5 HIPAA myths in the digital age


Truth: Health professionals are obligated to provide copies of health information to patients and that includes electronic copies if practices have such technology. The electronic copy requirement was adopted in 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Despite the electronic amendment’s existence for nearly 10 years, Ms. Savage said she frequently hears from patients about the difficulty of obtaining health information and the extended time and high cost that come with requests.

“[Providing health information to patients] is an obligation,” Ms. Savage stressed. “A 21st century physician might want to be thinking about how to build on that obligation to really engage their patients in a partnership of care. If you give the patient the data, they can actually become a more valuable [participant] with you and engage in self-management.”

More information on HITECH and giving patients access to protected health information can be found here.

Truth: HIPAA is flexible and can adapt to newer technology more easily than many people think, Mr. Fisher says.

“[There is the perception] that HIPAA is archaic and does not fit with modern technology,” he said. “There are a lot of misplaced fears that digital tools cannot satisfy security requirements or will place data where they should not go.”

In actuality, many health care applications enable doctors to satisfy HIPAA requirements, while using updated technology. Secure email to send patients messages is one example, he said, as well as secure text messaging between providers.

At the same time, new technology can often assist health care privacy and advance security, Mr. Fisher noted. Technology solutions frequently automate routine tasks, such as auditing. Tools like machine learning and artificial intelligence can enhance security and catch up with attacker intelligence, he added.

“Technology should be viewed as a means of enhancing and expanding capabilities,” he said. “Using the auditing example, an individual really cannot adequately review all records or access points, but a program may be able to do so and begin to identify small trends that represent a security concern. From this perspective, the technology, as indicated, is about enhancing what can be done.”

Next Article: