Although the Department of Health and Human Services (HHS) recently updated the HIPAA privacy rule for the first time in more than a decade, the regulations still are not flexible enough to keep up with the pace of innovation in digital health, according to a newly published commentary in the Journal of the American Medical Association (JAMA). Plus, the authors contend, the new requirement that business associates such as vendors be subject to the same HIPAA requirements as covered entities – healthcare providers, insurance companies and the like – poses a serious threat to startup companies.
"Although there is much interest in potential partnerships between innovative companies and healthcare organizations to leverage new mobile technologies (e.g., smartphones, tablets, mobile monitors), the final rule may impose an unfunded mandate for organizations, which ironically may impede adoption of innovation in mobile health," wrote Dr. C. Jason Wang, Stanford University, associate professor of pediatrics at the Stanford University Center for Policy, Outcomes and Prevention, and Delphine J. Huang, a medical student at the University of California, San Francisco.
One problem is that the original 1996 Health Insurance Portability and Accountability Act (HIPAA) and the privacy rule, in place since 2002, were written with EHRs, not mobile devices and consumer engagement, in mind. "Smartphone applications and wearable remote devices that have diagnostic capabilities are becoming readily available, allowing patients to transmit information, such as electrocardiographic abnormalities or elevated blood glucose levels, directly to a physician," the authors said.
"Recently, there has been interest in devices that move beyond telephones and computers, such as the potential for Google Glass to quickly access medical records and improve health communications. Moreover, as individuals gain more sovereignty over their own health data, they also may perceive the use of passwords and log-off features as a nuisance if they do not see some of their health information (e.g., exercise data, weight) as sensitive," they add.
Although the update is the result of the same 2009 American Recovery and Reinvestment Act that created the Meaningful Use EHR incentive program, the new rules still create a "conundrum" between safeguarding patient privacy and encouraging innovation, according to the authors.
The 2013 HIPAA omnibus final rule creates what Wang described as an "unfunded mandate" on startup companies that may not have the wherewithal to negotiate business associate agreements. Smaller vendors tend to get "stuck" on these negotiations, according to Wang, making it more difficult for new firms to compete against established players, and have reduced the incentive for large companies to innovate.
"[Entrepreneurs] really don't have time [or money] to deal with an institution's lawyers, and the institution's lawyers really don't have time to deal with [all the] innovators," Wang told MobiHealthNews. "The existing players are going to win without doing much," he said.
He and Huang have multiple issues with the new regulation, including the "final" designation that is standard terminology in federal rule-making. "With technology, nothing is final," said Wang, a pediatrician who also holds a Ph.D. in public policy.
In the JAMA paper, Wang and Huang call for additional guidance from HHS on how contracts between healthcare entities their business associates should be construed, as the National Institutes of Health has provided for institutional review boards and drug companies conducting clinical trials. "IRB agreements are standardized," Wang noted. "Business associate agreements are not today."
Also, the commentary said, some companies might not even know they have violated HIPAA until they get hit with administrative fines or even criminal charges, thanks to what Wang and Huang said was "poor guidance on how to become HIPAA compliant."
Wang suggested that HHS could create a "safe harbor" from HIPAA for early-stage innovations, much like the Food and Drug Administration has fast-tracked approval for some experimental medications. "The FDA had a fast track for HIV drugs because people were dying," Wang said.