HIPAA established the baseline expectations for sharing health information, and data interoperability rules build on it today.
Has any healthcare policy been responsible for more myths than HIPAA? No matter what that chain email says, HIPAA won’t exempt you from mask mandates, nor will it turn your Facebook posts private.
The Health Insurance Portability and Accountability Act is one of the few laws that many people know by its (oft-misspelled) name. HIPAA established that patients are entitled to receive their health records, and it defined what those records are. That same set of records - as of October 2022 - must be electronically shared per anti-information blocking rules.
HIPAA is huge in scope, so we’re narrowly focused on how it changed healthcare information technology.
Before HIPAA, there were no widely accepted set of security standards or even general requirements for the protection of health information in the healthcare sector, which was accustomed to bureaucratic paper processes. When the industry began to transition to electronic records, the potential security risks also increased.
HIPAA required the Department of Health and Human Services (HHS) to develop detailed regulations that protect the privacy and security of patient records. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
With HIPAA’s focus on privacy and security, it might surprise you to learn that the intent of the law, according to HHS, was to “support information sharing”, “enable access”, and otherwise drive data portability. Looking back, we can see that HIPAA only made it possible to share patient data. Actually encouraging data sharing is a process that’s still taking place.
HIPAA’s Privacy Rule applies to covered entities who work with patients (like health plans, clinicians and hospitals) along with their business associates (think lawyers, transcriptionists, and pharmacy administrators). It limits the uses and disclosures that may be made of such information without patient authorization. However, note that patients can do what they want with their own records.
The HIPAA Privacy Rule covers:
HIPAA created the idea of a designated record set. Broadly speaking, a DRS includes medical records, billing data, health plan claims information, and a catch-all: any records that are used by covered entities to make decisions about an individual.
Designated record sets are referenced in laws after HIPAA. For example, the Cures Act now requires entities to share records with patients electronically, not just shared on paper, using HIPAA's definition of records.
HIPAA’s privacy rule establishes three “core health care activities” where providers can share protected health information without seeking consent from a patient.
The three activities are Treatment, Payment, and Healthcare Operations - which are relatively self-explanatory.
Basically, your doctor or health system can, under HIPAA, have access to your information if they are using it to treat you, get payment for services, or improve their internal operations. Otherwise, they are out of luck without your explicit permission. There are exceptions of course, but for most part HIPAA makes it so information is only accessible in specific cases with defined reasons.
These activities are relevant to any entity that wants to obtain healthcare data today. They inform the “Purposes of Use” policies on health information exchanges, which inform who can obtain data.
Most health information network participants err on the side of caution when making their data interoperable, and currently only return data that’s being used by a clinician to provide treatment, instead of sorting out whether or not a patient has permission or an organization is using data for valid healthcare operations needs.
HIPAA gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Under HIPAA’s privacy rule, patients have a right to:
Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing these rights either through voluntary compliance or...civil penalties. Quite large penalties.
The problem with HIPAA and its associated regulations is that while they defined all the rights a patient has, they provided no good way for a patient to actually do any of these things. Have you ever tried to correct your medical records? …Exactly.
HIPAA is ancient as far as health tech is concerned. It was passed in a time when EHRs were basically non-existent. It specifies very little about the format of patient data or how any of this applies to electronic records. Back in the 90s, a provider could comply with HIPAA by faxing thousands of pages to a patient.
More laws, particularly the HITECH Act and 21st Century Cures Act, now overlap with HIPAA to make these rights actionable.
We know what APIs are, and what they do. So why choose an API as a product? APIs have become largely ubiquitous in the tech landscape, and for good reason. While there are alternatives, it's important to understand why we don’t choose them. Check out Part 2 of our three part miniseries on APIs.
Particle Health offers two distinct APIs: C-CDA and FHIR. They both offer the same level of unparalleled access to patient health data, but they differ significantly in how they offer access to that data. Let’s dig into Part 3 of our three part miniseries on APIs.