HIPAA 2.0: Doctors in the Digital Age

Digital innovation can revolutionize health care—but we need the policies that will allow it to do so. The latest in our series “Our Digital Future.”

By Bob Kocher, MD, and Pat Basu, MD

Tagged: Health Care, technology, The Internet

At 8 p.m. one cold winter evening just outside Chicago last February, Jennifer Murphy and her husband, Mark, worried about the worsening fever of their seven-year-old daughter. Their doctor’s office was closed. They contemplated returning to the ER where the previous month they had waited four hours, were told to follow up with their pediatrician—and were billed $1,000. The day before, Jennifer had heard about a telehealth visit and decided to try it. This time, from the comfort of their home, the Murphys used an app on their mobile phone to connect instantly with a board-certified physician. Through a video visit, an Illinois physician examined their daughter, diagnosed her illness, and e-prescribed a medication to their nearest pharmacy. The family saved hundreds of dollars, a great deal of time, and incalculable stress. Moreover, their daughter avoided spreading her untreated illness to others or potentially contracting a new infection in a clinic waiting room.

This type of video visit, an element of the larger telehealth movement, has the potential to increase access to quality care for millions of Americans while saving tens of billions of dollars in health-care costs. More than one million video visits will be done this year in the United States, and many hospitals and doctors believe that more than 35 percent of all health-care visits will be converted to virtual visits in the next decade. This bodes well for the companies that provide the software to support this transition. (We are both involved with one of these companies, Doctor On Demand.)

The Murphys’ story is just the tip of the iceberg. Teleradiology has enabled CT scans to be diagnosed faster, more accurately, and more affordably. Telestroke programs are saving brain tissue and lives by enabling stroke specialists to remotely diagnose and treat patients more quickly. And live video teletherapy visits are expanding access to mental health professionals at a time when it is desperately needed.

The Benefits of Digital Health

The benefits of digital health care are numerous and substantial.

Expanded access. With respect to primary care medicine, telemedicine increases the affordability, convenience, speed, and availability of medical visits. The benefits of telehealth have often been described only in the context of helping rural, inner-city, or other populations with well-documented access shortages. But in fact, the expanded access is nearly ubiquitous. The average wait time to see a physician in the United States is more than three weeks. For many conditions, this is simply too long to wait to receive appropriate care.

The advantages are even more striking when it comes to mental health. Mental illness is among the most prevalent medical conditions in America, affecting up to 20 percent of Americans. Common mental health issues like depression and anxiety are some of the most underdiagnosed and undertreated conditions. And yet the average time to see a psychiatrist is greater than five weeks. With teletherapy, a patient can usually see a psychiatrist within minutes. The potential exists to reduce not just cost, time, and distance, but also the stigma some patients feel with regard to a traditional visit to a therapist.

Lastly, telehealth provides a form of triage for our health system: By treating the patients who can be treated via video, the cases that actually need to be seen in person can be seen more quickly and with more attention. Telehealth can also help address the physician “shortage” problem, which exists not because there aren’t enough physicians, but because available physicians can’t see patients in need because of time and space constraints. Telehealth also permits physicians who are working reduced hours—those nearing retirement, mothers caring for young children—to see patients in this flexible format, increasing the supply of physicians and helping to reduce the maldistribution problem in many regions that have few physicians willing to work in rural and lower-income areas.

Decreased cost. Ample data demonstrate the significant savings achieved through telehealth. First, there are the direct costs. By eliminating overhead, increasing efficiency, and reducing waste and knee-jerk testing, telehealth visits are orders of magnitude cheaper than the office visits (which can run at least $100 per encounter), urgent-care trips ($200), and ER visits ($1,000) they replace. Studies show that the vast majority of ER visits do not require emergent therapy or inpatient admission and therefore could be done by video.

Of the 1.3 billion outpatient visits in the United States annually, approximately 350 million are acute in nature. In the acute-care field alone, each video visit can save an estimated $120, which could reduce health-care spending by billions of dollars. In the chronic-care field, where visits are more frequent and more expensive, the savings by converting even a small fraction of in-person visits to virtual visits are dramatic. Public and commercial payers had previously been worried about telehealth overutilization and additive visits. However, data show that telehealth visits are indeed substituting for the more expensive alternatives.

But there are also indirect savings from telehealth. It’s estimated that the average doctor’s visit takes more than three hours from the time a patient leaves to when she returns to work, resulting in a cost to the economy of more than $50 billion. In addition, the productivity loss alone from untreated depression issues is estimated at more than $50 billion. Finally, keeping sick patients at home and having healthy patients avoid unnecessary contact with the sick could reduce some proportion of the millions of infections contracted by patients in hospitals and other facilities.

Improved quality. The evidence is strong that telehealth offers increased quality. The reason is simple: It gives patients the ability to see a high-quality provider who might be anywhere in the country instead of being forced by time or geography to see the only doctor available. Similarly, gains in quality can be achieved by giving a patient access to a specialist instead of a generalist.

A second improvement in quality stems from the instant and ample opportunity to generate quality metrics in a digital world. For example, instantaneous patient scores, wait times, prescribing data, and other outcomes can be quickly aggregated, analyzed, and acted upon. Finally, telehealth offers better care coordination by creating more opportunities for both provider-to-patient and provider-to-provider consultation. By using telehealth to coordinate care, the Veterans Health Administration (VHA) recently reduced inpatient hospitalizations and readmissions and increased patient satisfaction.

Increased value and competition. Mobile technology has helped increase competition and value in almost every sector except for health care and education. But finally, telehealth introduces choice and increased competition into the traditional health-care marketplace. By increasing the level of service and decreasing cost, telehealth helps improve the value delivered by the system. This change is a dire need for a system that consumes nearly a fifth of U.S. GDP with limited access and inconsistent quality.

The Digital Landscape

For any health-care policy proposals to have a meaningful impact, we first must address the need for reform in our overall digital policy architecture. We see five broad national digital priorities as foundational:

  • The federal government must continue its efforts to build out broadband that is accessible to all Americans.
  • The federal government must continue to invest in improving bandwidth to accommodate the rapidly increasing demand for video and data-intensive technology applications.
  • The federal government should substantially increase its investments to make the Internet stable and secure so it is less vulnerable to cyberattacks, data breaches, and congestion.
  • Government at all levels should change default policies so that all data sets are made readily available to all, in machine-readable formats, and at the lowest possible cost. Data should be held back only when privacy or security are at risk. An independent party should determine when data should be protected. The Freedom of Information Act should remain, as it is today, as an additional check and balance.
  • State and federal government regulators should also exercise antitrust enforcement to limit data monopolies that harm consumers and customers, such as the problem of electronic health-records companies charging doctors exorbitant fees to access their own data.

We believe that these overarching digital policies can unlock substantial economic value and, working together, will unleash a great deal of innovation and private-sector investment. The Affordable Care Act (ACA), the HITECH Act (part of the American Recovery and Reinvestment Act of 2009), and the 2010 Health Data Initiative launched by the Department of Health and Human Services (HHS) illustrate the relevance of these digital policies for the health-care sector. Those reforms have gone some way toward subsidizing broadband access for U.S. health-care providers, creating security standards and protocols for sharing patient data, liberating tremendous amounts of high-quality data sets, and changing the defaults for how HHS manages its data. This in turn has contributed to a massive increase in venture capital funding and new company formation. Over the last five years, more than $10 billion of venture capital funding has flowed into health-care IT, leading to the creation of 500 new companies—more than double the rate of capital flows and company creation a decade earlier.

Digital Health Policy Recommendations

Despite the tremendous benefits offered by telehealth, significant barriers to adoption remain. There are three significant areas where policymakers should focus their attention: coordination of interstate policies, reimbursement of telehealth, and updating of the Health Insurance Portability and Accountability Act (HIPAA).

Coordination of State Policy and Interstate Commerce

On the subject of health-care regulation, we truly have a Disunited States of America. At the federal level, the Centers for Medicare and Medicaid Services, the Health Resources and Services Administration, and the VHA have differing definitions and policies with respect to telehealth. The lack of clarity in policies among and even within states is even greater. It would be unrealistic to expect all the states to share identical laws, but there are several areas where even minimal coordination and clarity across state lines would increase quality, efficiency, and affordability.

For one, the ability for a physician to treat a patient is contingent on establishing a physician-patient relationship. Some states have not clarified whether a live, face-to-face video connection establishes this relationship, which is a basic tenet of telehealth. Although most states have moved to try to clarify this, some have either obfuscated the issue or blatantly endorsed protectionist policies for underperforming incumbent providers. Policymakers can increase the adoption and benefits of telehealth by clarifying this murky issue.

Another area that needs greater attention revolves around state medical licenses. Although a urinary tract infection in Virginia would be treated identically in North Carolina, a physician in Virginia would be unable to treat a patient in North Carolina. In some states, obtaining a state medical license can take up to 12 months and cost $1,000. This creates a significant barrier to achieving some of the benefits of telehealth. Furthermore, there is no clinical rationale for these barriers. We believe that if you’re licensed in one state, you should be able to practice in the other 49 states.

Medicare and Medicaid Reimbursement of Telehealth

Often, the private insurance market lags behind Medicare and Medicaid in terms of adapting to medical innovations. But with telehealth, the opposite is the case. About half of U.S. employers have begun to cover video urgent-care visits for their employees. However, in contrast to their privately insured counterparts, Medicare and Medicaid beneficiaries are not being reimbursed for video visits as an alternative to expensive ER and urgent-care visits.

A major reason for the paucity of reimbursement is the requirement that patients must be present and physically on-site at an approved clinical location for the visit. In other words, the patient cannot be at home, work, or any other location that would obviate the need to physically drive to a brick-and-mortar location. Obviously, having to come in to a physical clinical location erases virtually all of the value derived from a telehealth visit. This legislation was penned in an era long before the widespread adoption of mobile video conferencing from smartphones and tablets. Congress needs to update this requirement.

With respect to Medicaid, there is a big need to get more doctors to see Medicaid patients. Because Medicaid pays only a fraction of what commercial insurance pays, most doctors, especially specialists, see Medicaid patients only when they have no other higher-paying patients to see. This leads to long waiting times for patients. 

Thanks to telemedicine being so much less expensive, Medicaid programs can afford to pay the same price as Medicare and commercial insurance, which means that Medicaid patients should be just as profitable and attractive for doctors as all other patients. For Medicaid, the benefits of adopting telehealth are even greater than for commercial insurance companies, since a larger proportion of Medicaid patients resort to ERs for routine care because they are unable to access most outpatient doctors.


HIPAA was a bipartisan bill sponsored by Senators Ted Kennedy and Nancy Landon Kassebaum that was passed by Congress in 1996 and signed into law by President Clinton. At the time of passage, the law was lauded as a major improvement in protecting access to employer-sponsored insurance when employees change jobs, have preexisting conditions, or get sick. The law reduced waiting periods for coverage and exclusions of preexisting coverage, and it precluded dropping patients when they get sick (the ACA extended many of these provisions to the individual market).

Title II of the HIPAA law, “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform,” little noticed at the time, has become the most important aspect of the law. This section gave rise to the Privacy Rule, which in turn gave rise to all those forms patients fill out and the resultant confusion over how we govern and protect patient health-care data. While most doctors and hospitals have been implementing electronic medical records, the time-honored waiting-room forms and clipboards have stubbornly persisted. One of those papers is almost always a HIPAA consent form. While few patients are likely to read the fine print, if they were to do so, they would learn that it requires that health-care providers get patient consent before using or sharing a patient’s “protected health information” for anything other than the patient’s care.

We all like privacy, especially where our medical histories are concerned. But it’s also a fact that Title II of HIPAA has resulted in two contradictory outcomes that increase cost and reduce efficiency. On the one hand, providers ask for blanket consent from patients to use their data. And patient data are routinely accessed by health plans for risk adjustment, case management, and other reasons. An industrial complex of care-management companies, pharmaceutical companies, pharmacy benefits managers, and health-care IT companies accesses patient claims and in some cases electronic health-care data. This happens at scale, in the background, and with little knowledge by customers, except when there are data breaches that affect patients and providers.

On the other hand, despite these treasure troves of data flowing in the background, hospitals and doctors often use HIPAA as a scapegoat to refuse to share data and to innovate in care delivery, when in reality they are simply trying to protect their balance sheets by creating barriers for patients so they don’t switch plans. This practice contributes to increased time, cost, and repeated testing. The fear of failing to be in compliance with HIPAA has been a major impediment to our health-care sector adopting email, text messages, telemedicine, and improving the basics of the patient experience, such as by having other clinicians in a health system know your preferences and health-care needs. Worse, when health-care professionals have adopted modern communication tools—for example, hospital patient portals and electronic health-records portals—they have done so in ways that are so cumbersome, in the name of HIPAA compliance, that patients have failed to engage.

Like all other technologies, HIPAA should evolve. Just as Google, also created in 1996, has made thousands of refinements to make its product work better and continue to be relevant in a world where most of the Internet traffic is now mobile, HIPAA needs to be both updated and designed to evolve as technology evolves. A modernized HIPAA should accomplish four goals:

  • It should reward providers for patient engagement, by using the communication tools that patients want and making it as easy to view and share medical data as it is to do mobile banking.
  • It must promote efforts to improve patient experience in much the way that hotels, restaurants, and retailers have adapted their consumer experiences to anticipate customer needs and preferences.
  • It must manage the explosion of patient-created data that can inform health-care delivery, just as consumer Internet companies do to improve their product and recommendations to consumers. These data have huge potential to improve care because the way a patient feels between doctor visits is much more informative than how he feels during the 15 minutes he sees a doctor.
  • Finally, like the rest of the U.S. economy, it must encourage the adoption of mobile technology by both patients and providers. This will remove lots of administrative waste and improve the reliability of everything.

A reformed HIPAA must also break down the silos of patient data that exist across providers so patients can easily assemble all their electronic data in structured formats rather than PDFs. Right now, under current law, a cancer patient who wants to have a second opinion has to go to her doctor’s office, hospital pathology department, outpatient imaging center, and genetic testing lab to get her records; a reform would eliminate that hassle by requiring all of these disparate providers to have application program interfaces (APIs) that could assemble all the relevant patient data automatically. This would allow our health system to achieve the elusive goal of “interoperability.” It would also free patients to get care from any providers they desire without fears of data being compromised, tests being duplicated, and clinical learning lost.

HIPAA 2.0 would also encourage providers to adopt the communications tools preferred by patients. Current law requires patients to download applications with limited usability and with passwords that are incomprehensible and overly complex. Instead, providers should be permitted to use whatever technology tools patients prefer—even if they are not as secure. In practice, Facebook and Google have been much better at security than health systems and health plans. Imagine if you could use Google Docs to organize your data and Facebook to share your care instructions with your family and ask questions of your doctors as they arise.

Providers should also be permitted to use patient data to conduct research. They should be able to create de-identified patient data (data sets that delete or randomly change data so patients cannot be re-identified) for research purposes without having to secure the consent of patients, as long as the data are never re-identified. Finally, providers, payers, and others who create patient data sets should be able to sell de-identified patient data sets for commercial uses such as creating new drugs, helping health plans understand clinical quality, and identifying new clinical guidelines.

Commercial data sets could greatly speed drug development, make it a lot easier for people to find the right doctors and treatments, and perhaps create more useful mobile applications for understanding your medical data. However, such commercial activity should have a caveat. For their data contributions, patients should be paid an amount that is proportional to the value of their data. This will not only increase transparency regarding the fact that this is occurring but will drive more patients to want to contribute their data to de-identified data sets. It will also add additional accountability on the part of those who create and purchase data to manage access carefully and to remember that the value they are deriving comes from patients who in many cases suffer from serious diseases and bear large financial burdens.

More needs to be done to protect privacy going forward. For instance, two-factor authentication—requiring both a password and a text message—on both the patient and provider end could mitigate damage done from a breach. However, it may be technically impossible to assure privacy in the future as data scientists and hackers get more and more creative and capable at combining data sets to identify individuals. For this reason, penalties for re-identifying patients or misusing identifiable patients’ data should be changed from civil violations to criminal penalties. Violating privacy should lead to significant monetary penalties, jail in serious cases, and, most importantly, a ban on both the individual and the corporation from accessing all forms of patient data, de-identified and identifiable, for a decade.

To keep HIPAA 2.0 current and to get us to HIPAA 2.1, we should empower the Office of the National Coordinator for Health Information Technology at HHS to incorporate annual HIPAA updates into its annual electronic health-records standards rules and meaningful-use programs. A safe harbor should also be created for providers to hold them harmless for violations made by technology partners that patients choose to use.

The Future of Health Care

The United States has the opportunity to be a world leader in the creation of a digitally improved health-care delivery system and to be the place that figures out how to apply technology to an area of the global economy that has historically been slow to adopt and benefit from technology. Embracing these changes will lead to both lower costs and much better patient experiences and outcomes.

Working together, the policies we outline here will create innumerable opportunities for both new entrants and existing health-care companies. They will also lead to even more venture capital and entrepreneurs being drawn to an important sector of the economy. These policies will help unlock the long-awaited promise of “precision medicine” and personalized treatment plans, give us better communication tools, and speed the development of remote monitoring and sensors. Not least, there’ll be fewer of those forms and faxes, and we’ll finally start moving toward a future where our technology can contend with the complexity of our massive health-care system.

Bob Kocher, MD, is a Senior Fellow at the USC Schaeffer Center for Healthcare and Economic Policy, a Partner at the venture capital firm Venrock, and formerly Special Assistant to the President for Healthcare and Economic Policy.

Pat Basu, MD is chief medical officer of Doctor On Demand. He previously served as chief operating officer of Virtual Radiologic Corporation (vRad) and is a former White House fellow.
