Chris Ingrao




Oct 7, 2020

Patient-Centered Information Exchange: Implications for HIPAA

Patient-centeredness is about to finally move from the domains of aspirational user experience and marketing buzz into reality because of the 21st Century Cures Act Final Rule (“21CCA”). The 21CCA does a few important things, including:

  • The rule is designed to give patients and their healthcare providers secure access to health information.
  • The rule includes a provision that patients can electronically access all their electronic health information (EHI) at no cost.
  • The rule implements information blocking provisions designed to prevent organizations from interfering with a patient’s ability to access, exchange, or use their EHI.

While the past 25 years of healthcare interoperability have been largely driven by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the next few decades will become a reflection of the 21CCA. While HIPAA mandated portability of protected health information, as long as individuals lacked the ability to practically take their health information with them (there weren’t smartphones or data plans in 1996), organizations needed to store and share patient information between them on an individual’s behalf. But true portability is possible in the modern era, and the 21CCA supports the idea of a patient’s ability to store and control their own health information.

A few months ago, while sharing this new pattern of patient-intermediated information exchange with a colleague, he replied, “you can’t do that because of HIPAA” and I realized how important it was to get to the bottom of that particular objection.

So, we dug in. We worked with industry-leading legal experts on HIPAA, consulted with regulatory and compliance leaders, and confirmed that HIPAA is not implicated in patient-centered information exchange. We are working on publishing a more thorough description of our findings and how the Lumedic software provides a patient-intermediated information exchange without violating HIPAA rules, but the short story is this (and it’s ridiculously simple): HIPAA provides guidance for information exchange between organizations, usually classified as either Covered Entities (i.e., a payer or provider), Business Associates (i.e., firms working on behalf of Covered Entities), or Clearinghouses. HIPAA is not implicated when exchanging information with an individual to whom that information pertains. An individual’s personal health information is not considered “protected health information” (PHI) when the individual is controlling it. This means that you and I can request, obtain, store, and share our health information without causing Covered Entities or Business Associates to violate HIPAA.

This is a very exciting time. With the passage of the 21CCA, we are finally able to deliver patient-centricity in a literal way, which has the potential to reduce administrative complexity and cost while improving an individual’s access to, and control of, their own healthcare information. And in a country where we waste hundreds of billions of dollars per year in healthcare administration, and still confuse and frustrate patients, it’s a good time for a change.
