HIPAA established the baseline expectations for sharing health information, and data interoperability rules build on it today.
Has any healthcare policy been responsible for more myths than HIPAA? No matter what that chain email says, HIPAA won’t exempt you from mask mandates, nor will it turn your Facebook posts private.
The Health Insurance Portability and Accountability Act is one of the few laws that many people know by its (oft-misspelled) name. HIPAA established that patients are entitled to receive their health records, and it defined what those records are. That same set of records - as of October 2022 - must be electronically shared per anti-information blocking rules.
HIPAA is huge in scope, so we’re narrowly focused on how it changed healthcare information technology.
Before HIPAA, there were no widely accepted set of security standards or even general requirements for the protection of health information in the healthcare sector, which was accustomed to bureaucratic paper processes. When the industry began to transition to electronic records, the potential security risks also increased.
HIPAA required the Department of Health and Human Services (HHS) to develop detailed regulations that protect the privacy and security of patient records. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
With HIPAA’s focus on privacy and security, it might surprise you to learn that the intent of the law, according to HHS, was to “support information sharing”, “enable access”, and otherwise drive data portability. Looking back, we can see that HIPAA only made it possible to share patient data. Actually encouraging data sharing is a process that’s still taking place.
HIPAA’s Privacy Rule applies to covered entities who work with patients (like health plans, clinicians and hospitals) along with their business associates (think lawyers, transcriptionists, and pharmacy administrators). It limits the uses and disclosures that may be made of such information without patient authorization. However, note that patients can do what they want with their own records.
The HIPAA Privacy Rule covers:
HIPAA created the idea of a designated record set. Broadly speaking, a DRS includes medical records, billing data, health plan claims information, and a catch-all: any records that are used by covered entities to make decisions about an individual.
Designated record sets are referenced in laws after HIPAA. For example, the Cures Act now requires entities to share records with patients electronically, not just shared on paper, using HIPAA's definition of records.
HIPAA’s privacy rule establishes three “core health care activities” where providers can share protected health information without seeking consent from a patient.
The three activities are Treatment, Payment, and Healthcare Operations - which are relatively self-explanatory.
Basically, your doctor or health system can, under HIPAA, have access to your information if they are using it to treat you, get payment for services, or improve their internal operations. Otherwise, they are out of luck without your explicit permission. There are exceptions of course, but for most part HIPAA makes it so information is only accessible in specific cases with defined reasons.
These activities are relevant to any entity that wants to obtain healthcare data today. They inform the “Purposes of Use” policies on health information exchanges, which inform who can obtain data.
Most health information network participants err on the side of caution when making their data interoperable, and currently only return data that’s being used by a clinician to provide treatment, instead of sorting out whether or not a patient has permission or an organization is using data for valid healthcare operations needs.
HIPAA gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Under HIPAA’s privacy rule, patients have a right to:
The problem with HIPAA and its associated regulations is that while they defined all the rights a patient has, they provided no good way for a patient to actually do any of these things. Have you ever tried to correct your medical records? …Exactly.
HIPAA is ancient as far as health tech is concerned. It was passed in a time when EHRs were basically non-existent. It specifies very little about the format of patient data or how any of this applies to electronic records. Back in the 90s, a provider could comply with HIPAA by faxing thousands of pages to a patient.
More laws, particularly the HITECH Act and 21st Century Cures Act, now overlap with HIPAA to make these rights actionable.
Synthetic data lets developers use artificial patient data that’s generated with statistical realism, and free from sensitive protected health information.
The most full-featured health record API is developer-friendly and promoted by the US government.
What is an API? The answer to what an API does seems pretty obvious, at first glance. However, what an API actually is can be sometimes misunderstood, so we've put together this high-level technical overview to help you better understand both what Particle's API is, and what our API does.