Major Changes to Health Data Privacy Proposed--And Why Everyone Should Care

The average person can be forgiven for not paying attention to healthcare policy. It's verbose and filled with legal terms. In addition, with the news focused on the COVID-19 vaccine and election results, it would have been easy to miss that a major policy change regarding the Health Insurance Portability and Accountability Act (HIPAA) was dropped on Thursday. It's broad and expansive, and includes a lot of disruptive requirements with the stated intent to "Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens". T

First Things First: Will This Really Take Effect?

Since this is being proposed by current HHS Secretary Alex Azar, there will undoubtedly be major changes; however it's likely at least some of these provisions will stand--and there will be a lot of opportunity for innovation to support them. Here's an overview of the major provisions that will likely survive with few changes.

Electronic Health Records Will Become Accessible--and More Quickly

This rule, for the first time, "officially" defines "Electronic Health Record." It also defines a new term: "Personal Health Application". And it reduces the required disclosure from 30 days down to 15 days.

According to the rule, a Personal Health Application is "An electronic application used by an individual to access health information about that individual in electronic form… provided that such information is managed, shared, and controlled by or primarily for the individual, and not...for a covered entity or another party such as the application developer.

It's hard to imagine that a Biden administration won't prioritize the ability for individuals to have access to their health records in the method they choose.

"Reasonably Foreseeable" Instead of "Serious and Imminent"

Currently, under the regulation, "covered entities" can't disclose health information without permission unless there is a “serious and imminent threat”. The rule proposes that providers are now permitted to disclose if they believe there is a “serious and reasonably foreseeable threat”. It's believed this will enable providers to disclose suicidal tendencies to police without breaking the regulation.

Applicability to Tech Companies, Providers, and Health Insurance

As written last week in the CMS Interoperability Final Rule article, this should accelerate the adoption of the FHIR standard as a way to communicate electronically with the speed required by the regulations. And, interestingly, if this portion of the rule stays largely unchanged, billing and payment information will play a larger role in the standard. And it should attract more startups and innovation for customers.

Where Can I Learn More?

This rule, like all others, can be found on the HHS website. Or feel free to reach out to me directly and I can give one hour overview presentations on demand.