Panel discusses ongoing HIPAA challenges

BOSTON—HIPAA wasn’t crafted to address the volumes of data now in the healthcare system. That was the opinion of panelists during a session at the 2015 Connected Health Symposium, held by Partners HealthCare.

HIPAA was intended to provide portability of medical records, said Mario Gutierrez, MPH, executive director of the Center for Connected Health Policy. But trust is important for successful care, he said. For example, workplace wellness programs are growing in popularity and when people sign up they trust their employer. But, in many cases, the information is being sold for marketing purposes.

The government’s approach and controls are slow, said Gutierrez. “We are trying to keep up with the changes with the volumes of data generated but it really gets down to behavior.” Many times breaches happen because of carelessness.

As a technology entrepreneur, David Albert, MD, said his companies take privacy very seriously. “If I don’t have trust, I don’t have a business. There’s legal trust and then there’s business trust. I generate data that hopefully will help you in your personal care.”

The data his companies collect is very valuable, Albert said. “We have an obligation beyond HIPAA to keep that information as private and confidential as possible. At the same time, we want to utilize anonymized data to improve what we offer. It’s a balance and we fight that balance every day to protect our business and the privacy of people’s data.

People are trying to steal healthcare data because it’s valuable, said Jordan Shlain, MD, primary care physician and founder of Healthloop. His company came up with the idea to send out one-question emails asking patients whether they feel worse, better or the same. “I was convinced it would increase our liability.” His malpractice company did an analysis and found that it actually decreased liability, he said. “The more communication, the happier patients are. Now, they’re offering discounts to people who use our service.”

Providers and consumers alike have to make some compromises, said Gutierrez. “In this day and age, people expect their information will be hacked. Information is shared in many different ways.”

Healthcare has largely left privacy to the terms and conditions vehicle although there’s a question as to whether that’s adequate, said Jennifer Geetter, partner at McDermott, Will & Emery. “We don’t have a consensus about what should be happening with companies in the privacy sector.”

Even free apps aren’t free she said, because they are powered with our data. Users are making a transaction but do they understand that? “Maybe,” she said, “but there’s a gap in how we are navigating the landscape and how it actually works.”

There also isn’t a unifying government actor that can push this forward, Geetter noted.

There’s a real value in using data for population health trends, Gutierrez pointed out. “It’s a valuable source of information so we need to find a balance.”

“At the end of the day, we want our data available whenever, wherever,” said Geetter. “Data is powerful. Information aggregated and understood will help keep us healthier but we’re really struggling to have an honest, thoughtful public policy discussion. We’re going to have to make choices and own those choices.”

Shlain shared his experiences with protecting patients’ privacy even though they were in a life-threatening situation. Rather than breach privacy, “my patient died with his privacy intact. That’s what’s going on right now. We’re not sharing important information because we’re worried the compliance guy is going to come down on me. Then bad things happen.”

Regardless of its original intentions, HIPAA remains challenging. HIPAA follows the entity, not the data, said Geetter. “That’s really, really challenging for everyone to understand.”

And, “HIPAA is only as good as it’s being enforced at the microlevel,” said Gutierrez. Bring your own device are other scenarios are simple but corrupting elements and are where a lot of breaches occur.