The adoption of electronic health records (EHRs) presents doctors with a dilemma when it comes to protecting patient health data.
On the one hand, Medicare provides incentive payments for meaningful use of EHRs, which requires doctors to capture, store and securely share protected health information with their patients and other providers. On the other, HIPAA makes healthcare providers accountable for keeping protected health information (PHI) confidential, delivering hefty fines for those who fail to comply.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 raised the maximum civil fine per violation to $50,000 from $100, and the annual cap for all violations of a single provision climbed to $1.5 million from $25,000. Criminal penalties range from $50,000 to $250,000, with up to 10 years in prison, depending on the degree of culpability.
Fear of being fined is frequently cited by the healthcare community as a leading barrier to EHR interoperability--the ability to exchange and interpret patient health data electronically.
“HIPAA is a great example of the federal government at work where the intention is good, but the outcome in many instances is very bad,” says Michael Mirro, MD, a cardiologist in Fort Wayne, Indiana, and past chair of the American College of Cardiology’s Informatics and Health IT Task Force. “It strikes fear in the heart of every healthcare worker because they know that even an inadvertent breach can cost them their job.”
According to Mirro, HIPAA and EHR interoperability are fundamentally at odds. But policymakers suggest HIPAA isn’t the problem.
“HIPAA rules and EHR interoperability work very well together actually,” says Lucia Savage, chief privacy officer for the Office of the National Coordinator for Health Information Technology (ONC), a division of the U.S. Department of Health and Human Services. “We know providers are out there trying to do the right thing, but there is a lot of confusion and misunderstanding about privacy laws.”
In its 2015 report to Congress, the ONC says complaints and anecdotal evidence suggest that some health IT developers intentionally block or limit the availability of information for competitive gain, charging fees designed to deter connectivity or exchange with competing technologies or services.
Healthcare providers have also been accused of information blocking, the report found, with some hospitals or health systems allegedly seeking to control referrals and enhance their market dominance, despite their claims that they actually constrain access to comply with privacy laws.
To dispel misconceptions about HIPAA limitations and help achieve interoperability, the ONC recently released a “roadmap” to coordinate the exchange of electronic protected health information among hospitals, health plans and providers. It clarifies HIPAA rules, and sets specific goals to catalyze collaboration between the public and private sector.
The Centers for Medicare and Medicaid Services (CMS) notes, too, that HIPAA does not say “don’t share data.” “In fact, HIPAA largely deals with how to protect data in order to be able to share it in many different ways without infringing on the patient’s privacy,” the agency said in a statement, adding that HIPAA also requires providers to share data with patients upon request. “Not only do these things not contradict one another, they go hand in hand and are inherently related,” CMS says. “Using technology to share data can allow for a whole range of potential protections and security around the movement of data and the storage and encryption of ePHI in ways that paper records and transmissions may not.”
Marla Durben Hirsch, JD, a health law attorney for 30 years and editor of The Health Law Journal, says that the privacy rules do not themselves create roadblocks to interoperability, noting that HIPAA allows sharing of information for treatment, payment and operations without patient authorization. But there are logistical questions that might. She cites the example of a provider who shares patient data with a health information organization, and the organization then suffers a data breach. “Who is obligated to notify patients, HHS and the media about the breach and mitigate damages?” she asks. “How much control should a patient have regarding the sharing of his or her information? And who owns the data once it’s been shared?”
Such questions complicate the debate. “The bottom line is that the technology is outpacing the law,” says Hirsch. “No one envisioned in 1996 when HIPAA was first enacted, or even in 2009, when HITECH amended HIPAA, how advanced technology would become, how much more difficult it would be to keep data secure, or the massive data breaches and security risks we’re seeing today.”