How HIPAA Has Spurred the Evolution of Health Informatics
In 1996, just as the digital revolution was getting underway, the Health Insurance Portability and Accountability Act (HIPAA) was passed into law.
At the time, Congress recognized that advances in communications technologies would be transforming the healthcare industry, and in particular healthcare data and patient records. HIPAA was intended to protect the privacy of patient medical records and comprehensively overhaul the way healthcare data was stored, processed and transacted on a national level.
Since then, some advances have been made—but on the whole, progress has been uneven.
The question today remains fundamentally the same as it was then: What does HIPAA mean for the expanding field of health informatics (HI)? How do companies develop healthcare technologies that are HIPAA-compliant and that help healthcare providers, clearinghouses and other entities provide streamlined care?
At heart, HIPAA protects Personally Identifiable Information (PII), which includes:1
- An individual’s past or present medical history
- Records of healthcare provided to the individual
- Payment history for healthcare services
Any of the above that identifies the individual or contains information that could reasonably be used to identify them, such as a name, address, birthdate or social security number, is protected information under HIPAA.
PII cannot be disclosed by healthcare providers, insurers, or any clearinghouses or claims processors without patient consent. These organizations can disclose information to each other, but only in the necessary capacity of providing healthcare to the patient.
HIPAA applies to all entities operating in the traditional healthcare sector—such as providers, labs, doctors, and hospital groups—as well as the vendors that providers use.2
What Does HIPAA Mean for Healthcare Information Technology (IT)?
First and foremost, protecting patient data means that encryption must be a part of any healthcare IT solution. Ordinary SMS, video calling and email providers are not secure, since messages go through servers over which medical organizations have no control.3
To determine how communication technologies can exchange patient data securely, HIPAA’s Security Rule outlines several specifications required for compliance.3 Protected Health Information (PHI) in patient records must be encrypted both in transit and in storage.
Further, all medical professionals authorized to access PHI must have a unique identifier, so that every distinct action taken with the PHI can be traced to a specific user. And lastly, any technology used to access PHI must have an automatic log-off, so that an unattended session cannot become unauthorized access to HIPAA-protected data.
Room for Improvement in Healthcare IT
Given that encryption is so important for HIPAA compliance, here are three areas in which encryption could be better integrated into information flow.
The bad news is this: Because many healthcare entities rely on outdated systems or a hodgepodge of different systems and vendors, they are particularly prone to data breaches and attacks.4 Some of them allow anonymous access to File Transfer Protocol (FTP) servers, meaning that users (or hackers) can access PII and PHI without identification.5 This is exactly what HIPAA was designed to prevent.
Ransomware has also become a massive problem for the industry. In a ransomware attack, hackers gain access to PHI and PII and encrypt it, holding it hostage for a payout. And they are on the rise.
One report found that 72% of all malware attacks to healthcare systems in 2016 were ransomware, hurtling from the 22nd most common type of threat to the fifth since 2014.4
In fact, the FBI has issued a series of warnings about healthcare operations’ particular vulnerability to ransomware attacks. The WannaCry ransomware attack in May 2017 devastated healthcare systems in the U.K.6 And in the U.S., it’s a question of not if but when.
So what to do? Storing data locally might seem safer because the data is close at hand, but it doesn’t actually give healthcare organizations greater security.7 What matters more is that data is secured using the strongest possible encryption and that employees are trained in HIPAA compliance and know how to handle PII and PHI. Cloud storage can handle this equally well.
- Secure messaging
One major need for the healthcare industry is secure messaging, so that patients can access their records and speak to their doctors over technologies that are HIPAA-compliant.
Some healthcare systems have begun to implement secure messaging, but the system is not perfect. Some secure patient portals used by major hospitals embed “click to read” buttons in emails sent to patients, which allows them to access test results and other messages from their doctors, but savvy patients are likely to be wary of in-email links, as this is how phishing sometimes occurs.8
From a user experience standpoint, better secure technologies for doctor-patient communication are needed. In addition to better-designed patient portals, another possibility is secure texting. This can be inexpensive to implement since no new hardware would be needed.9 But it would require a healthcare IT company to use its own secure servers and strong encryption.
- Open access
Lastly, there is the question of how to improve patient access to their own records without losing security. This is a technological as well as a cultural problem: Not only do doctors and healthcare providers need to develop and implement best practices for sharing data with their patients, those patients also need to understand their right to access their own records. Requesting medical records is often needlessly complex.
One hospital director has suggested that patient records should be treated the same way that financial trusts are treated. In other words, while healthcare entities manage patient records, they do not belong to those entities; they really belong to the patients themselves.8 This shift in thinking could help shape better policies and technologies moving forward.
OpenNotes is a movement to make patients’ health records accessible to them by encouraging healthcare practitioners to share their notes with patients.10 If the culture can change, the technology will follow.
The Future of Healthcare Records
As much as we believe ourselves to be living in paperless digital times, healthcare systems are not quite there. Patient records are not fully paperless; they can be a mix of paper items as well as files of different types stored in different places.8
The 21st Century Cures Act, passed in late 2016, allows for some funding to help streamline and digitize patient records as part of broader efforts toward “interoperability” (that is, computer systems that work with, instead of against, one another), ideally led by private sector innovation.11
The Act also directs the Office of the National Coordinator for Health IT to facilitate partnerships that enable the interoperability of health records.
In reality, the healthcare field still has a long way to go when it comes to digitizing records and streamlining interoperability. One thing is certain: HI practitioners and tech companies must strike a fine balance between open flow of communication and strengthened security protocols to move healthcare into the future.
Curious about the field of health informatics? Check out Kent State’s online Master of Science in Health Informatics and see what it’s all about.
1 Retrieved on August 31, 2017, from hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
2 Retrieved on September 28, 2017, from cmhealthlaw.com/2017/03/bringing-innovative-technology-to-healthcarewhat-about-hipaa/
3 Retrieved on September 28, 2017, from hipaajournal.com/the-use-of-technology-and-hipaa-compliance/
4 Retrieved on September 28, 2017, from fortune.com/2017/05/15/ransomware-attack-healthcare/
5 Retrieved on September 28, 2017, from fiercehealthcare.com/privacy-security/fbi-warns-cyber-criminals-targeting-healthcare-servers
6 Retrieved on September 28, 2017, from fortune.com/2017/05/15/ransomware-attack-healthcare/
7 Retrieved on September 28, 2017, from healthcareitnews.com/news/how-emerging-cyber-threats-are-transforming-hipaa-landscape
8 Retrieved on September 28, 2017, from healthcaredive.com/news/access-to-patient-records-held-back-by-cultural-and-technical-issues/449623/
9 Retrieved on September 28, 2017, from hipaajournal.com/the-use-of-technology-and-hipaa-compliance/
10 Retrieved on September 28, 2017, from opennotes.org/
11 Retrieved on September 28, 2017, from healthcaredive.com/news/21st-century-cures-act-explained/431491/