhD, FACP, FACMI. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”

“AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape,” said AHIMA CEO Wylecia Wiggs Harris, PhD, CAE. “The language in HIPAA complicates these efforts in an electronic world.”

Specifically, AMIA and AHIMA recommend that policymakers modernize HIPAA by either establishing a new term, “Health Data Set,” which includes all clinical, biomedical, and claims data maintained by a Covered Entity or Business Associate, or by revising the existing HIPAA “Designated Record Set” definition and require Certified Health IT to provide the amended DRS to patients electronically in a way that enables them to use and reuse their data.

A new definition for “Health Data Set” would support individual HIPAA right of access and guide the future development of ONC’s Certification Program so individuals could view, download, or transmit to a third party this information electronically and access this information via application programming interface. Alternatively, a revision of the current DRS definition would provide greater clarity and predictability for providers and patients.

The groups also noted that a growing number of mHealth and health social media applications that generate, store, and use health data require attention as part of a broader conversation regarding consumer data privacy.

AMIA and AHIMA said that Congress should “extend the HIPAA individual right of access and amendment to non-HIPAA Covered Entities that manage individual health data, such as mHealth and health social media applications. The goal is uniformity of data access policy, regardless of covered entity, business associate, or other commercial status.”

Beyond HIPAA, panelists discussed the success of efforts to share clinical notes with patients during visits, including the successful OpenNotes initiative, and recommended that federal officials look for ways to encourage more providers to share notes with patients through federal policies, such as Medicare and Medicaid payment programs.

“More than two decades after Congress declared access a right guaranteed by law, patients continue to face barriers,” said Thomas Payne, MD, FACP, FACMI, Medical Director, IT Services, UW Medicine. “We need a focused look at both the technical as well as social barriers.”

Additionally, AMIA and AHIMA recommended federal regulators clarify existing regulatory guidance related to third-party legal requests, such as those by attorneys that seek information without appropriate patient-direction.

“HIM professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s PHI,” said Harris. “We recognize there are necessary circumstances in which a patient has the right and need to direct their health information to an attorney. However, AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient. As a result, the HIM professional is challenged as to whether to treat it as an authorization or patient access request, which has HIPAA enforcement implications.”  

For more on the briefing and for additional resources, click here.

###

AMIA, the leading professional association for informatics professionals, is the center of action for 5,500 informatics professionals from more than 65 countries. As the voice of the nation’s top biomedical and health informatics professionals, AMIA and its members play a leading role in assessing the effect of health innovations on health policy and advancing the field of informatics. AMIA actively supports five domains in informatics: translational bioinformatics, clinical research informatics, clinical informatics, consumer health informatics, and public health informatics.

The American Health Information Management Association (AHIMA) represents more than 103,000 health information professionals in the United States and around the world. AHIMA is committed to promoting and advocating for best practices and effective standards in health information and to actively contributing to the development and advancement of health information professionals worldwide. www.ahima.org