Understanding the Role of HIPAA in Healthcare Innovation

As the healthcare industry has transformed throughout the years, the use of healthcare data has evolved as well. The Healthcare Leadership Council recently hosted a webinar entitled “The Past, Present, and Future of Health Privacy Policy,” featuring a panel of legal experts who provided a glimpse into how privacy laws play a role in conducting research and collecting mass amounts of data for purposes such as predictive analytics.

Erin Geygan, senior privacy counsel at Johnson & Johnson, explained that the organization is comprised of three segments – pharmaceutical, medtech and consumer health – which have invested $14.6 billion in research and development. Johnson & Johnson’s data privacy and security program identifies federal, state and global requirements around accountability and innovation, cybersecurity included. Erin noted the lack of harmonization with state laws on medical information privacy and other federal laws governing health information outside the scope of the Health Insurance Portability and Accountability Act (HIPAA). She also discussed the need to address the challenges facing data sharing for innovation, such as technical restraints, intellectual property risks and exclusive access. Johnson & Johnson believes that public policy on data privacy and protection should seek to provide appropriate protection and empowerment to consumers and patients while also ensuring that innovation and the provision of healthcare products and services are not impaired.

Jessica Kelly, legal counsel at Mayo Clinic, focused on the intersection of research and privacy and confidentiality. The road to research begins with preparatory activities such as recruitment, where data is needed to determine potential candidates for a possible study. Contacting those candidates for enrollment involves use of protected health information (PHI). She went into detail regarding authorizations to use PHI for current and future research as well as the use of waivers of authorization, which can be provided by institutional review boards when consent has not been obtained from the individuals and there is minimal risk to the privacy of those individuals. In closing, Jessica described two methods to achieve de-identification of PHI in accordance with the HIPAA Privacy Rule. Once the numerous identifiers have been removed from the data, it is no longer subject to HIPAA.

Amanda Reese, healthcare regulatory and privacy counsel for Epic, highlighted the health grid of services that use data from Epic products across the industry, spanning from real-time prescription benefits to retail clinics, rehabilitation centers and specialty diagnostics, just to name a few. Amanda spotlighted Epic’s new life sciences program, which is working to unify clinical research with care delivery, matching participating providers with clinical trial opportunities and supporting clinicians with point-of-care insights and predictive modeling. Regarding HIPAA, Epic is a business associate of its U.S. customers and therefore designs its software in ways that consider privacy throughout the data life cycle. Epic works with limited data sets per data use agreements and de-identified data through COSMOS, which is a program that involves data from more than 135 million patients used for research, public health and healthcare operations.