HIPAA & Health Information Portability: A Foundation for Interoperability

Kathryn Marchesini, J.D. and Timothy Noonan, J.D. | August 30, 2018

Twenty-two years ago this month, the U.S. Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The federal Privacy, Security, and Breach Notification Rules implemented under HIPAA, and administered and enforced by the HHS Office for Civil Rights (OCR), continue to serve as the national foundation of protections for individually identifiable health information, and of individuals’ rights with respect to their information, including the right to see and obtain copies of their health information from their healthcare providers and health plans. In addition, HIPAA covered entities and their business associates continue to use the required HIPAA electronic transactions and code set standards to exchange health information for essential administrative purposes, such as submitting insurance claims.

As the Office of the National Coordinator for Health Information Technology (ONC) and OCR work toward achieving the individual access and interoperability promises of the 21st Century Cures Act (Cures Act), we reflect on the fact that the “P” in HIPAA stands for portability. While the portability provision in HIPAA refers to the portability of health insurance coverage for individuals and their families, today we want to talk about the “P” in HIPAA also signifying the secure portability – or the flow – of health information across the health ecosystem.

HIPAA Supports Data Portability

HIPAA recognizes the importance of providing individuals with portability of their data. With limited exceptions, the HIPAA Privacy Rule provides individuals with a right, upon request, to see and receive copies of information in their medical and other health records (a “designated record set”) maintained by a HIPAA covered entity, such as an individual’s healthcare provider or health plan. At the direction of an individual or personal representative, a covered entity must transmit health information about the individual directly to any person or designated entity within 30 days (with the possibility of one 30-day extension). Covered entities are strongly encouraged to provide individuals with access to their health information much sooner, and to take advantage of technologies that enable individuals to have faster or even immediate access to the information.

ONC and OCR recently began a campaign encouraging individuals to get, check, and use copies of their health information and our two offices offer training for healthcare providers about the HIPAA right of access. OCR and ONC have developed guidance to empower individuals to take more control of decisions regarding their health and well-being through easy access to their health information. These guidelines include access guidance for professionals, HIPAA right of access training for healthcare providers, and Get It. Check It. Use It. resources for individuals.

HIPAA also supports the sharing of health information among healthcare providers, health plans, and those operating on their behalf, for treatment, payment, and healthcare operations (TPO) purposes, and provides avenues for transmitting health information to loved ones involved in an individual’s care as well as for research, public health, and other important activities.

Technology Facilitates Portability – Past, Present, & Future

To further promote the portability of health information, we encourage the development, refinement, and use of health information technology (health IT) to provide healthcare providers, health plans, and individuals and their personal representatives the ability to more rapidly access, exchange, and use health information electronically

Now, more healthcare providers and health plans are offering individuals electronic access to their health information. In addition, the Cures Act directs HHS to address information blocking and promote the trusted exchange of health information, which will further promote the portability of this information.

HHS and its components like the Centers for Medicare & Medicaid Services (CMS) and the National Institutes for Health (NIH), along with the White House Office of American Innovation, are working to support the portability of health information and encourage the growth of a health ecosystem that encourages healthcare providers, health plans, and individuals to share health information electronically.

Health IT can improve the portability of digital health information and facilitate the HIPAA individual right of access.

Health IT can improve the portability of digital health information and facilitate the HIPAA individual right of access. For example, healthcare providers using Certified Electronic Health Record Technology (CEHRT) certified to the 2015 Edition of standards, implementation specifications and certification criteria (2015 Edition) adopted by HHS for ONC’s Health IT Certification Program have view, download, and transmit (VDT) technical capabilities. These capabilities support individuals’ ability to use internet-based technology to transmit their health information to a third-party, directly from the provider’s technology (such as through a patient portal or personal health record) to any email address, as requested by the patient. In the 2015 Edition, the “application access” certification criteria requires health IT developers to demonstrate that the health IT can provide application access to a common set of patient clinical data via an application programming interface (API). An API is technology that allows one software application to programmatically access the services another software application provides, including supporting the sharing of electronic health information.

OCR’s health app developer portal offers resources for health IT developers and others interested in the intersection of health IT and HIPAA privacy and security protections, including those wanting to build  privacy and security protections into technology to enable individual choices for secure health information access and sharing. Assistance is also available at www.HHS.gov/hipaa.

The Cures Act builds on the capabilities of the 2015 Edition by calling for the development of APIs that enable the user to access and use health information “without special effort.” As we focus on accelerating individuals’ ability to access, share, and use their health information on their smartphones or other mobile devices, APIs should increase data portability and serve as a technology to further implement the health information portability concept. For example, we are currently looking at how developers and users of health IT enable individuals to use an API to make a request to exercise their HIPAA right of access and to request that their health information be transmitted to a designated third-party, like the All of Us Research Program.

Looking Ahead

HHS’ guiding principle is to make policy choices that will give consumers, healthcare professionals, and innovators more options for getting and using health information. Our interoperability efforts focus on improving individuals’ ability to access and share their health information to better enable them to shop for and coordinate their own care. We are dedicated to putting patients first, allowing them to be empowered consumers of healthcare by making the information they need to be engaged and active decision-makers in their care available on their smartphones or other mobile devices.

As HHS continues working toward achieving the interoperability priorities of the 21st Century Cures Act, HIPAA puts us one step closer to doing so. Now, twenty-two years after it was enacted, and at a time when the European Union’s General Data Protection Regulation (GDPR) includes data portability as a fundamental right of individuals, HIPAA still serves as a nationwide foundation for portability of electronic health information as well as its privacy and security.