While technology has radically reshaped healthcare in the United States for decades, COVID-19 is forcing further major restructuring of the healthcare system and affecting both the privacy of patient information and IT security. Important changes to the regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are desperately needed. A review of HIPAA’s history, and of the concerns with HIPAA’s current approach, calls for consideration of new strategies toward privacy and security. They include:
- To the extent possible, incorporating HIPAA into broader privacy and security rules that govern all business entities. A broader scope would also allow eliminating the vague and arbitrary distinctions between “covered entities” and “business associates.”
- Addressing the unworkability of determining what information is “identifiable,” and instead looking at information based on its sensitivity and criticality.
- Setting fixed, known standards for security and privacy rather than leaving information at risk under the illusion that a small entity, implementing “reasonable” standards, can sufficiently protect its data.
- Limiting rights of patients in their data (e.g., deletion and access) to large entities and those that process significant amounts of sensitive or critical information.
- Removing redundant notices that regurgitate regulatory requirements.