#HIMSS16 Industry Perspective: It’s All about the Privacy and Security Education

March 28, 2016 by Matthew Fisher, Esq.

Following HIMSS16 it was widely stated that no major new healthcare buzzwords were produced. However, the conference did produce clear themes to track in the coming year(s). One of the primary themes, falling within my focus area of privacy and security, is the need for better education and informed awareness. Speakers from various parts of the government, including the Department of Health and Human Services (“HHS”), the Office of the National Coordinator for Health Information Technology (“ONC”) and the HHS Office for Civil Rights (“OCR”), hammered home the need for everyone connected to the health IT industry, and really the whole healthcare industry, to better understand applicable legal and regulatory requirements.

The concern stems from the government’s finding that a lack of understanding is negatively impacting the development and implementation of health IT solutions and tools. Too often misunderstandings or misapplications of the law, primarily HIPAA, prevent full and effective use of new technology and hinder access to and use of information, among other issues. Based upon frequent statements and recent guidance, the government is fed up with this situation and expects major change to come about quickly.

Sylvia Burwell, Secretary of HHS, set the tone in her opening keynote address to HIMSS16. Secretary Burwell identified a three-part strategy to transform healthcare, which included a key element of unlocking data. Unlocking data is needed because, from the government’s perspective and frequently the patient’s too, it is not always available. For instance, there have been many (though disputed) reports of information blocking in the healthcare industry. Later during HIMSS16, the reality of information blocking would be questioned, though this may be moot given the government’s concern. Secretary Burwell, in a well-received statement, also suggested that a common set of interoperability standards would release data and avoid the need for cumbersome legal arrangements. Common standards would remove potential arguments of perceived HIPAA barriers. Turning to protection of the data, Secretary Burwell then alluded to a newly mandated health care cybersecurity task force. Cybersecurity is clearly a backbone to the other issues because data must be kept secure regardless of the use. The breadth of Secretary Burwell’s speech served as a roadmap for subsequent speeches and sessions from others within the government.

The major focus on education really kicked off with a panel discussion from ONC luminaries: National Coordinator Karen DeSalvo, Chief Privacy Officer Lucia Savage, Office of Standards and Technology Director Steve Posnack, and Acting Director of Policy Elise Anthony. The ONC panel highlighted many new initiatives, including a new challenge to spur app development and a proposed rule concerning reliability, transparency, accountability and safety of certified health IT. Despite these announcements, much of the discussion on the panel came back to ensuring that the healthcare industry understood applicable regulatory requirements. Using the app development challenges as an example, the panel emphasized that there is synergy between the desired functionality in the apps and the patient access to medical data allowed by HIPAA. The concepts are complementary, not contradictory. In order to develop an effective app, whether for provider or consumer use, it is necessary to appropriately follow HIPAA requirements. Proper HIPAA compliance is a key feature of reaching the desired future of a friendly health IT world, which is bolstered by recent app-specific guidance issued by OCR (alluded to in the session). Without acknowledging that HIPAA is not meant to block the flow of information, but to encourage it, no app or other health IT solution will meet expectations. That was the message the ONC panel preached.

The ONC panel’s message was followed by a standalone session from Lucia Savage that focused on privacy and security in an app-enabled world. Savage’s presentation, picking up on the earlier announcement of the app development challenges, centered on dispelling common myths surrounding HIPAA. For example, provisions of HIPAA such as permissive use and disclosure for health care operations were emphasized, as well as individual rights of access. The entire point of Savage’s presentation was to promote the message that HIPAA is not a barrier to the goal of free movement of data. The impassioned delivery showed that ONC does not believe people are paying appropriate attention. This in turn results in the need to re-explain long-standing components of the law. Additionally, even though HIPAA pre-dates much of the technology being used now, Savage explained that it is still flexible enough to apply. HIPAA sets basic standards that are adaptable.

Savage’s message was even more poignantly delivered during a small roundtable discussion that I had the privilege of attending. The purpose of the roundtable was to hold a frank discussion with a group of attorneys and solicit the aid of the private bar in delivering both ONC’s and OCR’s message about the “real HIPAA.” Savage wanted to ensure that everyone was on the same page. Savage reiterated the guidance contained in recent publications, but also sought input from those around the table as to their experiences. The views of other attendees were very informative. One attorney indicated that conflicting guidance and outcomes from different government agencies make it difficult for organizations to know what to do. For example, a notice of privacy practices may be acceptable to OCR in terms of laying out use and disclosure of information in compliance with HIPAA, but the same notice may be deemed insufficient by the Federal Trade Commission. Inconsistent and contrary views are detrimental to compliance. From a practical point of view, private attorneys have interpreted, and still interpret, HIPAA the same way as the government. This can be done as it always has, but may not address all of the concern. The real issue is the vast number of organizations that do not seek assistance at all. Those organizations either feel they can handle their obligations, believe they understand HIPAA and other laws, are ignoring their obligations, or have any number of other explanations. It is those organizations that really require education to ensure that they correctly and accurately implement legal and regulatory requirements. The outstanding, and difficult, question is how to reach those organizations.

Conversations with individuals throughout HIMSS16 reinforced the belief that education is needed and in high demand, and for many reasons. For one, new solutions are being developed that push boundaries and require a detailed knowledge of HIPAA and other applicable laws. For another, new players are coming into the health IT field that need to be brought up to speed. If new players do not comprehend what requirements apply to them, it can lead to exposure points. This relates to a discussion about cybersecurity that I had with Mac McMillan from Cynergistek. Threats, such as hacking and ransomware, are increasing. If people do not stay up to date, then those threats cannot be mitigated or reduced. This goes to the need to be educated on a variety of fronts.

With the recognition that education is essential to both full awareness and understanding of HIPAA requirements, what is next? Expect the government to continue producing guidance aimed at both individuals and healthcare organizations. The message on that front is well timed. The industry will not be left without support because too much is at stake. If information continues to be held up unnecessarily, then the promise of so many health IT innovations and, more importantly, value-based care will be in real danger.

The time is now to be sure that all requirements are understood and internalized. The day is likely coming soon when ignorance and/or disregard for compliance under HIPAA, or related laws, will not be tolerated. While fines and penalties have been infrequent to date, that will change. The government is playing nice for now with its educational efforts, but that cannot last. When public attention is brought to bear on an issue, a loud and just as public response is soon to follow if a problem has not been remedied.

Continue your #HITprivacy and #HITsecurity learning by contributing to the conversation on Twitter and by checking out HIMSS’ offerings on the topic.
