Changes to the Health Insurance Portability and Accountability Act (HIPAA) that would reduce unnecessary barriers to medical record sharing are long overdue. It is critical, however, that these changes are implemented in a way that facilitates data-driven healthcare innovation while at the same time strengthening privacy and security protections. Quite simply, HIPAA needs to be updated in order to meet the needs of 21st century healthcare.

Why we need a HIPAA for the 21st century

The whistleblower who leaked the Google project with Ascension created a tectonic shockwave through the healthcare world. With this announcement, the public learned how private entities are using their healthcare data for their own motives.

However, despite the uproar, Google’s use of sensitive medical records is likely permissible under the current healthcare privacy law known as HIPAA. This Clinton-era legislation was signed into law in 1996.

Under this law, copies of patient records are shared freely among clinics, hospitals, health insurance plans, pharmaceutical developers, and life science companies to perform a wide array of activities unbeknownst to patients.

We will surely see more partnerships like Google and Ascension’s in the future. Digital medical data is very valuable to mine for new treatments and insights for better care.

But we need to balance data privacy, security, and ownership rights against the enormous benefits gained from this real-world clinical data. We need HIPAA for the 21st century.

Who uses the data and for what purposes?

Under HIPAA, there are covered entities (e.g. health plans and providers) and their business associates. The latter are defined as organizations that assist with tasks related to treatment, payment, or quality-related activities.

Some business associates gain access to medical records to help covered entities determine proper reimbursement. Others use them to coordinate, manage, measure, and deliver care.

For these activities, multiple copies of patient records, both fully identified and de-identified, are used, analyzed, and stored electronically by companies.

Healthcare data has been shared in this manner with covered entities under HIPAA for decades. But not until recently did any of these entities have the kind of wide reach and computing power of Google, Microsoft, or Amazon.

More importantly, who controls the data?

Big tech companies already hold lots of other sensitive data about consumers collected from apps, devices, and websites. This data can then be cross-referenced with other types of information for marketing purposes.

Imagine a world in which Google has access to your search history, emails, purchase history, whereabouts, exercise patterns, habits, friends, preferences, and now your medical records. What might they do with all this information?

The answer is unclear, but patients may not have much recourse to stop it under the current privacy law.

Patients who seek care at a doctor’s office or hospital routinely sign complicated forms that authorize the sharing of their data. This paperwork appears to patients to be required in order to get care. Therefore, few, if any, patients refuse to sign them.

As a result, patients allow companies to access their healthcare data without understanding who is using it for what purpose. Effectively, the gatekeepers of healthcare data are not the patients themselves but the providers, hospitals, and health insurance plans that hold the information.

What if you want access to your own healthcare data?

Meanwhile, if an individual patient wants access to their own healthcare data, it is not easy. They must go through expensive and time-consuming hurdles to gather, store, and update medical records from each facility they’ve visited for care.

The patient is often missing information—and so are their clinicians, which puts them at a disadvantage. Unfortunately, there are incentives to keep these data silos in place.

Even though there are some interoperability standards for data sharing and requirements for electronic record systems to be able to send records to other systems, they are not widely followed. This puts patients at risk just as much as sharing their data with outside organizations for ambiguous business purposes.

HIPAA in the age of digital health

We are now living in the age of digital health. Increasingly, healthcare is being delivered with the aid of remote monitoring devices, wearables, smartphones, and other connected devices.

All these instruments create, transmit, and store large amounts of data. When these data are combined with electronic health records and genetic information, a very rich health profile for an individual can be assembled.

If these profiles are combined into large data sets, researchers can discover new therapies and treatments. They can also learn what works in specific populations and even run virtual clinical trials.

The FDA is a proponent of using these types of data for studies of drugs and devices both before and after approval. But there is no provision under HIPAA that allows for fully-identified medical records to be shared for research purposes.

Medical records stripped of personal health information, such as name and address, could be shared and used by non-covered entities. But even with such de-identified charts, there are proven ways to unmask the patient identity related to a given record. In this case, it is preferred for researchers, academic institutions, or companies to obtain explicit patient approval.

HIPAA needs to be updated to meet the needs of the 21st century

HIPAA is long overdue for an update to enable medical record sharing for healthcare innovation while strengthening privacy and security protections. Access to patient records should be limited to care providers or health plans for specific purposes–treatment, care management, or payment decisions–as is the case under current law.

If these covered entities want to engage vendors and service providers to assist with these activities, then the information should be carefully monitored with respect to access, use, and storage under specific rules of engagement. Individuals should have the ability to obtain a copy of their data retrieved by health plans or providers from their systems to support activities.

The next generation of HIPAA should govern the safe and effective use of patient data for research purposes. The research and life science industry should not have to rely on data shared by healthcare organizations for their own enrichment.

If healthcare consumers could have easier access to their own data, they could choose to share it more widely. For example, they might elect to share with Google or Amazon, or any number of big tech or life sciences companies to enable new discoveries. They could also help facilitate truly personalized care as a result of data-driven insights.

The bottom line

Digital healthcare data holds answers to lots of questions about diagnosis, treatment and care delivery. We need to create a regulatory regime that safeguards sensitive information while enabling data availability to unlock innovation.




Six-year-old Caleb Sears died after receiving anesthesia for a dental procedure. The oral surgeon was busy operating when Caleb stopped breathing. He was unable to place a breathing tube so that Caleb’s brain could get the oxygen it needed.

After Caleb’s death, his family, determined that no other family should have to experience such a devastating loss, worked with the California Legislature to create Caleb’s Law. The original version of the bill would have required:

“all oral surgeons and dentists performing deep sedation or general anesthesia on minors in California have a licensed anesthesiologist or certified registered nurse anesthetist present during the procedure, whose sole role is to monitor the patient.”

As often happens, the law was weakened during the legislative process, but a modified version was signed into law and became effective in California as of Jan 1, 2017. It updated the adverse event data collection, instituted a disclosure that anesthesia in dentistry is practiced differently than in medicine, and asked that the California dental board do a study on the safety for children undergoing anesthesia in dentistry and make recommendations to improve safety.

What has happened since then?

The complete Dental Board met last December and discussed the study and proposed recommendations. One of the recommendations they voted to approve required, for children under age seven undergoing deep sedation or general anesthesia, that there always be a dedicated qualified anesthesia provider who is tasked with the administration and monitoring of the patient through the recovery period.

This anesthesia provider could be another qualified anesthesia-trained dentist, a physician anesthesiologist, or a certified nurse anesthetist. Other recommendations were a requirement that capnography be used to continually monitor the level of CO2 in the child’s blood, a sensitive indicator of whether there is adequate ventilation of the body. The Board also recommended that dentists who want to maintain a permit to sedate children to the deepest levels of sedation should perform a certain number of sedations on young children each year to remain active.

A bill to codify these Dental Board recommendations was introduced by Assembly Member Thurmond this year for legislative session 2017. This bill was sponsored by the American Academy of Pediatrics, CA (AAP-CA) and supported by the California Society of Anesthesiologists and the American Society of Dentist Anesthesiologists.

Simultaneously, the dental lobby, led by the California Association of Oral and Maxillofacial Surgeons, introduced a competing bill that they claimed codified “some” of the recommendations. Notably, the dental lobby’s bill did not require a separate trained anesthesia provider to monitor children, even for the highest risk and youngest patients, ages 0 to 6 years old. Their bill and current practice would continue to allow for an unlicensed dental assistant to monitor patients of all ages.

The dental assistant has many important jobs in the dental office but is not qualified to monitor patients undergoing deep sedation and general anesthesia. A dental assistant likely does not have any formal physiology education and sometimes their formal education stops at high school. They cannot interpret an EKG, recognize when there is an issue arising, or even help to rescue a patient from a pending disaster.

Anesthesia providers know that things can and do happen when people are given anesthesia drugs. Many studies have continued to show that the ability to recognize and to respond to an emerging disaster is the crucial skill needed to avoid adverse outcomes. This is why anesthesia experts throughout the country are pushing so hard to have anesthesia-trained individuals monitoring children undergoing deep sedation and general anesthesia in dental offices.

Although the AAP-CA sponsored bill codified what the Dental Board of California recommended, the dental lobby successfully prevented the bill from passing this legislative session. It will be up for reconsideration again next year. The dentists’ resistance to the bill stems completely from the requirement for a separate anesthesia-trained provider to be required for patients of any age. They claim that having this dedicated trained monitor would not prevent bad outcomes. But, anesthesia experts disagree.

The American Society of Anesthesiologists (ASA), which establishes the standards of the medical practice of anesthesiology, says in its Standards for Basic Anesthetic Monitoring that:

“Qualified anesthesia personnel shall be present in the room throughout the conduct of all general anesthetics, regional anesthetics, and monitored anesthesia care.”


The “Catch 22”

The dentists’ claims rest on the lack of data to support making the change. However, and this is the Catch 22, they are not collecting and tracking the needed data. Further, this claim is bogus because there really are no differences in the drugs that are used in dentistry for anesthesia and the drugs that are used in medical settings. The idea that dental anesthesia is somehow different than anesthesia for any other type of surgery—or that dentists know more about anesthesiology than anesthesiologists—baffles most people involved in this legislative battle: the drugs used are the same, and they are given to humans. There simply is no difference.

The problem legislatively is that medicine takes a lot of these safety measures for granted. In medicine, we are not doing studies on young children to see whether there are better outcomes when someone trained in anesthesia is dedicated to monitoring them versus the surgeon tasked with performing the procedure and the anesthesia simultaneously.

We decided years ago that it was safer to have a dedicated trained monitor who has the necessary skills to handle recognition of an emerging adverse event and rescue the patient. This is echoed in current practice throughout specialties, like the ASA’s and national policy guidelines published by the American Academy of Pediatric Dentistry (AAPD) and the American Academy of Pediatrics (AAP).

Dental organizations opposing this requirement simply do not have an incentive to do these studies because they do not want to see any change to this aspect of the anesthesia practice. Frankly, they see it as too costly.


Looking back

Looking back, to ensure passage of the stronger legislation, it probably would have been better to start with clear and precise language contained in national policy guidelines and include references to published studies to support the changes we were trying to make. For example, the language in the AAPD guidelines on personnel required for deep sedation and general anesthesia has recently been updated to include this language:

“Deep sedation/general anesthesia techniques in the dental office require at least three individuals:

  • independently practicing and currently licensed anesthesia provider
  • operating dentist
  • support personnel.”

As we move forward, in the next year’s legislative session, we hope that this crafted language is clear enough so that our legislators will pass this critically important patient safety bill.

Caleb Sears (2008-2015)