HIPAA remains in play as technology outpaces privacy protections

Experts assembled on June 6 in Washington for a panel discussion on electronic medical records and privacy noted that HIPAA provides only a minimum standard for safeguards, not a template for best practices. Panelists at the International Summit on the Future of Health Privacy added that the stakes are high when it comes to EMRs and privacy.

"Electronic technology is a game-changer, legally, because the damage that can be done to someone is perpetual and the damages that can be awarded are incalculable," said James Pyles, co-founder and principal of the law firm of Powers, Pyles, Sutter & Verville.

Members of the panel reminded the some 300 attendees of the conference that when HIPAA was written, it was done to help physicians get reimbursement, not necessarily to keep patients' privacy.

"One would think, if you were approaching healthcare privacy policy, the very first thing -- the very top priority -- would be to ask what patients want," Pyles said. "Unfortunately, we have laws on the books that do not put the patient first."

Joy Pritts, chief privacy officer for the Office of the National Coordinator for Health Information Technology, said the main problem is technology is moving faster than privacy laws can be written.

"I approach this in a simplistic way," Pritts said. "I look to see, do you have a right to privacy for your health information? So far, the courts say you do. The tort laws say you do. Standards of professional ethics of nearly every segment of the medical profession say you do. The HIPAA privacy rule does not say that at all."

HIPAA doesn't address the right to privacy, and it doesn't define the word privacy, she said, both of which need to be addressed today.

Marcy Wilder, currently a partner at Hogan Lovells law firm was the lead lawyer for the Department of Health & Human Services on the development of the HIPAA rules. She said the beginning premise of HIPAA was designed to let information flow relatively freely to allow treatment, allow physicians to get paid and put fairly strong restrictions on that data once it starts flowing outside the healthcare system.

"It's true HIPAA is the floor," Wilder added. "There is a regime of laws working toward protecting privacy. Health data is some of the most regulated data in the world."

The goal should be to find a balance between providing patients with privacy rights and helping to build quality healthcare, Wilder said.

Frank Pasquale, a professor of healthcare regulation and enforcement at Seton Hall University, said making new regulations with granularity controls for patients to pick and choose how to share their information would go a long way to helping patients feel safe. If they don't feel safe, they won't willingly share their data.

Even de-identified data poses concerns for many people, Pyles explained. "Some people believe you can re-identify anything. Others think we should be more permissible with it," he said. The litmus test should be this: If a policy makes people more reticent to share even their de-identifed data, then there is not enough protection there.

Privacy rights encourage disclosure, he added.