constantly experiencing innovation, regulations can quickly become outdated and either prevent the adoption of technologies or no longer address the actual concerns that arguably should be regulated. For example, the primary federal healthcare privacy law, the Health Insurance Portability and Accountability Act (HIPAA), was initially enacted in 1996, and its privacy rule’s effective date was 2003. Even the more recent Health Information Technology for Economic and Clinical Health Act (HITECH Act), incentivizing the adoption and meaningful use of electronic health records (EHR) and outlining certain privacy and usage principles associated with such records, is now a decade old. Similarly, most state laws also remain relatively static or struggle to keep up with these rapid changes. Massachusetts last updated its state law governing healthcare privacy and disclosure more than a decade ago, in 2008. Existing laws may have requirements that do not account for recent technologies such as telemedicine, or that create regulatory barriers to their deployment. They may also fail to deal with emerging technological changes that could contribute to the retention, storage, or transfer of data in more secure ways, such as cloud computing and possibly, one day, blockchain.
In some cases, the pacing problem can be a pacing benefit for innovation by allowing it to emerge faster than it can be regulated away; but in other cases, outdated regulations may prevent innovations like telemedicine from becoming more widely adopted or deter innovators from pursuing certain opportunities or applications for promising technologies. In telemedicine, this can include limitations that prevent televisits with a provider who has not been previously seen in person, or that require a nurse to be present during televisits. Such burdens can not only discourage the use of telemedicine, but also keep it from being available to any patient, anytime, anywhere.
Policymakers should consider whether additional security requirements are necessary for new health innovations, such as telemedicine. In fact, in some cases, rather than expanding existing regulations to new technologies, policymakers may want to consider whether the old regulations are necessary for currently regulated entities as well. They should also consider how new and old requirements might be able to evolve along with the technology.
The Importance of Precise Definitions and Limiting Unintended Consequences
Most people consider health information, such as information about which medications they take, to be particularly sensitive information and would often be willing to pay a price or make tradeoffs to maintain the security and privacy of such information. Health information is shared in burgeoning technologies, such as fitness apps, social media support groups, and telemedicine. In an environment where data is increasingly omnipresent, it is necessary to be precise about both data and covered entities. Such precision helps ensure that regulations do not frustrate consumer expectations or impede the intended purpose for sharing the information.
In general, existing laws narrowly establish which entities are covered by regulatory requirements. In Massachusetts, for example, hospitals and medical offices are subject to the privacy requirements for PHI and EHR, but the privacy requirements do not apply to the doctors directly. If expansion of these covered entities is necessary to ensure parity in security and privacy for online providers, it should be done carefully and precisely to reflect those providers that are similarly situated.