Growing List of What Isn’t Under HIPAA Creates ‘Tensions,’ New Oversight Potential

When employees are required to show their employers proof of a positive COVID-19 test before they get sick leave or a vaccination before returning to work, the implications are profound—but they don’t enter the realm of the HIPAA privacy rule.

“It has nothing to do with HIPAA,” said attorney Kirk Nahra, partner with WilmerHale. “HIPAA is not an overall health information privacy law. There have always been gaps in what was covered by HIPAA,” which have become more apparent with the advent of mobile apps, wearables and patient support sites.

The success of the health care system depends on data and protecting its privacy, but organizations are running into complicated situations that weren’t anticipated by the 2003 HIPAA privacy and 2005 security regulations. Although hospitals, insurers and clearinghouses are “reasonably comfortable with HIPAA rules,” he said, “we are seeing tensions.”

One of the tensions involves patients’ access to their own data. For example, when patients receive information about their medical records and it moves from the provider through a mobile app, it’s not regulated by HIPAA. “We have this tension in making it easier for patients to access,” which may dilute the security, and “so far the decision has primarily favored access over security, but we are trying to make sure it’s not a zero-sum game.”
