Nation’s clinical informatics professionals highlight opportunities to update HIPAA in an age of digital healthcare delivery

(BETHESDA, MD) — In comments submitted today to the Department of Health & Human Services (HHS) Office of Civil Rights (OCR), the American Medical Informatics Association (AMIA) recommended that the Office ensure that HIPAA both requires and permits information-sharing upon patient and clinician request, as well as robust penalties for failing to deliver data pursuant to the patient “right of access.”

In mid-December 2018, OCR issued a Request for Information (RFI) to identify privacy and security provisions in HIPAA that may impede value-based health care or that limit or discourage coordinated care among individuals and covered entities. This RFI requested information on whether and how HIPAA could be revised to promote these goals, while preserving and protecting the privacy and security of such information and individuals’ rights to it.

AMIA applauded OCR on the “long overdue” public dialogue on the attributes of HIPAA, given the rapid digitization of healthcare delivery over the last decade. In response, AMIA identified three core problems, as they related to promoting information sharing for treatment and care coordination: (1) it takes too long for protected health information (PHI) to be shared for permitted purposes, including with patients under the right of individual access; (2) HIPAA has been misused to restrict sharing of PHI; and (3) HIPAA has been a barrier to sharing mental health data and information.

The group suggested mitigating steps, including that OCR must (1) require timely sharing of information when both the patient consents to it and a treating clinician has requested it; (2) clarify that HIPAA permits the sharing of PHI when the patient requests or instructs that their PHI be shared – regardless of whether the target of this sharing is bound by HIPAA; and (3) elevate the failure to deliver an individual “right of access” to an enforcement and penalty priority on par with data breaches.

To operationalize these steps, AMIA specifically called on OCR to:

  • Work with ONC to ensure that Certified Health IT can provide individuals a complete, electronic copy of their data as part of the HIPAA right of access;
  • Issue guidance or take more binding steps to ensure that lawful requests for PHI under “treatment” be recategorized as obligatory, not simply permissible;
  • Coordinate with the HHS OIG to develop an information blocking rule that will compel sharing of PHI for purposes of “treatment” and require Covered Entities (CEs), Business Associates (BAs), and other non-covered entities (NCEs) that manage PHI, to establish a uniform individual “right of access” policy;
  • Provide formal guidance permitting the sharing of PHI to entities outside the traditional bounds of HIPAA when directed by the individual;
  • Consider classifying genetic data at the genome scale as PHI, not simply health information, regardless of other identifying information; and
  • Revise or clarify that the use of PHI by a CE for observational, data-driven research purposes is permissible as part of HIPAA “operations.”

AMIA emphasized that to provide accountability and oversight in a paradigm that compels information-sharing, OCR should work closely with CEs and BAs to develop IT-enabled audit trails and accounting of disclosures. The group argued that robust means for understanding who was granted access to patient data and for which purpose is the “crux of the trade-off between removing providers from legal uncertainty in sharing data (e.g., force sharing through an information blocking rule or through a revised interpretation of HIPAA), while providing more accountability and oversight for those data that are shared.”

“For too long, HIPAA’s vision to provide patients access to their information has been constrained by our paper-based healthcare system,” said AMIA President and CEO Douglas B. Fridsma, MD, PhD, FACP, FACMI. “Now, we have an opportunity to ensure that this right is supported by health IT and readily available to all patients.”

AMIA recommended that a concerted effort be made at the policy level to enable individuals to access all their information maintained in a CE’s “designated record set,” as a “readily producible” function of certified EHR technology (CEHRT) capability. In support of this recommendation, AMIA pointed to its recent joint recommendation with AHIMA that policymakers modernize HIPAA by either establishing a new term, “Health Data Set,” or by revising the existing HIPAA “Designated Record Set” (DRS) definition and requiring Certified Health IT to provide the amended DRS to patients electronically in a way that enables them to use and reuse their data.

AMIA also called on OCR to coordinate any updates to HIPAA with the recently proposed information blocking rule to ensure that the policies are mutually reinforcing. This would, AMIA wrote, “compel sharing of PHI for purposes of ‘treatment’ and require CEs, BAs, and NCEs who handle PHI to deliver data pursuant to an individual’s ‘right of access.’”

“OCR should ensure that HIPAA is supported by technology that can advance our shared goals, rather than be inhibited by it,” said Fridsma.

AMIA, the leading professional association for informatics professionals, is the center of action for 5,500 informatics professionals from more than 65 countries. As the voice of the nation’s top biomedical and health informatics professionals, AMIA and its members play a leading role in assessing the effect of health innovations on health policy, and advancing the field of informatics. AMIA actively supports five domains in informatics: translational bioinformatics, clinical research informatics, clinical informatics, consumer health informatics, and public health informatics.