HIPAA: At what cost?

September 9, 2019

Medicine needs to learn from Amazon that privacy has a price

Amazon.com, on Prime Day this year, announced that customers would be given a $10 credit if they agreed to let Amazon track their browsing data and use these data in the marketing of services or products that may be completely unrelated to those purchased from Amazon. An astonishing 7 million people agreed to the price and handed over their browsing privacy. The logic is simple: privacy has a value to both consumers and businesses. What would healthcare costs look like if healthcare systems offered $10 to every patient who opted out of HIPAA?

In the United States, federal law requires that healthcare information be highly guarded at substantial costs to the healthcare community and taxpayers. HIPAA was enacted in 1996 to ensure insurance coverage for employees (and their families) when they change jobs by preventing disclosure of certain medical information to insurance companies through its privacy rules and security rules. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act substantially expanded the HIPAA privacy and security rules and increased penalties for HIPAA violations.

To cope with the expanded HIPAA obligations, healthcare systems have employed an ever-increasing number of compliance officers and deployed sophisticated technology to safeguard access to individual healthcare information. At the time of implementation, the Department of Health and Human Services (HHS) estimated that HIPAA would initially cost healthcare systems approximately $113 million, with subsequent maintenance costs of $14.5 million per year. The actual costs of HIPAA compliance are estimated at closer to $8.3 billion a year, with each physician on average spending $35,000 annually on health information technology upkeep. The true costs, however, are unknown and buried under layers of purportedly necessary bureaucracy. These costs do not account for the added stress inflicted upon healthcare clinicians and patients struggling to give each other access to important and necessary healthcare information.

Over the years, HIPAA has become something of a “hippo”. From a distance, hippos often appear to be innocent snouts sticking up out of the water, just as HIPAA seems to have an innocuous purpose. But upon closer inspection, the average hippo is a 3,300-pound behemoth that consumes 150 pounds of grass a day and does very little. Just like hippos, HIPAA’s footprint is massive and its upkeep substantial, with few tangible benefits. During implementation of the HITECH Act, HHS claimed that patient privacy is priceless. But compliance with HIPAA privacy rules does have a price: HIPAA has contributed to the unsustainable rising costs of healthcare and to the lack of interoperability. HIPAA has impeded communication about risks to the public, contributed to inefficient care of patients by limiting physician communication, deterred medical research through the high costs of compliance, and stolen physician time from patients.

HIPAA has also made it much harder for physicians and patients to work with innovators to advance healthcare technology. For example, if a company developed a smart computer algorithm to improve virtual physician-patient visits and wanted to test the algorithm, extensive paperwork would be needed because the company would have access to protected health information during deployment of the algorithm and the test period. Because clinical data within electronic health records contain protected health information, they cannot be shared with third parties, including researchers and innovators, without expensive infrastructure to protect against accidental disclosure of health information. Patients, physicians, and others in healthcare have complained about outdated healthcare technology, but the lack of easy access to healthcare data is a major barrier to advancement.

One solution would be to reassess the cost-benefit analysis that once justified HIPAA and to scale back patient privacy protections. HHS, in April 2019, did just that. To promote interoperability of electronic health records, HHS issued Draft 2 of the Trusted Exchange Framework and Common Agreement (TEFCA) for public comment and a final version is in progress.

But a better test of the value of HIPAA would be to place the decision about privacy in patients’ hands by creating an opt-in regime. If patients valued their privacy, they could choose to opt into HIPAA protections, unless there was a pressing safety or public health issue. We would then quickly find out that most folks would likely choose not to exercise the option, because most people do not place a high value on medical privacy.

Another way to make the same point would be to create an opt-out regime for HIPAA in which hospitals could emulate Amazon and offer a $10 payment to customers opting out of HIPAA privacy protections. We know that price was more than enough for the 7 million Amazon customers who have already given Amazon full rights to their browsing data. This outcome would likely be even higher if healthcare systems had the opportunity to educate patients about the benefits of being able to share healthcare information more freely.

The plausibility of this solution is illustrated by most individuals’ internet usage. Consumers always have a choice about whether to accept or reject cookies when they use a given website, and a small minority choose to opt into the privacy protections by not accepting cookies. However, most people are willing to forgo these protections in favor of facilitating ease of access to websites. Creating a similar choice for HIPAA would dramatically change the compliance burden on healthcare systems and make it much easier for medical information to be shared in order to improve healthcare provisions for patients and to advance healthcare technology.

No one will argue that privacy is important, but when protection of individual privacy contributes to unsustainable cost burdens or becomes the source of public harm, we must reassess the societal costs and strike a different balance.

Kim-Lien Nguyen, MD, is an assistant professor of medicine at the David Geffen School of Medicine at UCLA and a practicing cardiologist. The views expressed are those of the author.