Health IT

Is HIPAA…passé? AHIMA digs deeper

Mary Butler, associate editor of the Journal of AHIMA, explores whether HIPAA is still adequate or if it’s in dire need of renovation.


HIPAA: the Health Insurance Portability and Accountability Act. Although it has morphed through the years due to updates and rule changes, it was initially passed in 1996.

More than two decades have gone by since HIPAA came into existence. Has it become passé, necessitating a facelift? Or is it solid enough as it is? In a recent article in the Journal of AHIMA, associate editor Mary Butler weighs in on whether HIPAA is outdated.

For starters, Butler outlines why HIPAA isn’t necessarily what the general public thinks it is. Many people see it as a general healthcare privacy law, that wasn’t entirely its initial purpose. Instead, HIPAA “was intended to make it easier for healthcare providers to transmit healthcare claims to health plans and clearinghouses using common standards.”

“When HIPAA was being written, Congress took the position that if the law was going to facilitate greater electronic sharing of health information, there should be better privacy and security requirements that go with it,” Butler wrote.

But with the rise of mobile devices, telehealth, EHRs and wearables, HIPAA has become less and less all-encompassing, even with supplements like HITECH. Does it need additional updates? Or does it need to be completely scrapped and revamped?

There’s not a single consensus. But experts on the matter seem to be in a few different camps.

More updates

Elisa Gorton, director of corporate responsibility and privacy officer at Bridgeport, Connecticut-based St. Vincent’s Medical Center, thinks HIPAA could use an upgrade. “It could probably be refreshed, because now you have telehealth going on and more patient portals, and more interactive types of care and communication done electronically,” she said, according to Butler’s article.

A more inclusive law

HIPAA is a federal law with which all covered entities must comply. Yet many states have even stricter rules surrounding patient information. Therefore, some — like Nancy Davis, director of compliance and safety at Sturgeon Bay, Wisconsin-based Door County Medical Center — advocate for a more comprehensive law.

“I would relish one set of laws,” she said, according to the article. “In a perfect world, HIPAA would be the end-all — no separate set of rules for minors or mental health.” But she isn’t sure anything like it lies in the near future. “I don’t see that happening because there are a lot of political issues,” she added.

Let innovators take the lead

Lucia Savage, former ONC chief privacy officer and current chief privacy and regulatory officer of Omada Health, said a viable option for improving security without altering HIPAA is to leave it to innovators. “I think, to me, the best course is to really have competition for the best in class and let the consumer pick what’s right for them,” she said, according to the article.

Photo: themacx, Getty Images