Understanding the Role of HIPAA in Healthcare Innovation

May 25, 2023
10:56 am

As the healthcare industry has transformed over the years, the use of healthcare data has evolved as well. The Healthcare Leadership Council recently hosted a webinar entitled, “The Past, Present, and Future of Health Privacy Policy,” featuring a panel of legal experts who provided a glimpse into how privacy laws shape the conduct of research and the collection of large volumes of data for purposes such as predictive analytics.

Erin Geygan, senior privacy counsel at Johnson & Johnson, explained that the organization comprises three segments – pharmaceutical, medtech and consumer health – which have invested $14.6 billion in research and development. Johnson & Johnson’s data privacy and security program identifies federal, state and global requirements around accountability and innovation, cybersecurity included. Erin noted the lack of harmonization between state laws on medical information privacy and other federal laws governing health information outside the scope of the Health Insurance Portability and Accountability Act (HIPAA). She also discussed the need to address the challenges facing data sharing for innovation, such as technical constraints, intellectual property risks and exclusive access. Johnson & Johnson believes that public policy on data privacy and protection should seek to provide appropriate protection and empowerment to consumers and patients while also ensuring that innovation and the provision of healthcare products and services are not impaired.

Jessica Kelly, legal counsel at Mayo Clinic, focused on the intersection of research with privacy and confidentiality. The road to research begins with preparatory activities such as recruitment, where data is needed to identify potential candidates for a possible study. Contacting those candidates for enrollment involves use of protected health information (PHI). She went into detail regarding authorizations to use PHI for current and future research, as well as the use of waivers of authorization, which institutional review boards can grant when consent has not been obtained from the individuals and there is minimal risk to their privacy. In closing, Jessica described the two methods of achieving de-identification of PHI under the HIPAA Privacy Rule. Once the numerous identifiers have been removed from the data, it is no longer subject to HIPAA.
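The de-identification step Jessica refers to is mechanical enough to show in code. The block below is an added illustration, not code from the webinar, Mayo Clinic or the Healthcare Leadership Council: it applies a subset of the Privacy Rule's Safe Harbor rules (drop direct identifiers, keep only the year of dates, collapse ages over 89 into a single bucket, truncate ZIP codes to three digits and zero out sparse areas, scrub obvious identifiers from free text) to a constructed patient record. The field names, the sample record and the list of "sparse" ZIP prefixes are assumptions made for the demo; a real pipeline would cover all 18 identifier categories and load the current Census population data for ZIP areas.

```python
"""Safe Harbor-style de-identification sketch (added example, not the
webinar's or any vendor's code).  Covers a subset of the HIPAA Safe Harbor
identifier categories; it is an illustration of the technique, not a
compliance tool.  All field names and sample values are assumptions."""
import re
from datetime import date

# Direct identifiers that are simply dropped from the output record.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street_address"}

# Date fields tied to the individual: Safe Harbor allows only the year.
DATE_FIELDS = {"dob": "birth_year",
               "admission_date": "admission_year",
               "discharge_date": "discharge_year"}

# Constructed (hypothetical) 3-digit ZIP prefixes treated as covering fewer
# than 20,000 people; Safe Harbor requires these to be reported as 000.
SMALL_ZIP3 = {"036", "059", "102"}

# Best-effort patterns for identifiers that leak into free-text notes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 when that area is sparsely populated."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return iso_date[:4]


def age_on(dob: str, as_of: date) -> int:
    """Whole years between an ISO date of birth and the reference date."""
    y, m, d = (int(part) for part in dob.split("-"))
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))


def redact_free_text(text: str) -> str:
    """Replace SSN-, phone- and email-shaped tokens in narrative text."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return EMAIL_RE.sub("[EMAIL]", text)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new record with Safe Harbor generalisations applied."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # dropped outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[DATE_FIELDS[key]] = year_only(value)
        elif key == "notes":
            out[key] = redact_free_text(value)
        else:
            out[key] = value              # e.g. diagnosis codes pass through
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        if age > 89:
            # Ages over 89 are aggregated; the birth year would reveal them.
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record used to exercise the rules above.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "00123456",
    "ssn": "123-45-6789",
    "dob": "1931-03-15",
    "zip": "03601",
    "admission_date": "2023-02-10",
    "diagnosis": "E11.9",
    "notes": "Patient asked that results go to jane.doe@example.com or 555-123-4567.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2023, 5, 25)))
```

Two design points worth noting: the age rule runs after the field loop so that it can retract the birth year that the generic date rule has just emitted, and the regex scrub of free text is deliberately conservative (a reviewer still has to check narrative fields), which is one reason organisations with richer data often choose the Expert Determination method instead.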

Amanda Reese, healthcare regulatory and privacy counsel for Epic, highlighted the health grid of services that use data from Epic products across the industry, spanning from real-time prescription benefits to retail clinics, rehabilitation centers and specialty diagnostics, to name a few. Amanda spotlighted Epic’s new life sciences program, which works to unify clinical research with care delivery, matching participating providers with clinical trial opportunities and supporting clinicians with point-of-care insights and predictive modeling. Regarding HIPAA, Epic is a business associate of its U.S. customers and therefore designs its software in ways that consider privacy throughout the data life cycle. Epic works with limited data sets under data use agreements and with de-identified data through COSMOS, a program that draws on data from more than 135 million patients for research, public health and healthcare operations.

Cybersecurity in a Highly Regulated Industry

February 27, 2023
6:33 pm

The Healthcare Leadership Council hosted a webinar entitled, “Cybersecurity Playbook for Healthcare,” in conjunction with the Confidentiality Coalition. The discussion brought clarity to the current federal infrastructure around cybersecurity, existing tensions around breach notifications in the healthcare industry, and recommendations to improve cybersecurity practices within and beyond healthcare. Four speakers joined the panel:

  • Marilyn Zigmund Luke, Vice President, AHIP
  • Alicia Bowers, Senior Vice President and Enterprise Chief Privacy and Compliance Officer, Atrium Health (now part of Advocate Health)
  • Todd Greene, Vice President & Enterprise Chief Information Security Officer, Atrium Health
  • Allison Miller, Global Chief Information Security Officer and Senior Vice President for Optum, a division of UnitedHealth Group

The healthcare system is one of 17 national critical infrastructures. Because cybersecurity responsibilities stretch across federal agencies, money is allocated to various agencies to maintain cybersecurity capabilities. Within the U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) was established to receive reports from critical infrastructure sectors. The public is awaiting future regulations from CISA on how to proceed with that reporting process. The Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group identifies and mitigates systemic risks that affect patient safety, security, privacy, and national confidence in the health system.

The Problem with Breach Notifications

As healthcare is a highly regulated industry, organizations that comply with one law run the risk of violating another, because federal agencies and states have not adequately communicated with each other about the larger operational impact of what they are trying to accomplish. Conflicting laws have unintended consequences, and the burden of reporting a breach is significant. The panel noted the juxtaposition of portability and security of data: tension arises between becoming increasingly transparent and connected while protecting patient privacy and securing data.

Breach notification requires contacting both patients and the media. Patients who receive these notifications are either confused or desensitized by the mass mailings, and are generally not concerned unless their social security number was compromised. Media outlets generally go for the more sensational headline and stories are frequently reported inaccurately. Often, the primary organization is named in the breach even though the actual breach involved a business associate or vendor. It has become clear that the majority of patients take no action after a notification, and media coverage actually helps cyber criminals and plaintiff attorneys target an organization that has just been victimized. Healthcare entities are spending more resources on class action defense rather than proactive measures due to the punitive ramifications of how breach notifications are designed.

The majority of breaches are not due to negligence, and the compromised entities are victims of a crime. The “Wall of Shame”, posted by the U.S. Department of Health & Human Services Office for Civil Rights, should come down. There is stigma associated with it, and the primary organization is listed even if a vendor was breached. Healthcare is a complex industry, and multiple vendors are required to fulfill all the responsibilities that come with delivering care. Vendors should be held directly responsible, and other sectors should have the same reporting standards as healthcare.

Reduce the administrative burden and use a single reporting route instead of involving multiple agencies. Avoiding duplicative processes and tearing down commodity channels would allow sectors to communicate valuable information about cyber threats effectively and defend against them collaboratively and in a timely fashion. An additional approach to reducing the burden of unnecessary notifications is to redefine what is considered protected health information, as routinely disclosed data is easily found online outside of healthcare.

A Public Health Crisis Requires a Roadmap of Solutions

July 12, 2018
2:50 pm

It’s indisputable that the opioid addiction crisis with which America is currently grappling is one of historic magnitude.  We’re losing more than 115 people per day from opioid overdoses.  Families and communities are being devastated and public resources – healthcare, social services, law enforcement – are being stretched thin.

This is a serious problem, but it is not an insolvable one.  Recently, the Healthcare Leadership Council, working with over 70 organizations from the healthcare, employer, patient advocacy, and addiction treatment sectors, released a “Roadmap for Action” consisting of over 30 achievable, high-impact solutions to address opioid misuse and addiction.  The Roadmap is the product of several weeks of deliberations, idea sharing and consensus building and represents a collaboration of unprecedented breadth to address a national public health crisis.

The Roadmap identifies five key priorities as essential, including:

•    Improving healthcare system approaches to pain management
•    Improving current approaches to prevent opioid misuse
•    Expanding access to evidence-based substance use disorder treatment and behavioral health services
•    Promoting improved care coordination through data access and analytics
•    Developing sustainable payment systems that support coordination and quality care

This package of solutions addresses both regulatory and legislative priorities but, just as importantly, it includes actions that healthcare leaders should take.  Winning this battle will require a public-private effort.  And the recommendations we’re offering, some of which are detailed in the following paragraphs, reflect this broad-based strategy.

Health sector leaders have a responsibility to improve access to evidence-based, non-opioid and non-pharmacological pain management therapies. (It’s vital to recognize that, in taking on the opioid crisis, we cannot place obstacles between millions of Americans suffering from chronic and acute pain and the treatments they need.) Developing and evaluating these treatments will require long-term evidence generation and data collection, but their proliferation will cut costs and improve outcomes for patients in the long run.

We must also focus on improving data-driven coordinated care, and in order to do this we must create access to real-time prescribing data within the clinician workflow. Improving critical data access must also include legislative action to change a law known as 42 CFR Part 2 to allow confidential information sharing on SUD diagnosis history while still adhering to the Health Insurance Portability and Accountability Act (HIPAA). It is important that patients’ privacy be protected, but it is also vital that care providers understand their patients’ substance abuse histories if they are to provide them with the well-informed care that they need.

And we must develop sustainable payment frameworks that prioritize quality, coordinated, value-based care connecting patients with the medical resources they need, whether that be a pharmacist, primary care provider, nurse practitioner, licensed addiction treatment professional, or certified peer recovery specialist.  In fact, we must engage the full community of medical professionals in coordinated care to treat patients struggling with substance use disorder.

This is just a sample of the comprehensive, multi-faceted plan we’re going to be advancing.  No single organization, regulatory agency or legislative body can solve this crisis by themselves.  Working together, though, we have the ability to save lives and prevent tragedies.  The time for bold and decisive action is now.

Utilizing Technology to Propel Precision Medicine Forward

April 04, 2016
11:18 am

As we’ve seen, there has been a steadily increasing level of discussion and enthusiasm surrounding precision medicine.  The Healthcare Leadership Council (HLC) has remained engaged in this conversation, given the expertise and involvement of its members.  HLC hosted a briefing on Capitol Hill last April on the subject, in which Bio-Reference Laboratories, New York-Presbyterian Hospital/Columbia University Medical Center and Mayo Clinic detailed the benefits that have already been realized, and the potential that has yet to be reached.  They each shared stories of how targeted therapy transformed the lives of patients in ways that conventional medicine could not.  Although sequencing will continue to benefit from price declines and see increased usage as a result, early genetic testing has already allowed for immediate diagnosis and treatment, bypassing the costly trial-and-error approach.  Our member experts all agreed that one organization alone cannot succeed in integrating genome-based knowledge into personalized care.

Last year the Precision Medicine Initiative (PMI) was announced by the National Institutes of Health (NIH).  This year the White House hosted a PMI Summit, in which President Obama both participated and partnered with the NIH in an educational tweet chat that answered questions from the public regarding the initiative.  During this chat, NIH Director Francis Collins cited a paradox, “Only by studying populations at scale can you really understand individual differences.”  The PMI Cohort Program is currently working towards enrolling one million or more participants who reflect the diversity of our country.

Precision medicine is an area that would directly benefit from the ability to collect, store and share data electronically.  In order to see real success, harmonization of data privacy laws is a necessary next step.  Diverse state privacy regulations regarding patient information sit alongside HIPAA, adding to the complexity of sharing data in a way that would improve the quality of patient care.  Federal rules for research subjects intersect with additional privacy policies that are also burdensome to the healthcare system.  The ability to utilize data gathered from partnering facilities is an important function, and dialogue between the federal government and states is needed to ensure this is feasible across the country.  This is a field of health policy we have discussed fully in the Healthcare Leadership Council’s recently-released “Viable Options: Six Steps to Transform Healthcare Now” policy recommendations. The U.S. is on the cusp of a new era in healthcare, and the flow of health data is a crucial part of it.

The “Talk to Each Other” Challenge for Healthcare

June 30, 2015
10:36 am

There is an excellent read in the Wall Street Journal today from Susan DeVore, the President and CEO of the Premier, Inc. alliance of 3,000 community hospitals throughout the country.  (Ms. DeVore is also chairman of the Healthcare Leadership Council.)

In her WSJ piece, Ms. DeVore notes that, while other industries have made excellent use of evolving information technologies to improve customer service and strengthen cost-efficiency, healthcare has lagged behind.  Improved data sharing is essential, she writes, “to ensure the right information about the right patient is available at the right time.”  She is absolutely correct in her assertion that making this happen is a responsibility shared by the private sector and public officials.

The DeVore column is below:

SUSAN DEVORE: Imagine what Twitter would be like if you were only able to have and tweet to one follower. Or if email only worked within the four walls of your organization? Technology has made information sharing seamless and almost limitless for most people and industries. But it hasn’t reached its full potential in health care.

In health care, technology is foundational to drive change and improve the quality and value of patient care. The problem is that important health-care data cannot flow freely among the various health-information-technology systems that hospitals and health systems use. This hinders the ability for providers to connect and easily exchange information across their organizations and with other health systems.

As health systems focus on accountable care and increasingly move toward alternative payment models, the need for interoperable data across all health-information technology systems becomes critical. The ability to seamlessly pull discrete data anytime, anywhere helps to ensure the right information about the right patient is available at the right time. But today, providers are challenged with having to double check data pulled from disparate devices to make sure the information matches, such as dosing and blood sugar levels. Not only is this a step back for efficiency, but it is another manual process that has the potential to create errors and patient-safety issues.

To truly leverage health-information technology’s full potential, diverse networks and systems in health care must be able to talk to each other. To do so, we should require the use of innovative technology solutions such as open application programming interfaces (APIs) and secure third-party applications that connect the data to enable the real-time exchange of information.

Designing and implementing health-information technology that promotes collaboration among all stakeholders would create a learning health system that focuses on improving health-care quality, efficiency, safety, affordability and access. Private-public partnerships on interoperability governance, standards, measures and system transparency are essential to make this work.

A few weeks ago I was watching as my grandchildren were playing with their parents’ smartphones. At their ages, they are only interested in the bells and whistles, but in their little hands were devices probably considered impossible 10 or 15 years ago. Through innovation, ingenuity and necessity, my hope is that the challenge of interoperability becomes an obsolete concern.