The Teetertotter Relationship Between PHI and HIPAA

We all know how teetertotters work.  When you add or subtract weight from one end, the other instantaneously feels the exact but opposite reaction.  This has long been the relationship between the protection of PHI and making it available for use.  There wouldn’t be any problem if the use were always for the good of the patient or, in the case of research, for the good of future patients.

There is no more likely place to see human greed than in the news about stolen PHI.  HIPAA was created to set standards of protection and behavior for covered entities.  This is what stands between criminals and protected health information.

No one would argue against the need for medical research.  Important research is often based on historical or existing data, and researchers work with greater and greater amounts of data – and they want more – a lot more.  Another teetertotter effect exists between the use of the whole patient record and de-identified data.  Generally speaking, the more data is de-identified, the less valuable it is to researchers.

Back to the teetertotter… the Federal Government is promoting the idea that patients should have more and easier access to their health information.  Medicare beneficiaries will now have access to claims data and will be allowed to send that data to whomever they would like.  The Federal Government is also putting pressure on healthcare plans and provider organizations to do the same.

Think Facebook and Cambridge Analytica, and it is easy to imagine patient data being misappropriated.  Some would argue that data shared on, and with, Facebook could have been expected to be misused.  I am one of those people.  Nevertheless, a lot of people didn’t think they were exposed, and in a perfect world, they shouldn’t have had to worry about their information.

Since we don’t live in a perfect world, the government plays the role of creating expectations for good behavior.  Way back in 1996 the Health Information Portability and Accountability Act was enacted.  Just like with Facebook, where the vast majority of people couldn’t see the future and the negative ramifications of using it, no one could see 22 years into the future with HIPAA and identify the risks that now exist.  That’s why it was revised in 2009 with the HITECH Act.  For example, HIPAA only applies to covered entities.  It doesn’t cover inferences that can be made from Amazon purchases or Facebook posts.

Are new rules needed?  Probably, and especially if the government gives unsophisticated Medicare beneficiaries easy access to their sensitive data and they are told to share it with whomever they like.  Is it hard to believe patients will be enticed by the greedy element in our society to share that information?  Not very, and potentially to their own detriment.

If you’d like to learn more about how Extract works with medical records, reach out to us today.

About the Author: David Rasmussen

David Rasmussen is the President of Extract. With 30 years’ experience leading software companies, David is driven by the challenge to consistently find groundbreaking ways to solve customer problems. David finds it rewarding to hit the customer’s target and create a great team, build a solid infrastructure, and emerge with a strong value proposition.