The Healthcare Information Portability and Accountability Act was a piece of landmark legislation, outlining how healthcare providers store and protect their patients' confidential health records (1). Although it has undergone several revisions since it was passed in 1996, the bulk of the law remains the same (2). The last update made to HIPAA came in the form of the Health Information Technology for Economic and Clinical Health Act (HITECH), which established more digitally specific rules (3). However, neither HIPAA nor HITECH tells providers specifically how to handle protected health information (PHI); instead, they provide an outline of best practices and leave it up to each covered entity to maintain its own compliance.
As HIPAA was trying to bridge the gap between paper and digital records, digital records continued to evolve. HIPAA proved to be quite flexible, requiring only one major update in the form of the HITECH Act. But this flexibility came at the expense of detailed, technology-specific best practices. Both HIPAA and HITECH take a 'technology agnostic' approach, that is, they set guidelines applicable to whatever technology is used to create or maintain digital records, rather than mandating a specific technology (4). As new technologies make their way into the healthcare arena, early adopters are tasked with creating their own best practices in line with HIPAA and HITECH to achieve compliance.
This pattern of growth can at times be a chokepoint for new technologies, as established healthcare providers point to a lack of industry best practices as an excuse for not updating legacy systems (5). This can lead to embarrassingly slow uptake of new technologies under the guise of waiting to see them tested further. This is well documented in the case of enterprise-level data encryption (6).
Even as HIPAA was penned and legislated into law, encryption was a fairly cost-effective and time-effective method of protecting digital PHI. But since enterprise-level encryption solutions were still relatively new, and in some larger-scale use cases still prohibitively expensive, encryption was listed as 'addressable' under HIPAA guidelines instead of 'required' (7). As encryption became the standard across non-healthcare industries, businesses in the healthcare field were slow to adopt it. It took data breach after data breach, costing the privacy of hundreds of thousands, if not millions, of patients, before businesses in the healthcare sector decided that it was cost effective to begin encrypting their data (8).
The Office of Civil Rights (OCR), the agency responsible for providing guidelines and clarification on HIPAA rules, can do more to help the healthcare industry understand emerging technologies. A good place to start would be an acknowledgment of which technologies are on the horizon for future healthcare implementation. For example, the implementation of blockchain has already begun, with almost every major insurance network involved in at least the development of its own internal blockchain infrastructure (9). But the OCR has not created any guidelines, or indeed made any mention at all, surrounding the implementation of blockchain solutions. These internal blockchains, now in development, are a precursor to the implementation of blockchain-based systems in nearly all corners of healthcare (9). The OCR should begin laying out now its vision for a smart and safe shift to blockchain/distributed ledger systems in healthcare.
Just as encryption was once seen as a futuristic, somewhat unnecessary precaution but is now a core tenet of digital security, so will blockchain eventually be standard for removing unnecessary third parties from healthcare transactions. With the help of "smart contracts", blockchain allows two parties to conduct transactions based on a shared set of rules, without the need for a third party to verify that all rules were followed. This decreases the amount of time unencrypted PHI is at rest and decreases how many people need access to the PHI in the first place. Blockchain also provides a distributed ledger, viewable by all registered parties, for examining who accessed what data; if any of the data was changed, the blockchain leaves a record for the next party to view the exact changes made. These processes will revolutionize healthcare with more accurate and interoperable data. We hope that data privacy laws will adapt with the technology to make blockchain-based products easily accepted and implemented in the medical community.
1. https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
2. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html
3. https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf
4. https://www.hipaaguide.net/hipaa-for-dummies/
5. http://www.chibus.com/perspectives/2018/5/1/healthcares-slow-pace-of-tech-adoption
6. https://www.virtru.com/blog/encryption-in-health-care/
7. https://www.hipaajournal.com/hipaa-encryption-requirements/
8. https://healthitsecurity.com/news/judge-gives-final-ok-to-115m-anthem-data-breach-settlement
9. https://www.modernhealthcare.com/article/20190209/TRANSFORMATION02/190209953/will-blockchain-save-the-healthcare-system