Healthcare’s Painful: Is HIPAA to blame?
By Keith LoMurray on 9/23/2018
Working in healthcare technology, I regularly hear painful stories about people’s experiences with healthcare. People will often talk about the great care they received from an individual doctor or nurse, but then mention the challenges of navigating the impersonal healthcare bureaucracy. Coordinating care between clinics, waiting for records, signing the same forms multiple times, scheduling appointments, other tasks that for healthcare organizations do as a normal course of business, often seem unnecessarily burdensome to a patient already dealing with an illness.
Over time you pick up nuggets of information about health care such as the fact that most medical records are still transferred via fax machine or that only one in three hospitals can send and receive medical records for care that happened outside their organization. HIPAA, the Health Insurance Portability and Accountability Act, has a central role in healthcare, which dutifully guards the patient’s right to privacy. HIPAA sets standard for how and when healthcare information can be shared and sets severe penalties for violations. Transferring medical records by individual faxes seems antiquated, but draws the question: how much is HIPAA responsible for this painful process?
Healthcare technology requires additional effort compared to other industries, which results in slower and more expensive processes. A common challenge is around using a web analytics tool for tracking the usage of a website. The two largest web analytics vendors are Google Analytics and Adobe Analytics, which both advertise the simplicity of adding analytic tracking to a website. Both companies leverage the IP address of the website visit to set metrics, a method that is not compliant with HIPAA. Neither vendor supports a configuration that doesn’t read the IP address. As a result, healthcare companies using an analytics solution will either need to find a complaint tool, which presents it’s own challenges, or implement workarounds to Google or Adobe Analytics for HIPAA compliance. Performing this work may be in the best interest of patient privacy, but it requires healthcare companies expend additional resources, time and energy.
Another challenge for a healthcare organization is the need for a “business associate agreement” (BAA) with all vendors that handle medical information. BAA’s are contracts for vendors that specify the safeguards around medical information as well as the liability of each partner involved. In many cases a vendor can’t be used, because they won’t sign a BAA. BAA’s also require determining who is liable for violations and responsible for penalties. This is a good principle, but it is slow, and requires companies to accept the liabilities. Often organizations will decide to avoid explicit risks. Instead organizations will opt to remain on legacy technology, which still have hidden risks but without the explicit assertions of liability within a BAA.
As much as requirements within HIPAA slow healthcare companies and make processes more expensive, healthcare companies also make choices that contribute to the problems in healthcare. Interoperability, the ability to share healthcare records across healthcare organizations, has been a goal of the US government since at least the 2009 HITECH Act that included digital health records and interoperability as core standards.
Many healthcare organizations have adopted digital health records, but interoperability progress has been more limited. Sharing medical data in a secure manner is already complicated, but interoperability is not prioritized for other reasons. There is no incentive to share records when a patient is switching healthcare providers. For hospital systems, reducing the burden of medical record sharing could make it easier to lose a customer to a competitor. HIPAA allows sharing of records across organizations for a patient care. So, the lack of interoperability can’t be totally blamed on HIPAA.
There are many challenges with HIPAA and in many situations it makes healthcare companies move slower and become more risk averse compared to other technology companies. But it also makes healthcare technology companies think explicitly about the risks they take and prioritize strategies to protect a person’s medical data. A challenge is other industries haven’t historically prioritized the protection and securing of a person’s data to the degree HIPAA requires. When protecting personal data healthcare companies are at the forefront, building the technology to support these standards. Compare this to when healthcare companies use technologies such as cloud computing, they are leveraging a second wave technology, which was refined in another area. Perhaps if more companies prioritized protecting user data, they could help healthcare companies fix some of the unnecessary burdens in healthcare that cause patients additional heartache.