HIPAA and Digital Health Mistakes: An Interview With Shannon Hartsfield

Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @DarshanTalks or the show's website at darshantalks.com. Darshan: Hey everyone, welcome to DarshanTalks. We have Shannon Hartsfield with us and Shannon is a privacy attorney, but I wanted to let Shannon talk a little bit more about herself before we delve into some really interesting discussions around privacy and digital health and more. Shannon, could you tell us a little bit more about yourself? Shannon: I'm Shannon Hartsfield. I'm a partner with Holland and Knight. I am based in Florida. I'm board certified in health law by the Florida bar. I've been practicing for about 25 years and I'm a co-author of a book that just came out in January, published by the American Bar Association called, HIPAA: A Practical Guide to the Privacy and Security of Health Data. Co-authored with June Sullivan who practices in Massachusetts. I'm excited to talk to you today. Darshan: That's awesome. First of all, this may be the first time someone's actually plugged a book here so I love it. Shannon: Have to get that in. Darshan: That's awesome. I ended up writing a book as well for the ABA and I loved the process of it. I'm glad you've rewritten several. You've written this one for sure. And I got to make sure I get a copy and read into it and we'll probably have you back after I finish reading and I have questions. But here's a sort of jump off point for you because you can tell us a little bit more about HIPAA. When I go onto Twitter, when I talk to people, everyone's talking about how digital health is the new, well, it's really where everything's going. Whether you're talking about telemedicine, you're talking about FDA regulated apps, digital health becomes really critical. But then everyone says that HIPAA prevents us from really doing much. In your experience, is HIPPA everything that stops progress? What is your take on it? Shannon: Actually, I think it's very rare that HIPPA is an impediment to anything that legitimate actors need to do with health data, with respect to treatment, payment and healthcare operations. As you probably know, HIPAA doesn't even require a patient's authorization in order for a covered entity, which are most healthcare providers and plans, to use and disclose protected health information or PHI for those purposes, treatment payment, healthcare operations. Now in the digital health era, it's interesting because people think that HIPAA applies to all health data. They kind of use the word HIPAA like we use the word Kleenex when we're talking about tissue. It's become sort of a generic moniker for all health data. But the reality is that a lot of times in the digital health world, HIPAA may not apply at all. For example, the health data that you collect on your personal devices or that you share with certain websites and things like that, may not be protected under HIPAA. Now where we sometimes do see what I would call potential roadblocks in terms of sharing data, typically arises in state laws. State laws that were drafted long before digital health was contemplated in some cases, and those state laws are pretty short and sweet and say, "You can't share health information without the patient's authorization." Or, "You can only share it for treatment." Or something like that. And so these old state laws that don't fit really well with what we have today. On the other hand, HIPAA, the drafters of HIPPA thought long and hard about a lot of the common situations where we might need to disclose health data for public health, for example and all sorts of other types of uses. In the digital health era, one of the first questions you have to answer is does HIPAA eve...