Hacking HIPAA

Join me in attacking an endemic problem in health care today by Hacking HIPAA. I am crowdfunding the development of a new legal form to be used on and after September 23, 2013 to allow patients to opt-in to easier health care communications – a Common Notice of Privacy Practices that is patient-focused. (Text me, please! Email me, please! etc.)

Depending on how much support this project garners, we can attack some related problems as well. Contributions at any level are welcome; contributions at the levels designated on the Hacking HIPAA Medstartr page get you a seat at the virtual table, voicing your concerns that need to be met in the CNPP and in follow-on projects.

I’m working on this project with two leading health care open source software developers, Ian Eslick and Fred Trotter. Check out Fred’s video intro to the project on the Medstartr page – you can find Ian and Fred online via the links on the project page, too.

Here’s an excerpt from the crowdfunding project page:

The Problem

Right now we have the worst of all worlds with regard to patient privacy in healthcare. Patients are frequently subject to sub-standard security and privacy practices AND healthcare innovators are unable to deliver solutions that would be useful to patients because their technical approaches are uncomfortably novel for health care bureaucrats. Patients end up getting poor security and no innovation, the worst of all options. This problem is going to get worse before it gets better, since the new Omnibus HIPAA Rule will make cloud hosting of health care projects untenable very soon.

How to Solve it

We need a way to provide meaningful privacy choices to patients, while enabling technical innovators to offer services using modern technical infrastructures. In order to do that, we need to hack the document that dictates the core relationship between patients, clinicians and innovators. That document is the Notice of Privacy Practices (“NPP”) that patients sign when they first start engaging with a particular provider.

Our Project to Deliver a Solution

The goal of this project is to fund the creation of a universally accepted NPP for health care providers to share with patients — one that recognizes current realities of data storage and transfer, explains these realities to patients, and obtains their consent to use, transmit and store data in a private and secure manner using cloud storage and computing, secure email, email, two-way video systems and text messaging. These are all standard technology approaches that patients use to work with their own health care data every day. But regulatory compliance makes it difficult for them to connect with their doctors using these technologies. HIPAA and the HITECH Act — the Federal health data privacy and security laws — govern the use, transmission and storage of personally identifiable health data, and define the parameters for the NPP. However, there is no standard form NPP in use. This means that technologists have to adapt to a plethora of scenarios created by multiple NPPs, none of which is drafted with technical requirements in mind. The law of unintended consequences yields problems for patients and providers as a result of this technology blind spot.

The CNPP will be delivered to project supporters at the $1000 level or above before the Omnibus HIPAA Rule compliance date (September 23). It will be made available under a Creative Commons license on or about November 1, 2013.

I encourage you to read the rest of the Hacking HIPAA project description, and to support this project.

Any comments or questions – please use the comments section on the project page.

Finally, please share this post liberally with anyone who may be interested in this issue and may be interested in supporting our efforts to Hack HIPAA.

David Harlow writes at HealthBlawg, a nationally-recognized health care law and policy blog, where this post first appeared. He is an attorney and lectures extensively on health law topics to attorneys and to health care providers. Prior to entering private practice, he served as Deputy General Counsel of the Massachusetts Department of Public Health.

2 replies

  1. Very interesting project. I’ve shared this out with several individuals and look forward to seeing how the project goes.

  2. Excellent and informative post. This is a great idea.
    Can you tell us a little bit more about how the HIPAA rule changes for the cloud are going to affect people? I don’t think people understand this is coming…