How HIPAA Influences Interoperability

HIPAA established the baseline expectations for sharing health information, and data interoperability rules build on it today.

Has any healthcare policy been responsible for more myths than HIPAA? No matter what that chain email says, HIPAA won’t exempt you from mask mandates, nor will it turn your Facebook posts private.

The Health Insurance Portability and Accountability Act is one of the few laws that many people know by its (oft-misspelled) name. HIPAA established that patients are entitled to receive their health records, and it defined what those records are. That same set of records - as of October 2022 - must also be shared electronically under the Cures Act's information blocking rules.


Where Does HIPAA Address Interoperability?

HIPAA is huge in scope, so we’re narrowly focused on how it changed healthcare information technology.

Before HIPAA, there was no widely accepted set of security standards, or even general requirements, for protecting health information in a sector accustomed to bureaucratic paper processes. As the industry began the transition to electronic records, the security risks grew with it.

HIPAA required the Department of Health and Human Services (HHS) to develop detailed regulations that protect the privacy and security of patient records. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

  • The Security Rule establishes a national set of standards for health information held or transmitted in electronic form. It sets out the administrative, physical, and technical safeguards that organizations must put in place to secure electronic protected health information (ePHI).
  • The Privacy Rule establishes national standards for the protection of health information. We’ll dive into that below.

With HIPAA’s focus on privacy and security, it might surprise you to learn that the intent of the law, according to HHS, was to “support information sharing”, “enable access”, and otherwise drive data portability. Looking back, HIPAA only made it permissible to share patient data. Actually encouraging data sharing is a process that is still taking place.

HIPAA’s Privacy Rule

HIPAA’s Privacy Rule applies to covered entities that work with patients (health plans, clinicians, hospitals) along with their business associates (think lawyers, transcriptionists, and pharmacy administrators) who handle PHI on their behalf. It limits the uses and disclosures of that information that may be made without patient authorization. Note, however, that patients can do what they want with their own records once they have them.

The HIPAA Privacy Rule covers:

  • What counts as protected health information (PHI), including paper, oral, and electronic records.
  • How PHI should be transferred, received, handled, or shared confidentially and securely.
  • Who has to safeguard PHI.
  • That only the minimum health information necessary for a given purpose may be used or shared between entities (this “minimum necessary” standard does not apply to disclosures to a provider for treatment).

What Info Must Be Accessible - the Designated Record Set (DRS)

HIPAA created the idea of a designated record set. Broadly speaking, a DRS includes medical records, billing data, health plan claims information, and a catch-all: any records that are used by covered entities to make decisions about an individual.

Designated record sets are referenced in laws passed after HIPAA. For example, the Cures Act's information blocking rules define the electronic health information (EHI) that entities must share electronically, not just on paper, in terms of HIPAA's designated record set.

When Info Can Be Shared - Treatment, Payment, and Healthcare Operations (TPO)

HIPAA’s Privacy Rule establishes three “core health care activities” for which covered entities can use and share protected health information without seeking authorization from the patient.

The three activities are Treatment, Payment, and Healthcare Operations - which are relatively self-explanatory.

Basically, your doctor or health system can, under HIPAA, use your information to treat you, get paid for services, or run and improve their internal operations. Outside those activities, they need your explicit authorization. There are exceptions of course, but for the most part HIPAA makes information accessible only in specific cases with defined reasons.

These activities are relevant to any entity that wants to obtain healthcare data today. They inform the “Purposes of Use” policies on health information exchanges, which inform who can obtain data.

Most health information network participants err on the side of caution when making their data interoperable. Today most only return data when the requester is a clinician providing treatment, rather than sorting out whether a patient has granted permission or whether an organization has a valid healthcare operations need.

Patient Rights and HIPAA

HIPAA gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Under HIPAA’s privacy rule, patients have a right to:

  • Ask to see and get a copy of their health records
  • Have corrections added to their health information
  • Receive a notice that tells them how their health information may be used and shared
  • Decide if they want to give permission before their health information can be used or shared for certain purposes, such as for marketing
  • Get a report on when and why their health information was shared for certain purposes

Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing these rights either through voluntary compliance or...civil penalties. Quite large penalties.

The problem with HIPAA and its associated regulations is that while they defined all the rights a patient has, they provided no practical mechanism for a patient to exercise them. Have you ever tried to correct your medical records? …Exactly.

HIPAA is ancient as far as health tech is concerned. It was passed in 1996, when EHRs were rare. It specifies very little about the format of patient data or how any of this applies to electronic records. Back in the 90s, a provider could comply with HIPAA by faxing thousands of pages to a patient.

More laws, particularly the HITECH Act and 21st Century Cures Act, now overlap with HIPAA to make these rights actionable.