Ever since the updated HIPAA rule took effect last March, some hospital IT departments see themselves as “the HIPAA police,” clamping down in ways that the rule doesn't require, says one industry expert. 

“Suddenly everybody is a judge, and that’s very dangerous. It’s a huge obstacle, and it slows down progress,” says Abraham Gutman, founder of AG Mednet, the provider of software used by more than 17,000 customers in 60 countries to automate the process of quality control, including pixel de-identification and DICOM de-identification.

[See also: HHS makes sweeping changes to HIPAA.] 

“It’s not so much that the new HIPAA regulations are more stringent; they are more structured,” says Gutman, an industry expert in the de-identification of patient information specific to clinical trials. “The new HIPAA is like a river. All data should be allowed to flow, as long as it stays within the banks of what HIPAA allows.”

Gutman says the updated HIPAA regulations make patient privacy more important than ever, especially for all outside partners involved in the clinical trial process.

Surprisingly, a large percentage of clinical trial sites still rely on manual efforts to de-identify patient data before they send it to the core lab, which not only creates the opportunity for HIPAA breaches, but creates delays in the clinical trial process when errors are detected.

“In essence, there are some differences between old HIPAA and new HIPAA, but the spirit is exactly the same,” says Gutman. “Patient medical records are protected information, and we want to make sure that no protected information escapes a chain of custody that exists between service providers, hospitals and doctors.”

What’s most important about the new HIPAA regulations are the constraints on medical records, Gutman explains. “What HIPAA isn’t saying is don’t collaborate. This is the first thing going by the wayside,” he says.

[See also: Get set: New HIPAA has teeth.] 

Gutman urges providers to focus on what HIPAA allows, which he says includes the sharing of medical information within a provider’s “chain of custody,” as defined by business associate agreements.

IT departments should publish guidelines of things that an organization can do to stimulate HIPAA-allowed information exchanges. The guidelines should encourage doctors to get second opinions from colleagues outside of the hospital and allow the development of applications that connect to the hospital systems that allow exchanges of information from multiple centers, Gutman says.