top of page
  • Writer's pictureNMSG

Is HIPAA Dead?

Updated: Jan 14, 2020

Startups and larger tech-companies all want your healthcare information. And it's only a matter of time before they figure out how to get it. The question is, how much control will you have over your data by the time they do.

A Brief History

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the "privacy" and "security" of 'certain' health information. In order to do this, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule (or Standards for Privacy of Individually Identifiable Health Information) establishes national standards that protect 'certain' health information.

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establishes national security standards that protect certain health information held or transferred in electronic form. This rule implements protections found in the Privacy Rule by prescribing technical and non-technical safeguards organizations known as “covered entities” must have in place in order to secure individuals’ “electronic protected health information” (e-PHI). However, the environment and tech-landscape in which HIPAA was passed has changed appreciably, and today what actually happens in practice looks a whole lot different.

Current Environment

Hospital executives today are inundated with requests of all kinds from companies who say they want to make medical records more "searchable". Upon closer inspection, this usually turns out to mean an arrangement of some sort that materializes in a product-service business model where patients health data is turned into profit -- fetching as much as $1,000 per record. According to some executives, this is already happening in numerous different ways, especially if a provider's financial position is in dire straits. Tech companies and other whole industries have already made inroads in this regard. Flatiron Health, a Google-backed health-tech company, partners with health systems where it processes patient data, analyzes it for insights, then sells to big pharma.

IQVIA, on its website has said that "it has access to more than 600 million patient records globally that are non-identified, much of which it accesses through provider organizations." Typically, data from health systems is stripped of characteristics that could be used to identify individual patients, like Social Security numbers and dates of service, before it gets shared -- in practice however, things look a whole lot different. According to a group of European researchers, they claim the ability exists to "correctly identify 99.98% of Americans in de-identified data-sets using 15 demographic attributes". Similarly, a study done by Carnegie Mellon University from 2000 illustrated how anonymized U.S. census data could identify individuals just by combining key characteristics: such as 'city of birth' and 'current ZIP code'.

Ramifications and Ways Forward

According to reporting from NPR and ProPublica, nothing would prevent health insurers from using this data to figure out what a potential customer might cost them in order to justify higher premiums. Tech companies such as Google, Fitbit, Apple, Amazon and Facebook already have access to a treasure trove of information about you that is used for their own internal operations. But what happens when they combine their data-sets with those from various third-party healthcare providers? Simply put, until the legislative cavalry arrives, it is up to us to ensure that our Healthcare providers (doctors, dentist, hospitals and clinics) are all protecting the last greatest asset left: our personal healthcare information.

If you are a physician or IT administrator thinking about ways to add extra security around critical (e-PHI), click here to get started.




93 views0 comments

Recent Posts

See All
bottom of page