When Congress passed HIPAA, the Health Insurance Portability and Accountability Act, in 1996, we still had paper medical records, no smartphones, and no cats with Instagram accounts. The world has changed a wee bit in the last 20 years.

Now we keep medical records electronically and those records are poured into vast databases. Both researchers and businesses that barter in your health information mine that data. Genomic research has exploded. And the federal government is pushing precision medicine, connecting disparate streams of patient data to find cures for chronic diseases.

This research offers tremendous hope for human health. It also relies on the use of deeply personal information — information that you’re hoping HIPAA protects. But the law is not perfect, and neither is the balance between privacy and third-party access to patient data. Here are five things to think about as HIPAA approaches its next 20 years.

Your data

is out there

Many consumers think HIPAA ensures that hospitals can’t share patient information except with their insurance company.


In reality, it only protects personally identifiable information. That means hospitals and other entities can, and do, share plenty of data about patients as long as it is de-identified and doesn’t include your name, birth date, and Social Security number. It can still include your diagnosis and other medical details.

This information trade helps to advance research and improve the coordination of medical care. But there’s also a temptation to re-identify information for marketing or other commercial purposes.

“It exponentially multiplies the threat environment for prospectively bad people to get access to this incredibly sensitive data,” said Doug Pollack, chief strategy officer at ID Experts Corp., a Portland, Ore.-based firm that investigates data breaches.

Your data

informs research

Privacy is important, but not sharing anything could stifle medical advances. Some researchers are concerned that fear of data breaches is causing consumers to say no to participating in clinical trials and research studies.

Dr. Robert Green, a medical geneticist at Brigham and Women’s Hospital in Boston, said general anxiety about protecting personal information stymies his work.


“The number one reason people decline to participate in these studies is their fear of privacy issues,” Green said. “People don’t necessarily understand these laws or believe them.”

He said he spends a lot of time explaining privacy laws and data security to potential participants, but he said legal protections offered by HIPAA and the Genetic Information Nondiscrimination Act — which focuses on securing information obtained through genetic research — are only helpful to a point.

“You can’t make progress in genetic research if you can’t reassure people that their information is private and isn’t going to be used against them,” he said. “It totally obstructs participation in clinical research.”

Private third parties have better access

Though consumers have a right to request their medical records, that doesn’t mean they can get them easily, or correct inaccuracies.

“There are companies out there that know more about me medically than I am able to get and aggregate personally,” said Ben Heywood, cofounder of PatientsLikeMe.com, a Cambridge business that allows patients to share information about their conditions to crowdsource effective treatments.

That’s because, despite HIPAA’s protections, there is no standard set of steps consumers can follow to get their information from hospitals, putting them at a disadvantage compared with third parties that can get their records with relative ease and use them for their own purposes.

Heywood said the lack of transparency in how data is used and shared is creating a dangerous imbalance. “It’s not acceptable,” he said. “As a patient trying to get the best care, it’s hard for me to aggregate this data. And yet companies can do it pretty straightforwardly. There is a moral underpinning to that, that needs to be fixed.”


Our expectations
of privacy changing

Heywood said privacy is too often discussed in a vacuum that is sealed off from the practical concerns of patients who are struggling to find the most effective treatments.

“Do we not talk about medical issues because we talk about medical data in such a privacy-restricted way?” Heywood said. “The reality is there are 100 million people in the US with a chronic illness. Everyone’s dealing with someone, or has a friend, or family member. If we were talking more about this, would some of that stigma go away?”

A greater willingness to discuss medical problems might support his company’s business model.

But it also is an appropriate question to ask on a societal level, he said, especially with so much medical information being shared outside the view of the people whom it most directly affects.

Medical identity

theft is rising

A data breach is one concern. Another is the medical identify theft that springs from it. The theft and fraudulent use of patient information results in $80 billion in excess medical costs per year, according to government estimates.

Pollack, the chief strategy officer at ID Experts, said theft is most commonly committed by an unscrupulous medical provider who assumes a patient’s identity in order to bill the government or another payer for services that were never delivered.


For patients, the theft leaves behind a messy medical record that can be maddeningly difficult to correct.

“There are not clear regulatory guidelines that allow you to ensure your records are made correct if they are incorrect,” Pollack said. “We do that in the credit world, but there is no mandated way of doing that in health care.”

As the scope of the problem increases, Pollack said, fixing HIPAA, or coming up with some other regulatory solution will become more important.

“We don’t have a universal system, so my health records are scattered across many different health providers,” he said. “The decentralized nature of the way we deal with it in the US has created a challenge for resolving this.”

Casey Ross can be reached at casey.ross@statnews.com. Follow Casey on Twitter @byCaseyRoss.