Patient-Centered Information Exchange: Implications for HIPAA


Chris Ingrao




Oct 7, 2020

Patient-centeredness is about to finally move from the domains of aspirational user experience and marketing buzz into reality because of the 21st Century Cures Act Final Rule (“21CCA”). The 21CCA does a few important things, including:

  • The rule is designed to give patients and their healthcare providers secure access to health information.
  • The rule includes a provision that patients can electronically access all their electronic health information (EHI) at no cost.
  • The rule implements information blocking provisions designed to prevent organizations from interfering with a patient’s ability to access, exchange, or use their EHI.

While the past 25 years of healthcare interoperability have been largely driven by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the next few decades will become a reflection of the 21CCA. While HIPAA mandated portability of protected health information, as long as individuals lacked the ability to practically take their health information with them (there weren’t smartphones or data plans in 1996), organizations needed to store and share patient information between them on an individual’s behalf. But true portability is possible in the modern era, and the 21CCA supports the idea of a patient’s ability to store and control their own health information.

A few months ago, while sharing this new pattern of patient-intermediated information exchange with a colleague, he replied, “you can’t do that because of HIPAA” and I realized how important it was to get to the bottom of that particular objection.

So, we dug in. We worked with industry-leading legal experts on HIPAA, consulted with regulatory and compliance leaders, and confirmed that HIPAA is not implicated in patient-centered information exchange. We are working on publishing a more thorough description of our findings and how the Lumedic software provides a patient-intermediated information exchange without violating HIPAA rules, but the short story is this (and it’s ridiculously simple): HIPAA provides guidance for information exchange between organizations, usually classified as either Covered Entities (i.e., a payer or provider), Business Associates (i.e., firms working on behalf of Covered Entities), or Clearinghouses. HIPAA is not implicated when exchanging information with an individual to whom that information pertains. An individual’s personal health information is not considered “protected health information” (PHI) when the individual is controlling it. This means that you and I can request, obtain, store, and share our health information without causing Covered Entities or Business Associates to violate HIPAA.

This is a very exciting time. With the passage of the 21CCA, we are finally able to deliver patient-centricity in a literal way, which has the potential to reduce administrative complexity and cost while improving an individual’s access to, and control of, their own healthcare information. And in a country where we waste hundreds of billions of dollars per year in healthcare administration, and still confuse and frustrate patients, it’s a good time for a change.
