Healthcare Regulation: Opportunity and Inhibitor for Data Sharing


Matthew Fisher


The reasons for not pursuing innovation in healthcare, especially when it comes to technology-based innovation, can often focus on a few particular themes, specifically privacy and security. Privacy and security issues then go down a level to access to data, restricting sharing of data (whether to the subject individual, other clinicians, or anywhere else), fear of a breach, or some other form of non-compliance with applicable healthcare regulations.

Despite holding up regulations as the barrier to accessing or sharing data, the healthcare regulations, such as HIPAA, do not actually present barriers so much as guidelines or guardrails around the usage of data.

If regulations facilitate innovation, how does such facilitation occur? Understanding the benefit requires first understanding some core principles from HIPAA and the new information blocking interoperability regulations.

Uses and Disclosures Under HIPAA

Privacy and security requirements under HIPAA are often cited as requiring data to be completely locked down and not shared outside of the organization creating the data. The most extreme form of this view even prevents individuals from accessing their own information or throws up so many restrictions that individuals will give up. HIPAA is not that restrictive though. Getting into the specifics of HIPAA reveals the following:

Organization Uses and Disclosures

Organizations have wide latitude to use protected health information for payment, treatment and healthcare operations. Each of those terms is defined under the HIPAA Privacy Rule, and the definitions cover many basic everyday functions of an organization. Further, uses and disclosures under each category do not require authorization or consent from impacted individuals. Payment and treatment are relatively self-explanatory. Healthcare operations will cover many other aspects.

Individual Access

The HIPAA Privacy Rule gives individuals a hard-to-deny right to access their own information. The rule creates a couple of narrow exceptions where access can be denied without appeal (psychotherapy notes or information connected to actual or potential litigation) and a few instances where denial is appealable. On the whole though, HIPAA is intended to facilitate access, which in turn can support individual use of data and feed into expanded use.

Other Uses and Disclosures

The HIPAA Privacy Rule also identifies other times when use and disclosure can occur without an opportunity to object, with an opportunity to object, or when authorization is absolutely needed. The category where authorization is absolutely needed is the smallest, focusing on marketing, sales or fundraising, which are really all instances where some benefit would be derived by the using organization. When use or disclosure benefits the individual or the broader public, then HIPAA becomes a lot more permissive on the use and disclosure front.

Promoting Interoperability and Stopping Information Blocking

Even a cursory review of HIPAA shows how it really enables the use and disclosure of health information. That arguable openness has been around since HIPAA passed, but it has not been followed. Frustrations around data blocking and unnecessary barriers fed into changes included in the 21st Century Cures Act, and those changes have now been expanded upon in the information blocking and interoperability rules. The aim of the information blocking and interoperability rules is to further open up access to data with the goal of driving development and innovation.



Patient Access

New rules are intended to facilitate patient access to data through the use of common application programming interfaces (APIs) that should make it easier for patients to pull their data in an easy-to-use manner. The goal of the expanded access is that information will be represented in formats similar to non-healthcare settings.

Information Blocking

On top of increased access, information blocking is now defined as any act or practice that is likely to interfere with access, exchange or use of electronic health information. The interference can be against individuals, health information networks/exchanges, developers, or other clinicians. The expansive view of information blocking drives home the intended access to information included within HIPAA and defines more rights that can be enforced to prevent denial of access or exchange.


The new information blocking rules do not mean that absolute access will be given to electronic health information. The rule is designed to co-exist with HIPAA and other requirements. The exceptions fall into two broad categories: exceptions that involve not fulfilling a request and exceptions that involve procedures for fulfilling a request. Even if an exception applies, the ultimate goal is to enable and promote access to data.

Powering Innovation

Leaving aside the actual impact of current and pending healthcare regulations, data are meant to be accessible and used for the purpose of enhancing treatment, operations, payment and any desire expressed by an individual. All of those actions would seem to be perfect catalysts for the creation and growth of new models and tools that result in higher quality, more efficient healthcare.

That is not necessarily the case though. Instead, misconceptions about HIPAA and other healthcare regulations or inattention to the regulations have become common barriers. Coming from that backdrop, the implementation of the new patient access and information blocking regulations offers a prime opportunity for all parties to come to a common understanding and grow from that point.


The first component of the opportunity is taking the time to fully digest new requirements or seek trusted counselors who can help with that process. Beginning or continuing the development process with a healthy understanding of regulatory requirements can result in a better and smoother functioning solution. Such a solution could almost take care of access problems by itself. If a solution can fit into the workflows of a healthcare organization and meet individual desires, the meshing could minimize the likelihood of barriers being thrown up.

The second component is to adopt a position of flexibility. Rigidly pursuing an idea or concept will quickly result in bumping up against ceilings or other potential dead-ends put into place by regulations. The willingness to be flexible with a concept ties into having a solid grounding with the regulations. Since healthcare regulations can be so complex, layered and convoluted, it is fairly common that an unintended path must be followed to achieve a desired business aim. The sooner regulations are understood and taken to heart, the sooner the zigging and zagging needed to achieve desired business goals can occur.

A third component is to incorporate different viewpoints. With the emphasis placed on individual access to their own health information, bringing that viewpoint into planning and development could be powerful. Adding more insights can help to better identify actual issues and/or pain points. A theoretical problem may not be an actual problem or a solution may not actually address a challenge. Adopting new paths can produce unexpected benefits and should not be foreclosed.

Creating Change

Considering the growing definition of goals and platforms, what should come next? Arguably a refined approach to privacy will enhance all of the opportunities and issues identified. Given the numerous complaints about the barriers or lack of protection from HIPAA, which will likely be echoed at some point with the new information blocking rules, now is a ripe moment for rethinking privacy.

The debate around privacy is certainly happening with passage of various state laws (the California Consumer Protection Act being a prime example) and implementation of new privacy regimes around the world (the European Union’s General Data Protection Regulation being the prime example). With those laws and regulations coming to bear, developing a comprehensive framework to capture all areas of the healthcare industry is necessary.

Many new areas of data creation or curation do not fall under the scope of current healthcare regulations. Instead of voluntarily adopting protections though, a haphazard approach is probably taken that meets baseline expectations under unfair and deceptive business practice standards. Such an approach is not enough.

Identifying appropriate privacy protections and expectations is not something that will occur quickly or without input from all impacted. Further, identifying potential key principles or components is beyond the scope of what can be identified by any one person. It must be a collective effort, which comes back to the theme of innovation. Innovation can be a singular idea, but innovation in privacy and ultimately in healthcare should be the result of a group effort. Kernels may come from individuals, but a better collective whole will likely involve input from many.


The views and opinions expressed in this content or by commenters are those of the author and do not necessarily reflect the official policy or position of HIMSS or its affiliates.