[ Thursday, July 16, 2015 ]
Good News, HIPAA's designed to do just that
Jeff [2:47 PM]
: John Halamka (
primary draftsman of the original HIPAA regulations
Beth Israel Deaconess CIO) and Deven McGraw (current OCR Deputy Director for Health Information Privacy) have jointly penned a commentary at AHRQ
warning against overly-zealous PHI protection that prevents proper data transfers (to other providers and caregivers) or jeopardizes care (when data protection efforts prevent legitimate patient identification or cause mis-identification).
Covered Entities sometimes hide behind HIPAA and refuse to share data when it can be and should be shared. Sometimes there's an underlying commercial reason to resist data sharing; the current issue of EHR non-interoperability is a good example of that. Sometimes it's well-intentioned overzealousness. Most of those incidents involve someone misconstruing HIPAA's restrictions, and it's led some critics to say that HIPAA needs to "keep up with the times."
As John and Deven point out, though, "HIPAA's framework may need to flex and bend to meet the needs of a new health data ecosystem." The good news is that HIPAA's original and current framework do just that. What's reasonable and appropriate, what's the minimum necessary amount of PHI, what technology is safe and appropriate, and what safegaurds are reasonable all change with the circumstances, including changing technological capabilities, risks, protections, and options.
HIPAA's technological neutrality, scalability, and reasonableness standards ensure that it's always up to date. Be safe, keep your data secure, and err on the side of protecting data, but don't harm your patients or hinder the delivery of healthcare to them. If you think you can't share data, double check that impulse, particularly if there might be an ulterior motive for refusing to share the data.
UPDATE: I brainfarted and conflated John Halamka with John Parmagiani. Fixed above; in the words of my former governor, Oops.
Blogger: HIPAA Blog - Edit your Template