Sign in

HIPAA Updates are Focus of Proposed Legislation

By: Lisa Marlin

February 16, 2022


What happens online stays online. It’s a fact of modern living. However, when that pertains to patient data, is enough being done to protect who has access to it? At least two U.S. Senators don’t think so. On Feb. 9, 2022, Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced the Health Data Use and Privacy Commission Act to begin the process of modernizing what they call “outdated health privacy laws and regulations.”

Stating the increase in technology companies in healthcare, they claim that health information is expanding beyond the reach of the Health Insurance Portability and Accountability Act (HIPAA), put into law 25 years ago to protect all interactions between patients and their doctors. Several healthcare entities are voicing their support in a letter, calling it a much needed tool to inform perspectives in the ongoing privacy debate.

Dr. Cassidy speaks from his own experience in the medical field. “As a doctor, the potential of new technology to improve patient care seems limitless,” he says. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”

As technology advances, so do the challenges

A recent article points to new challenges not covered by the existing legal framework of HIPAA: the proliferation of digital health data, trends in data use, increased use of telehealth applications due to COVID-19 pandemic and the consumer’s participatory role in healthcare. Additionally, emerging technologies such as genealogical databases, wearable devices and mHealth apps are not covered entities, therefore they are not required to protect the data they collect under HIPAA.

The COVID-19 pandemic has further highlighted possible inadequacies of current privacy laws. While HIPAA disclosure laws in the Privacy Rule remain applicable for sharing of patient data for patient care and public health purposes, the substantial increase of telehealth appointments have posed challenges for HHS.

Up next: research and recommendations

The first order of business for the proposed legislation is to form a health and privacy commission made up of 17 appointed members. They will be charged with researching and then drafting recommendations to include the following:

  • The potential threats posed to individual health privacy
  • The purposes for which sharing health information is appropriate and beneficial to consumers, as well as the consequences of sharing it
  • The effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy
  • Recommendations on whether federal legislation is necessary
  • Analysis of financial needs for additional regulations
  • The cost analysis of legislative or regulatory changes
  • Recommendations on non-legislative solutions to individual health privacy concerns, including education, market-based measures, industry best practices, and new technologies.
  • Review of the effectiveness and utility of third-party statements of privacy principles and private sector self-regulatory efforts

The last update to the HIPAA Rules was the HIPAA Omnibus Rule in 2013; this introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 that helped health care organizations switch from using paper records to electronic health records (EHRs).

If you have further questions about this or other HIPAA issues, please reach out to us. We’re here to help. Email info@privaplan.com or call 877-218-7707.