HIPAAcracy: The Real Constraint on Innovation in Healthcare Technology

There is a seemingly never-ending opportunity to innovate in healthcare, particularly for companies from California founded by technologists who have recently encountered the monolith that is the US healthcare system. Having experienced it once in an up-close and personal way, savvy tech entrepreneurs resemble characters from an Elvis song rushing in to “solve” for the lack of clever mobile apps in healthcare.

When I first began to deploy modern technology in healthcare settings in 1996, technology was the problem, or at least the limiting factor. Trying to deliver board-certified radiology services to consumers in Pahrump, Nevada; DeFuniak Springs, FL; and Houlton, Maine using frame-relay and POTS (plain old telephone system) was exceptionally difficult.

Technology is no longer the issue. Regulation is.

There are dozens, if not hundreds, of very clever technology solutions that could somehow improve healthcare. Now, there are not as many as the entrepreneurs believe, since many of them are trying to solve a problem that does not exist, or perhaps a problem that no one wants to solve yet. But for those that could make a material impact on quality or cost, there is a massive elephant in the room: the Healthcare Information Portability and Accountability Act of 1996.

HIPAA was well-intentioned, if naïve. In 1996, when Netscape and Microsoft were fighting for browser dominance and patient records were kept almost exclusively in paper charts, the only electronic media in use in healthcare settings were digital images for radiology studies. In 2017, post-HITECH, the government has effectively forced 20% of the US economy to adopt electronic medical records. What began as an attempt to stop people from leaving patient records lying around medical facilities has now mushroomed into a punitive system that treats the law as a hammer and every piece of patient data as a nail.

Keeping medical information private seems like a noble ideal, even if apparently every other part of a person’s information is fair game, whether for Facebook or Experian or some 17-year-old in the Ukraine.

The result: healthcare providers want to shift an undefinable business risk enforced by the US government to their technology vendors.

The solution: a “safe harbor” for HIPAA like others in healthcare.

Occasionally, people who work for healthcare systems are curious about a particular case or a famous patient, and they inappropriately access that patient’s record. That behavior is obviously wrong, and should be punished. But the vast majority of data breaches are inadvertent or stupid, not nefarious.

The lack of a safe harbor creates enormous friction costs, in terms of legal fees and extended time to deployment, if deployment happens at all. Healthcare providers are acting rationally when they ask for unlimited liability from their vendors, though those vendors are ill-equipped to provide that financial reassurance. And, actually, those providers should not want their vendors to have that sort of agreement with any other provider, as a vendor who is subject to unlimited liability for one provider may then be unable to provide services for other customers who have agreed to something less than unlimited liability.

Although the US government is incapable of preventing bad actors from accessing data that is much more valuable than that of an individual patient or a group of them, the government never punishes itself. Although most data breaches are focused on using PHI for other purposes, such as financial fraud, the US government does not deal as severely with other sectors, such as banks, when customer data is stolen for the same purpose as the theft of PHI.

Even so, the US Department of Health and Human Services has consistently levied massive fines for PHI breaches. In some instances, the actual breach was the fact that data was on a laptop that was stolen. Is it dumb to leave your laptop in plain view in your car? Sure. Is it likely that the people who steal laptops out of cars are looking for PHI? No. If a burglar finds PHI on a stolen laptop, is it likely that they will rejoice over having a copy of someone’s medication history? Doubtful.

The adoption of technology would rapidly accelerate if healthcare providers and their vendors knew that there was a safe harbor for breaches that were not grossly negligent or for some nefarious purpose. HHS has longstanding “safe harbor” regulations for various business practices and relationships that, although they could be viewed as a violation of Medicare and Medicaid regulations, are not.

Why not do the same for PHI breaches?