Healthcare IT Consulting Infinavate Texas

HIPAA Compliance: How Privacy Laws Shape Healthcare IT Innovation

The Health Insurance Portability and Accountability Act (HIPAA), through its Privacy and Security Rules, protects individuals’ medical records and other personal health information. Though HIPAA was enacted more than 20 years ago, when healthcare technology looked very different, much of its original language remains unaltered. 

Despite the changing technological landscape, HIPAA still covers a great number of diverse scenarios. Whether a hospital is maintaining paper-based patient records or transferring information electronically, the purpose of HIPAA remains the same as it did in 1996.

However, some argue that HIPAA regulations have not kept pace with technological developments. Rafael J. Grossmann, MD, clinical advisor at Magic Leap, explains that HIPAA regulations are very strict and often an obstacle to implementing new digital health solutions. “Anyone who wants to come up with a solution that will eventually have a real effect needs to address HIPAA and the safety of the patient data very carefully,” Grossmann says. 

Still, HIPAA continues to determine the trajectory of digital transformation in American healthcare. In this article, we explore where HIPAA is causing headaches, and what solutions are emerging. 

Specific Trends and Challenges

Digital transformation in healthcare means putting technology at the center of all operations. This paradigm shift is disrupting long-standing practices with new processes that are continually evolving.

The ultimate goal is a synchronization of all patient and provider touchpoints. “From search-to-surgery; websites, call center, registration, consultation, billing, admission, inpatient services, pharmacy, cafeteria, discharge and post-discharge follow-ups, and the entire journey has to be taken into account while strategizing towards digital transformation,” explains digital strategist Richard Roy Mendonce.

In 2019, we witnessed a few disruptive healthcare technologies make progress. Unsurprisingly, HIPAA proved to be a challenge for each.

Wearables and Remote Patient Monitoring 

Wearable technology is a rapidly growing market that includes both consumer devices like fitness monitors and medically oriented devices like mobile ECGs. Juniper Research forecasts that 5 million individuals will be remotely monitored by healthcare providers by 2023.

“Both wearable data and voice assistants show promise in passively collecting data that patients previously had to report in a manual mode,” Laura Lovett writes at Mobile Health News. “This could help with both accuracy and ease in studies.”

While there is the potential to improve one’s health with such devices, there are also major privacy concerns. Forbes contributor Mary Meehan is just one of many people with privacy-related questions for the wearables industry. “Our wearables are collecting loads of health-related data on us. Who owns that data? And now that Google has bought Fitbit, what’s that going to mean for privacy?”

HIPAA applies to covered entities (healthcare providers, health plans and healthcare clearinghouses) and to their business associates, the vendors that create, receive, store or transmit protected health information on a covered entity’s behalf. Data gathered via wearables does not always fall under HIPAA’s privacy and security rules. If a person buys a Fitbit and uses it on their own to track steps taken per day, calories consumed and heart rate, that data is not protected under HIPAA, because no covered entity or business associate is involved. The same data becomes protected health information the moment it flows into a provider’s systems or through a vendor working for one. 

Jack Murtha interviewed HIPAA compliance officer Nicholas Heesters to help explain the nuances of wearable tech and privacy. Heesters encourages us to consider the following situation: 

“At the direction of a healthcare provider, a patient downloads a smartwatch app that monitors health data points that are then integrated into an electronic health record. The app developer or marketer, meanwhile, is receiving money from the provider for the digital service. In that case, the developer is generating, collecting, storing and sharing data on behalf of a covered entity — and, as a business associate, it must abide by HIPAA.”

In short, any healthcare provider using wearables to collect and transmit data must protect that data, and must make sure the app or device vendor handling it is under a business associate agreement. If they fail to do so, they risk a HIPAA violation. As a reminder of just how severe those penalties can be, civil penalties range from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision (figures that HHS periodically adjusts for inflation), and a breach of unsecured data also triggers notification obligations.

Virtual Health and Telehealth

Physician adoption of telehealth increased 340 percent from 2015 to 2018, according to American Well’s Telehealth Index: 2019 Physician Survey. Additionally, 69 percent of physicians indicated a willingness to try telehealth. The survey estimates that by 2022 as many as 590,000 physicians will be using telehealth.  

Doctors now communicate with patients using email, phone and webcams. In addition to patient communication, physicians are also communicating with each other for easier collaboration and more informed decisions. It is increasingly important to pay attention to how secure those lines of communication are: the Security Rule’s transmission security standard requires covered entities to guard electronic PHI in transit, and ordinary email and text messaging provide no encryption of message content by default. 

Timothy M. Hale, Ph.D., and Joseph C. Kvedar, MD, explain that the primary security risk in telehealth is unauthorized access to data during collection, transmission or storage. Every transfer is a potential point of breach. Hale and Kvedar argue that, despite efforts to create secure devices and apps, many still contain serious flaws, and hackers and malware pose a growing threat to the security of telehealth systems. Practitioners should therefore treat each hop (the patient’s device, the network, the provider’s storage and any vendor in between) as a separate control point to assess.

Contact Infinavate IT Consulting for more details on protecting your business against cyber attacks.
