by Graham Barnes

July 2013 – In March, as required by the HITECH Act of 2009, enacted as part of ARRA (American Recovery and Reinvestment Act), the DHHS (Department of Health and Human Services) finalized the rules for HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security compliance and breach notification. Covered entities and their business associates now have until September 23, 2013 to comply with all 563 pages of the new HIPAA rules, at an estimated total cost of $110-$225M. The extension of these complex rules (and their direct regulation by the DHHS) to the much wider scope of business associates and their subcontractors has many people worried. How can they possibly comply with all the requirements, the documentation, and the corresponding federal audit liability? Business associate agreements, terms of use, privacy statements and compliance policies are just the first items that will need to be reviewed and updated by anyone involved in HIT (healthcare information technology).

Many believe that HIPAA has restricted healthcare information sharing, rather than being the promoter of information sharing that it was originally intended to be when it was enacted in 1996. HIPAA standards for security and privacy of healthcare data are defined in the Code of Federal Regulations 45 CFR Parts 160 and 164. The majority of these standards deal with the process for managing the security and privacy infrastructure. This infrastructure includes the full suite of security measures and organizational compliance procedures, beyond merely the encryption of electronic protected health information (PHI). Electronic PHI is defined as individually identifiable health information including demographic information, health conditions, healthcare service delivery and payment for care.

HIPAA compliance is quite similar to an ISO 9000 certification program. Organizations begin with a risk analysis, then manage the disclosure process as authorized for specific uses under contracts to provide care, with tracking and review of activities (e.g. audit logs, access and tracking/monitoring); finally, security reports and workforce reviews are implemented to ensure compliance with all the Federal requirements, and of course appropriate response to breaches.

In the face of this looming challenge, we have seen an understandable tendency by healthcare CIOs to want to lock down as much disclosure and data sharing as possible. Patients are generally neither interested in owning nor in managing their own healthcare data – especially the most vulnerable such as the elderly and those with multiple chronic conditions. Interestingly, HIPAA bypasses the whole murky issue of who owns the data. The real issue has correctly become the process of disclosure or sharing of PHI data outside the entity that is holding the information.

This tendency is music to the ears of large HIT software providers with expensive, closed integrated solutions. Healthcare data disclosure – or lack of it – can effectively lock patients into payer and provider networks. For many patients, the convenience of selecting an out-of-network provider, even one with potential cost and quality benefits, can be outweighed by the daunting challenge of gaining access to their records and treatment history.

However, there are real issues with these closed platforms. For example, because the complete patient record is not always available, care coordination issues are still widespread. So, despite the difficulty of measuring the ROI (return on investment) of open HIT systems, a significant volume of emerging evidence of the benefits of data sharing is fueling the trend towards open systems, especially under health reform. In fact, interoperability for EHRs (electronic health records) is the theme of Stage 2 Meaningful Use, and the ONC (Office of the National Coordinator for Health IT) has just released the governance framework for HIEs (Health Information Exchanges). Worldwide, a growing number of physicians are using EHRs and HIEs.

Open data is a fundamental enabler of innovation, and examples abound, not just in healthcare. Big data services are helping both commercial and Medicare ACOs with population health management; hospital systems and IDNs are starting to share digestible information with providers in real time at the point of care to improve the health and outcomes of individual patients and reduce errors; patient portals are engaging and empowering patients to share their electronic records with providers and control access to their medical histories; and remote patient monitoring devices in the home are being connected to data platforms hosted in the cloud.

So, we should be looking for significant developments in healthcare data sharing. A granular, permission-based data sharing capability should form the core of a robust and open HIT system, together with a HIPAA-compliant disclosure infrastructure. HIPAA sets forth a comprehensive framework to facilitate the sharing of healthcare data. Without it, HIT systems will remain closed and insular, either dragging the current burden of double manual entry of data into every new application – or forcing providers to continue their reliance on big vendors and expensive, integrated systems.
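The "granular, permission-based data sharing capability" called for above can be made concrete. The following is an added illustration, not code from the article or from any product mentioned in it: a small disclosure gate in which a patient's consent grant names the grantee, the purpose of use and the PHI categories it covers, every release is filtered down to the authorized categories (the "minimum necessary" idea), and each decision, granted or denied, is written to an append-only audit trail of the kind a HIPAA review would look for. The category taxonomy, the `ConsentGrant`/`DisclosureGate` names and the sample record are all constructed assumptions.

```python
"""Added example: consent-scoped PHI disclosure with an audit trail (hypothetical)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed taxonomy: the PHI categories a patient can authorize separately.
PHI_CATEGORIES = frozenset({"demographics", "conditions", "encounters", "billing"})

# Constructed sample record; values are placeholders, not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-001",
    "demographics": {"name": "Jane Example", "dob": "1950-01-01"},
    "conditions": ["hypertension", "type 2 diabetes"],
    "encounters": ["2013-05-02 clinic visit", "2013-06-14 telehealth"],
    "billing": {"payer": "Example Health Plan", "last_claim": "2013-06-14"},
}
REFERENCE_TIME = datetime(2013, 7, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentGrant:
    """One patient authorization: who may receive which categories, for what purpose, until when."""
    patient_id: str
    grantee: str            # receiving organization or provider
    purpose: str            # e.g. "treatment", "payment", "operations"
    categories: frozenset   # subset of PHI_CATEGORIES
    expires: datetime


@dataclass(frozen=True)
class AuditEntry:
    """Immutable record of one disclosure decision."""
    at: datetime
    patient_id: str
    grantee: str
    purpose: str
    outcome: str            # "disclosed" or "denied"
    disclosed: tuple        # categories actually released
    withheld: tuple         # categories requested but not authorized


class DisclosureGate:
    def __init__(self):
        self._grants = []
        self._audit = []    # append-only; exposed read-only via audit_trail()

    def add_grant(self, grant):
        unknown = grant.categories - PHI_CATEGORIES
        if unknown:
            raise ValueError(f"unknown PHI categories: {sorted(unknown)}")
        self._grants.append(grant)

    def _authorized(self, patient_id, grantee, purpose, now):
        # Union of categories from every unexpired grant matching this request.
        allowed = set()
        for g in self._grants:
            if (g.patient_id == patient_id and g.grantee == grantee
                    and g.purpose == purpose and now < g.expires):
                allowed |= g.categories
        return allowed

    def disclose(self, record, grantee, purpose, requested, now=None):
        """Return (outcome, payload, withheld). The payload never exceeds what is authorized."""
        now = now or datetime.now(timezone.utc)
        requested = set(requested)
        allowed = self._authorized(record["patient_id"], grantee, purpose, now)
        released = requested & allowed
        withheld = requested - allowed
        outcome = "disclosed" if released else "denied"
        # Log before returning so a denied request is still traceable.
        self._audit.append(AuditEntry(now, record["patient_id"], grantee, purpose,
                                      outcome, tuple(sorted(released)), tuple(sorted(withheld))))
        payload = {c: record[c] for c in released if c in record}
        return outcome, payload, sorted(withheld)

    def audit_trail(self):
        return tuple(self._audit)


def demo():
    """Three requests against one grant: partial release, wrong grantee, expired grant."""
    gate = DisclosureGate()
    gate.add_grant(ConsentGrant("P-001", "clinic-A", "treatment",
                                frozenset({"demographics", "conditions"}),
                                REFERENCE_TIME + timedelta(days=30)))
    o1, p1, w1 = gate.disclose(SAMPLE_RECORD, "clinic-A", "treatment", PHI_CATEGORIES, REFERENCE_TIME)
    o2, p2, _ = gate.disclose(SAMPLE_RECORD, "clinic-B", "treatment", {"conditions"}, REFERENCE_TIME)
    o3, _, _ = gate.disclose(SAMPLE_RECORD, "clinic-A", "treatment", {"conditions"},
                             REFERENCE_TIME + timedelta(days=31))
    return {
        "first": (o1, sorted(p1), w1),
        "other_grantee": (o2, p2),
        "expired": o3,
        "audit_entries": len(gate.audit_trail()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the design is that authorization is evaluated per category rather than per record, so the same record can be released to a care coordinator with billing withheld and to a payer with clinical detail withheld, and the audit trail records both what left the system and what was requested but refused.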

About the Author

Graham Barnes is an effective and entrepreneurial CEO. He has been the successful CEO of three VC-funded companies, which included high-growth, multiple-Inc. 500 service provider companies, in healthcare and telecommunications, all with successful exits. Most recently, Graham was CEO of HealthyCircles, a cloud-based, HIPAA-compliant care coordination platform that was acquired by Qualcomm Life in April 2013. Before HealthyCircles, he was CEO of Concerro, Inc., a SaaS hospital staffing service provider, which was acquired by API Healthcare / Francisco Partners in 2012. Prior to that, he was CEO and founder of NextWeb, Inc., the largest broadband wireless provider for business, acquired by Covad Communications in 2006. Graham has a BSEE from Imperial College in London and an MBA from Santa Clara University, was an Ernst & Young Entrepreneur of the Year Northern California Finalist in 2005, and has passed the ACHE Board of Governors exam.

Graham is also a former publicly elected School Board officer, a nationally competitive rower and an enthusiastic climber. For further details, please visit or the LinkedIn profile
