The ONC has launched a new 4-part micro-blog to help explain that HIPAA doesn't prevent the use of PHI for patient care. The first blog post is titled "The Real HIPAA Supports Interoperability."
They cite the misconception that HIPAA "makes it difficult, if not impossible, to move electronic health data when and where it is needed for patient care and health" as the reason to clear up the confusion.
In their words:
What many people don’t realize is that HIPAA not only protects personal health information from misuse, but also enables that personal health information to be accessed, used, or disclosed interoperably, when and where it is needed for patient care.
I believe that this misconception has been widely spread because the focus of HIPAA training and enforcement efforts has largely been related to the privacy and security components of HIPAA.
Organizations in general, and healthcare in particular, are very good at risk management and avoidance. On the flip side, they are generally bad at sharing because of time, cost, security, and risk considerations. So it shouldn't be any surprise that even though "Portability" comes before "Accountability" in HIPAA, the portability part has been neglected in comparison to the accountability part.
We have been involved in many interoperability discussions, including with non-healthcare organizations, and security and risk are always major constraints. Sometimes the concern is whether the information can legally be shared, which this series should help put to rest.
However, many times it is related to concerns over securely sharing the data over a large distributed public network. Cybersecurity knowledge is still hard to come by and costs can be relatively high. Better "safe harbour" guidance and protection would go a long way to help in this area.