Rethinking Patient Data Privacy in the Era of Digital Health

Health Affairs
By Lisa Bari and Daniel P. O’Neill
December 12, 2019

Over the past 10 years, US health care has gradually shifted toward digital record keeping in the professional realm—the world of hospitals, health plans, and physician practices. That transition occurred under the umbrella of privacy and security rules rooted in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that predates most modern online and mobile services and that does not reach health information created or managed by patients themselves outside the care system. As federal and state lawmakers look to revamp privacy rules, this post outlines a proposal to adapt and extend the familiar HIPAA framework, along with some of the fiduciary principles embedded in it, for a new era of digital-first health care. We suggest that Congress could enact a package of incremental reforms to protect the privacy of health data while broader debates about online consumer data protection continue.

With rapid growth in the range and volume of patient data available in digital form, the limits of the HIPAA framework—now almost a quarter-century old—merit legislative attention. Without clear guardrails, public trust may crumble in the face of repeated scandals, undermining the potential for digital health to usher in an era of more accessible, coordinated, and personalized care.