Navigating the Complex Healthcare Data Sharing Landscape: Balancing HIPAA Compliance and Information Blocking 

Updated on February 27, 2024

They say that no good deed goes unpunished, and those focused on interoperability in health care are struggling to balance when, how, and why to facilitate the flow of data. After decades of focusing on protecting patient privacy, leaders leaning too heavily on the Health Insurance Portability and Accountability Act (HIPAA) could soon face consequences for information blocking.  

HIPAA, enacted in 1996, sets the standard for the protection of patient information and provides individuals with certain rights regarding their health information. Compliance with HIPAA is non-negotiable for healthcare entities, as violations can lead to severe consequences, including hefty fines, damage to reputation, and even investigation by the Department of Justice. 

It’s enough to make anyone lock down their data and prevent the release of any information. But that’s not a good idea, either. The 21st Century Cures Act, passed in 2016, aims to eliminate information blocking and promote interoperability among health information technologies. Failure to comply with these regulations can also result in penalties and legal repercussions. 

That leaves leaders at health plans, providers, and digital health companies with the responsibility of balancing the exposure and risk of sharing the right information in the right ways. 

The Conflict: Patient Privacy vS Information Blocking 

The conflict between HIPAA’s emphasis on restricting information and interoperability’s goal of promoting information sharing can pose a real challenge. HIPAA’s primary focus is on limiting access to patient data to authorized individuals, ensuring the privacy and security of sensitive health information. In contrast, interoperability aims to break down data silos and facilitate seamless information exchange for better-coordinated patient care. 

Earlier this year, the US Department of Health and Human Services (HHS) proposed new rules to disincentivize information blocking. The proposed consequences for information blocking by the US Department of Health and Human Services include imposing substantial fines on healthcare entities found guilty of obstructing the exchange of electronic health information.  

Additionally, there may be legal actions taken against organizations that engage in practices hindering interoperability, reflecting a commitment to enforcing penalties that align with the severity of such violations. 

These proposals increase the stakes for hospitals thinking through their data infrastructure strategies. We’ve pulled together some ideas for those looking to increase data flows between organizations. 

Strategies for Striking the Balance: 

1. Granular Consent Mechanisms: 

Implementing granular consent mechanisms allows patients to control the level of detail shared with different entities. This aligns with HIPAA’s emphasis on patient autonomy while facilitating necessary information sharing for improved care coordination. 

2. Role-Based Access Controls: 

Utilize role-based access controls to ensure that only authorized individuals within an organization have access to specific types of patient information. This supports interoperability within the organization while maintaining compliance with HIPAA’s minimum necessary standard. 

3. Secure Cloud-Based Platforms: 

Invest in secure cloud-based platforms that facilitate interoperability while ensuring encryption and other security measures to protect data during transmission. These platforms help healthcare entities strike a balance between sharing information and adhering to HIPAA standards. 

4. Transparent Communication with Patients: 

Engage in transparent communication with patients about the benefits of interoperability, assuring them that information exchange is conducted with their privacy and security in mind. Building trust through open communication addresses concerns related to HIPAA compliance.  What about patient consent and management of access?  Allow patients to control who has access to their data. 

5. Standardization of Data Formats: 

Embrace standardized data formats and interoperability standards, such as Fast Healthcare Interoperability Resources (FHIR). This promotes consistency in data exchange while allowing healthcare entities to maintain control over how information is shared and accessed. 

6. Regular Audits and Monitoring: 

Conduct regular audits and monitoring of data access to identify and address potential HIPAA violations or information blocking practices. Proactive oversight ensures that the delicate balance between security and interoperability is maintained. 

Striking the right balance requires continuous vigilance and a commitment to providing high-quality, secure, and interoperable patient care. By navigating this terrain effectively, healthcare entities can ensure compliance with regulatory requirements while harnessing the benefits of improved information exchange for the betterment of patient outcomes. 

Meghan Quint
Meghan Quint
Founder at Opala

Meghan Quint, PhD is a founder of Opala, a health data management platform for interoperability and real-time data integration. She also currently chairs the board of trustees at Cascadia College outside Seattle, WA. Dr. Quint has a PhD in Organizational Psychology with expertise in organizational effectiveness, leadership decision making, and change management. She is a champion for inclusion at work and lifelong learning for all.