How HIPAA Myths Block Data Exchange
Former ONC Policy Leader Jodi Daniel Highlights Need to Overcome Misperceptions
Overcoming misperceptions about the HIPAA Privacy Rule will prove vital to achieving nationwide, secure health data exchange, says attorney Jodi Daniel, who until recently helped develop federal policy.
One of the biggest challenges in easing the exchange of patient data to help improve treatment "is folks understanding when they can share information, when that's consistent with the HIPAA Privacy Rule, as well as state laws, which may vary from state to state," says Daniel, former policy director at the HHS Office of the National Coordinator for Health IT.
Daniel recently left the Department of Health and Human Services after a 15-year tenure to become a partner at the Washington law firm Crowell & Moring.
"The [HIPAA] privacy rule was designed to enable sharing of information for payment, treatment and healthcare operations purposes, but ... there are still providers nervous about sharing information, even for treatment purposes," she says in an interview with Information Security Media Group.
"There are some electronic health record vendors and others that are trying to make solutions available to support interoperability, to support health information exchange, but I've heard some reports that they are facing challenges from [healthcare] providers who are concerned about violating HIPAA."
And some healthcare providers don't realize that HIPAA allows them to share information with health information exchange organizations, she notes. "So the misunderstanding and confusion about HIPAA, I believe, are often raised as a barrier to the proper exchange of health information," she says. "If we can find ways to help clarify what is permitted, when information can be appropriately shared, when the consumer or the patient has the ability to access that information, and use it for their own benefit, I think we will be able to overcome some of those policy and operational challenges to interoperability."
EHR interoperability and secure health information exchange have been key areas of focus for federal regulators as well as members of Congress. That's because more than $30 billion has been spent so far on HITECH Act incentive payments to hospitals and physicians for making "meaningful use" of EHRs, and Congress has been examining whether taxpayers are getting a return on this investment, such as through easier exchange among clinicians of all relevant data about a patient.
By improving EHR interoperability so that patient data can be securely exchanged among healthcare providers nationally, treatment outcomes, as well as patient safety, can potentially be improved. To help address the topic, ONC also recently issued a 10-year roadmap outlining its vision for interoperable, secure health information exchange (see Analyzing ONC's Interoperability Roadmap).
HIPAA Security Rule
Although some have argued for updating the HIPAA Security Rule, which was written before the dawn of sophisticated cyberattacks in the healthcare sector, Daniel contends the rule doesn't need to be revised.
"A key piece of the security rule, as I see it, is the security risk assessment, which is something that's required. If folks do these risk assessments, and do them well, then they can continually adapt their security practices, policies and technologies to reflect new risks as well as new capabilities and technologies that are available to mitigate those risks."
In the interview, Daniel also discusses:
- The most pressing privacy and security issues facing the healthcare sector;
- Cybersecurity predictions for the healthcare sector in 2016;
- The projects she's working on at Crowell & Moring.
As a partner in Crowell & Moring's Washington office, Daniel is a member of the firm's healthcare group, where she provides strategic advice to clients navigating the legal and regulatory environments related to technology in the healthcare sector. Daniel just concluded a 15-year career at HHS, including a decade at ONC, where she helped lead health information privacy and security policy development.