Ready for HIPAA to be replaced. Let the work begin.
Today in health IT, we are going to look at HIPAA and the quest to replace the aging privacy regulation. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health leaders: Gordian Dynamics, Quill Health, Tausight, Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today.
All right. We have a webinar coming up. Just want to make you aware of it: Owning Cloud in Your Organization. We're going to be talking to two organizations that have moved their EHR workloads into Microsoft Azure, and what they learned, what they went through, how they got it approved, and how they made the move successfully. So if you want to be a part of that, February 24th, 2022, 1:00 PM Eastern time, you can sign up on our website, thisweekhealth.com. It is right there on the right side of the page.
All right, let me get to the article. There's so many articles on this. I'm going to go to this one, hipaaguide.net. But you haven't heard of that one yet. So here we go: Legislation Introduced to Start the Process of Modernizing U.S. Health Data Privacy Laws.
This was from February 14th. The Health Insurance Portability and Accountability Act, HIPAA, is more than 25 years old, and it was more than 20 years ago that the HIPAA Privacy Rule was added to limit uses and disclosures of healthcare data and better protect patient privacy. That was the intention. Changes to the Privacy Rule have now been proposed and are expected to be finalized later this year. But even these changes will not address regulatory privacy gaps which could threaten the confidentiality and privacy of sensitive health data. One of the main issues with HIPAA is it is not a universal law covering all health data, only health data collected, used, stored, and transmitted by healthcare providers, health plans, and healthcare clearinghouses and their business associates. HIPAA does a good job at making sure safeguards are in place to protect patient privacy with respect to these entities, but it does not cover many of the emerging technologies that interact with health data, such as health apps and wearable devices.
While that's true, I will say that the health systems are starting to use anonymized data to create billion-dollar entities. So they have recognized that there's gold in that data, and they are starting to utilize it to create entities that are billion-dollar entities. And quite frankly, me as an individual who has my anonymized data in several data stores: my data's in Truveta, my data's in IBM's data store. I'm sure it's in others that I haven't even thought about yet, and being used for the good of mankind for the most part. But at the end of the day, other people are really making a ton of money, making a significant amount of money from my data, amongst others.
It goes on. Health apps collect health data that would be covered by HIPAA if the health apps were used or provided by a HIPAA covered entity or business associate, but in most cases, the health data collected, stored, and transmitted by those apps and new technologies is not protected by the same stringent privacy and security controls. Further, regulatory changes have made it easier for patients to request their health information be transmitted to unregulated health apps by their healthcare providers, potentially placing the information at risk.
Okay. So the government is going to help make sure that we don't hurt ourselves. And we request our data. It goes into these entities that may or may not be trustworthy. I know that Apple is probably the biggest one that falls into this category. We request our data from a health system, and it goes into the Apple repository. We feel pretty good about Apple. Apple sort of has hung out their shingle on the privacy game, and they, more than any other player out there in the big tech world, seem to be really living it and providing the consumer the kind of protections that we want.
But that's not who we're concerned about here. We're concerned about any other person that might come up with an app that you start to transmit the data to. They're not covered. The government doesn't really have a law or any regulation around privacy with regard to that.
Bipartisan legislation has now been introduced in the U.S. that aims to modernize HIPAA and other health data privacy laws to better protect the privacy of health data. Modernizing U.S. privacy laws to account for changes in technology is unlikely to be a quick process, but it is important to get that process started, hence the introduction of the Health Data Use and Privacy Commission Act. I'm going to keep going on. The Health Data Use and Privacy Commission Act was introduced by a senator out of Louisiana and a senator out of Wisconsin, home of Epic, and aims to start the modernizing process by forming a commission to analyze current health data privacy laws and then make recommendations on how to better protect health data, whether that is through updates to current legislation, the introduction of new legislation, or to address the privacy gaps using non-regulatory measures.
"As a doctor, the potential of new technology to improve patient care seems limitless, but Americans must be able to trust that their personal health data is protected in order for this technology to meet its full potential," said Dr. Cassidy. "HIPAA must be updated for the modern day. The legislation starts this process on a pathway to make sure that it is done right."
The Health Data Use and Privacy Commission Act calls for the Comptroller General to appoint commission members. They will be given six months to analyze current laws and make recommendations to Congress on the best way to reform, streamline, harmonize, unify, and augment current laws and regulations relating to individual health privacy. In addition to identifying regulatory privacy gaps and suggesting potential changes, the commission must also provide an estimate of the costs of making changes to the health data privacy laws, identify any burdens the proposed changes would place on tech firms and healthcare organizations, and any unintentional consequences from stricter privacy laws, including if the changes may threaten health outcomes. The legislation has attracted strong early support from healthcare groups and tech firms, with the Federation of American Hospitals, College of Cardiology, National Multiple Sclerosis Society, Association of Clinical Research Organization, IBM, and Epic Systems among many voicing their support for the Health Data Use and Privacy Commission Act. All right. So,
there are some cynics out there. Here's a LinkedIn post, and it says: This is great news. However, I'm concerned about the names of some of the supporters, as they seem to be in direct contrast to the stated concerns. IBM is one of the supporters. I recognize the importance of all stakeholders collaborating to achieve a mutually agreeable common ground. However, IBM just sold a database of 270 million patient records (of which I'm one of those records, or probably five of those records, if I thought about it) to a private equity firm for $1 billion. Someone kindly explain and educate me on how they are fit to advocate for the patient and consumer privacy preferences and data uses. Isn't this a conflict of interest?
It goes on to talk about Epic and has a similar comment that is not kind to Epic in their support of this as well. And it goes on from there as well. I mean, there's a bunch of stuff in here. But at the end of the day, here's my "so what" on this. You have the lobbying efforts of healthcare, you have the lobbying efforts of big tech, and you have the lobbying efforts of the pharmaceuticals, the insurance industry. But who's lobbying for the individual? Who's lobbying for me? Who's lobbying for you as the individual patient, not necessarily your employer, but for you as the individual patient? At the end of the day, you know how hospital systems aren't going to want to come down on this, because they have now finally figured out how to make billions of dollars from the data that they've been collecting for years.
Big tech is not going to want this privacy to take hold, because one of their biggest revenue streams is data. Right? And so I think one of the people who gets cheated here is the individual. I have been a huge proponent of patient-centric interoperability, and I take it to the nth degree here. And I'm going to go through it one more time, which is: I believe I should own my medical record, and it should come to me, the record about me. So if I go to a hospital system, I see a doctor, when I leave there, it should be transmitted to my phone. I should be given the option of having it deleted from the health system's computer. And that's where I lose people. A lot of times we're like, "Oh, what about the good of mankind?" Look, I'm going to get my record to a lot of different agencies that I think are doing great research, but it's really my choice, right? Record about me, my choice.
And I understand why this is hard to get your arms around, for a lot of reasons. Not everybody has a phone. I hear that. What about if you get injured and your phone's not with you? Like, we saw these problems. These are not hard problems to solve from IT, from that perspective.
If I'm injured, we have break the glass. They could go into whatever repository that we have out there, or whatever mechanism is set up. It's sort of the 911 of patient data. And quite frankly, my records could be more complete because I keep amassing a bigger record. What about the people without phones? Well, there are repositories, and we can solve that problem by having public access data repositories for those patients who want to avail themselves of this kind of thing.
I think the other thing you'll see is that the intake process becomes a lot quicker and a lot easier. And then there's just a whole host of things, I think, that can be designed around patient-centric interoperability that work. I understand why it doesn't work in 49 states. The patient doesn't own the record. So essentially, what we're saying is that the hospital should give up the record that they created to the patient, even though the patient doesn't technically own it. But if we want to engage patients, the patients are going to need that data, and they're going to need to engage with whatever fiduciary they want, healthcare fiduciaries that are going to help them with their health and their wellness and their social services and their diet and their exercise and all the things that attribute to health, and potentially their education. Right? So there's a lot of value to be gained by putting this information in the hands of the individual.
And I also believe that, to a certain extent, it feels like my trust has been violated, that my record is being used to create billion-dollar transactions within healthcare, and I have not been consulted or talked with about that. And quite frankly, I am the powerless healthcare user. I don't even know who to call at IBM or Truveta to say, "I don't want my record in your system anymore."
And I'm not sure they would take it out, even if I did call. So that's my 2 cents on that. But in terms of taking this policy up, you know, kudos, they should take it up. It will be a significant battle between the entities that have money and have the lobbying efforts on the Hill, but at the end of the day, this thing does need to be updated. If nothing else, it needs to be understood. There are so many areas where HIPAA is completely misunderstood. I sat in several, had several conversations, a couple of meetings here and there, where people would say things and they'd say, "You know, that's covered under HIPAA," and I'd look at it, and I'm like, "No, no, it's not." As the CIO, I had to really understand HIPAA. We need to educate people better on what it just means. So from a start standpoint, begin with the end in mind: you want everyone to be able to understand what is covered and what it's about and how that data gets moved from point A to point B successfully and in compliance with the law that it's trying to uphold.
All right. I know I rambled a little bit, but anytime you talk regulatory, you ramble a little bit. That's all for today. If you know someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher.
You get the picture. We are everywhere. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: Gordian Dynamics, Quill Health, Tausight, Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.