The HIPAA privacy rules have been in the news a lot lately. That’s good, but not when it’s for the wrong reasons or based on a misunderstanding of the rules. I’ve been giving HIPAA 101 speeches for 20 years. It is confusing, but here’s the background and the details of how these rules actually work.
It is important to think about these issues in the context of three scenarios: (1) where the HIPAA Rules apply today; (2) where the HIPAA Rules don’t apply, which is increasingly the area of concern and lots of misinformation; and (3) what to do about this issue going forward, whether as part of a national privacy law or otherwise. This debate and discussion is particularly important in any analysis of overall privacy issues because appropriate protection of personal health information is key not only for individuals but also for effective operation of the health care system for the benefit of all individuals and society overall. In fact, the broad range of stakeholders involved in privacy interests for health care make it perhaps the most challenging and interesting part of the overall privacy debate.
What HIPAA Is and Isn’t
There’s understandably lots of confusion today about HIPAA—the confusion is part of the discussion and is pretty widespread, but it is important for the public policy debate to get it right.
The HIPAA Statute—the Health Insurance Portability and Accountability Act of 1996—limited the scope of what eventually became the HIPAA Privacy and Security Rules by law based on things that have nothing to do with privacy and security. Note the single “P” in this title—it stands for portability, not privacy, and was the key concern of the HIPAA statute. Portability involves the ability to take employer-based health insurance with you from one employer when you move to a new job. In the 1990s, when pre-existing condition exclusions were common, portability became an enormous concern because of the impact that the health insurance system was having on movement by employees. But when Congress moved from portability to a second issue involving “standard electronic transactions” in the health care industry (such as claims from hospitals), it defined the overall scope of coverage under the HIPAA rules by deciding who would be subject to portability and standard transactions. That meant that when HHS sat down to write the privacy and security rules, it had no instructions on the substance of those rules—but it was bound on whom it could cover under these rules based on portability and standard electronic transactions. So doctors, hospitals and health insurers were in. Life insurers, workers’ compensation insurers and pharmaceutical manufacturers were out. And this judgment had nothing to do with privacy interests—it simply addressed who was defined to be in scope for these other issues having nothing to do with privacy.
So we knew about some of these gaps at the time. We knew what was in the scope of HIPAA, and some things that were out of scope. Over time, new business activities have emerged that are out of scope. These activities didn’t exist (for the most part) in 1996 but wouldn’t have been part of the plan anyway. The HITECH law—part of the 2009 economic stimulus legislation—made modest scope changes to the HIPAA Rules to wrap in “business associates,” which are service providers to the covered entities. But that’s all HITECH did, leaving these expanding gaps in place. Remember that even these business associates didn’t exist, even conceptually, in the HIPAA statute—they were invented by HHS as a way to try to protect individual health information once it left a covered entity in some circumstances.
So what we have today is a set of privacy and security rules that work really well where they apply—but that don’t apply at all in an increasing range of situations where health information is collected, created and analyzed, including wearables, mobile applications, community and patient support groups, personal health records and a broad array of “consumer directed” health care activities. This is the result of the US approach to privacy law, which focuses on sectors rather than on the information itself. It is different from the GDPR in Europe, for example, where health information is protected regardless of where it is in the system.
So it is fine to be worried or concerned about lots of unregulated health care information. We should address that issue, whether as part of a general US privacy law or otherwise. But that isn’t the law today. The HIPAA privacy rule today applies (generally) to covered entities and their business associates. It is perfectly normal—and commonplace across the entire industry—to use business associates for all kinds of services, subject to a business associate contract and the existing HIPAA rules (now that business associates have direct HIPAA compliance obligations as a result of HITECH). There are lots of situations where HIPAA covered information can “leave” HIPAA protections, but where the disclosures are permitted for various reasons. You can debate those principles—and try to figure out a way to protect this data—but that isn’t what the law provides today.