HIPAA and Protecting Health Information in the 21st Century
Faculty Director I. Glenn Cohen has co-authored a new opinion piece in JAMA that addresses the adequacy of HIPAA in protecting electronic health data in light of the launch of the Trump administration's new MyHealthEData initiative. From the piece:
In March 2018, the Trump administration announced a new initiative, MyHealthEData, to give patients greater access to their electronic health record and insurance claims information. The Centers for Medicare & Medicaid Services will connect Medicare beneficiaries with their claims data and increase pressure on health plans and health care organizations to use systems that allow patients to access and send their health information where they like.
MyHealthEData is part of a broader movement to make greater use of patient data to improve care and health. The movement seeks to make information available wherever patients receive care and allow patients to share information with apps and other online services that may help them manage their health. At the population level, this approach may help identify optimal treatments and ways of delivering them and also connect patients with health services and products that may benefit them. Analysis of deidentified patient information has long been the foundation of evidence-based care improvement, but the 21st century has brought new opportunities. With developments in information technology and computational science that support the analysis of massive data sets, the “big data” era has come to health services research.
For all its promise, the big data era carries with it substantial concerns and potential threats. Part of what enables individuals to live full lives is the knowledge that certain personal information is not on view unless that person decides to share it, but that supposition is becoming illusory. The increasing availability and exchange of health-related information will support advances in health care and public health but will also facilitate invasive marketing and discriminatory practices that evade current antidiscrimination laws.2 As the recent scandal involving Facebook and Cambridge Analytica shows, a further risk is that private information may be used in ways that have not been authorized and may be considered objectionable. Reinforcing such concerns is the stunning report that Facebook has been approaching health care organizations to try to obtain deidentified patient data to link those data to individual Facebook users using “hashing” techniques.
Given these concerns, it is timely to reexamine the adequacy of the Health Insurance Portability and Accountability Act (HIPAA), the nation’s most important legal safeguard against unauthorized disclosure and use of health information. Is HIPAA up to the task of protecting health information in the 21st century?
Read the full article!