The healthcare industry cannot rely on HIPAA alone to ensure patient privacy, wrote Lucia C. Savage, chief privacy and regulatory officer at digital health company Omada Health, in an op-ed for Health Affairs July 5.
Ms. Savage noted the healthcare landscape has changed in the 22 years since HIPAA was enacted in 1996. Today's gaps in patient privacy don't derive from HIPAA, but from "the patchwork" of healthcare privacy rules outside of HIPAA.
"When we think about the task of protecting health information in the 21st century, I do not think it is HIPAA that needs reexamining," she wrote. "Rather, we need an appropriately thoughtful and comprehensive discussion of how best to regulate health information wherever it is collected."
Here are two examples Ms. Savage, a former chief privacy officer at the ONC, outlined as patient privacy issues worth consideration that fall outside the realm of HIPAA:
1. Social media. HIPAA prohibits hospitals from disclosing identifiable health information to a social media company for their business purposes, but the regulations are more lax should a hospital be interested in contracting with a social media company as an analytics vendor for healthcare operations.
As an example, Ms. Savage discussed Facebook's now tabled healthcare project, in which the social media giant had asked several U.S. hospitals to share anonymized patient data for a research project.
"But what if Facebook did in fact carry out such a plan?" Ms. Savage wrote. "There is some irony in that the nationwide protections from HIPAA apply to how the hospital uses data but do not apply to how the social media company uses data."
2. The role of states. States have "wide leeway" to enact healthcare privacy laws for their populations, according to Ms. Savage. For example, these additional laws tend to focus on protecting residents from health status discrimination by adding barriers to ensure the privacy of data related to patients' mental illness or HIV status.
Ms. Savage highlighted that federal law, including HIPAA, does not preempt many of these local regulations.
"This wide diversity in state law is a barrier to nationwide health information exchange. It also results in confusion by medical professionals and hospitals, consumers and even lawmakers," she wrote.
To access Ms. Savage's op-ed, click here.