In many ways, the U.S. Health Insurance Portability and Accountability Act (HIPAA) was the forerunner of the EU GDPR and of the other comprehensive data protection laws and regulations that followed it. While it applies only to one sector, healthcare covered entities (CEs) and their business associates (BAs), it was the first set of regulations that required privacy protections, technical and non-technical security safeguards, and breach response requirements.
On August 21, 2024, the U.S. Department of Health and Human Services (HHS) celebrated the 28th anniversary of HIPAA. This took me back in time.
Throughout the 1990s I was responsible for building and managing the information and computer security program within the new Risk Controls and Management corporate department at the Fortune 200 corporation where I worked. In the early-to-mid 1990s, I was given the additional responsibility for privacy.
In 1996, when HIPAA was enacted as H.R. 3103, my employer also asked me to determine what Sec. 264, “Recommendations with respect to privacy of certain health information,” and Sec. 2713, “Disclosure of information,” required of our organization with regard to security and privacy, and what the rules still to be written might require. This was long before the HIPAA Security Rule and Privacy Rule were drafted, let alone put into effect.
At that time, there were no broadly applicable legal requirements for organizations to implement security safeguards or privacy protections for personal information. In healthcare, very few CEs had a formal information/computer security program or privacy program. The protections that did exist were often established by the IT team and focused more on maintaining availability of the network and applications that kept the organization running than on protecting personal data.
In 2003 the HIPAA Privacy Rule went into effect, establishing important privacy protection and risk mitigation requirements, and in 2005 the HIPAA Security Rule went into effect, adding important information security protections. Even after these rules took effect, very few CEs, and generally no BAs (who were not directly regulated until the HITECH Act), were implementing comprehensive security and privacy programs. A significant reason was that no penalties were being imposed for HIPAA non-compliance. The HIPAA Enforcement Rule took effect in March 2006, but in its early years it was not backed by monetary penalties or resolution agreements. The first monetary action came in 2008: a comparatively small $100,000 settlement (a resolution agreement, similar in effect to a penalty), together with a required corrective action plan (CAP). Since then, monetary penalties and settlements have grown significantly; the largest to date is the $16,000,000 paid by Anthem, Inc. in 2018, together with a detailed CAP and at least two years of ongoing HHS oversight.
HIPAA Benefits
Ultimately, HIPAA has had a profound impact on healthcare security and privacy. I believe it has improved the protection of patient data within a portion of the millions of healthcare CEs and BAs that are now required to establish security and privacy protections. At a high level, these benefits include:
- Increased security of protected health information (PHI). This has been accomplished by requiring protections across the three safeguard categories of the HIPAA Security Rule: administrative, physical, and technical. I know from the direct statements I’ve heard and the communications I’ve received over the past 28 years, from thousands of CEs and BAs who have received my work and my teams’ work and from readers of my HIPAA books and other publications, that the majority of the required protections would never have been funded or implemented if those entities had not been legally compelled by HIPAA.
- Increased privacy protections for patients and insureds. Long before the EU GDPR, the Privacy Rule established some very important requirements restricting the use, retention, and sharing of PHI. Prior to HIPAA, a large portion of healthcare entities, and their associated BAs, were using PHI with impunity: for research, for marketing, to influence decisions about a wide range of insurance and loans, and to share with employers, schools, and many other types of entities. Under HIPAA such practices cannot occur without the individual’s written authorization, except in the specific circumstances the Privacy Rule permits.
- Increased rights of individuals over their PHI. Prior to HIPAA, patients and insureds had no explicitly granted rights to obtain copies of their health records, to request limits on how their health data is used and shared, to have their health records corrected, to have their records sent to other providers, or to exercise the many other rights now provided through the HIPAA Privacy Rule. Millions of people have exercised those rights over the past 28 years.
Areas for improvement
The updates to HIPAA over the past fifteen years, starting with the HITECH Act, have brought many security and privacy improvements. Beyond the changes to the original rules, the Breach Notification Rule, the requirement that BAs be directly HIPAA compliant, the HHS HIPAA compliance audit program, the grant of HIPAA enforcement authority to each State Attorney General’s office, and the additional rules focused on specific types of health data, such as mental health data and, in the past few years, reproductive health data, have raised awareness and led many CEs and BAs to improve security and privacy for PHI. It is also good to see guidance being provided on using new technologies such as artificial intelligence (AI) securely and with privacy protections in place.
However, alongside all these benefits, there are still many areas where improvements can be made, both to HIPAA itself and to HIPAA compliance.
- More CEs and BAs need to take action to become HIPAA compliant. There are still many CEs, and the large majority of BAs, that are far from complying with all the requirements that apply to them. More concerning, too many CEs, and perhaps even a majority of BAs, have not yet started trying to meet HIPAA compliance at all. For example, in 2023 the owner of an 18-employee cancer research clinic (acting as both a CE and a BA), who had owned his very busy practice for 38 years, had never taken any action to comply with HIPAA. As he told me, “There is a very small likelihood that we will be audited or targeted by a hacker, so why waste my time and money on HIPAA compliance?” And a large portion of BAs have told me that they don’t think they are actually BAs. A very common comment is along the lines of, “The data our CE clients give us access to is all publicly available, so HIPAA does not apply to us.” Wrong! Whether an organization is a BA depends on whether it creates, receives, maintains, or transmits PHI on behalf of a CE (or of another BA), not on whether some of that information can also be found elsewhere.
- More public awareness is needed. The more patients and insureds act to ensure their CEs are following HIPAA, the more CEs will realize they need to do more to comply, and the more they will in turn press their BAs to comply. This makes it important for HHS to do more to make the public aware of their HIPAA rights.
- Attorneys General need to take more HIPAA compliance actions. There is a slowly increasing number of actions being taken by state and territory Attorney General offices, often in partnership with other states. However, there are still many areas where Attorneys General should pursue more HIPAA compliance actions. It would be very beneficial for HHS to re-establish ongoing communications with the AGs, as it did right after AGs were given this authority. That would not only help HHS toward its overall HIPAA compliance goals, but would add 56 offices capable of enforcing HIPAA consistently and on an ongoing basis: each of the 50 U.S. states, plus the District of Columbia, American Samoa, Guam, the Northern Mariana Islands, Puerto Rico, and the U.S. Virgin Islands, has an Attorney General’s office.
- Continue updating the HIPAA rules for new technology and healthcare practices. Everyone receiving healthcare services in the U.S. has benefited from the additional HIPAA rules of the past few years that target specific issues and their associated risks. Continuing to make incremental, targeted updates in this way will help keep pace with the new risks that continue to emerge throughout the healthcare industry.
We look forward to seeing the actions that HHS and the State Attorney General offices take in the coming months to update and enforce HIPAA, and we hope to see the actions listed above among them.
Stay aware
For help with better understanding HIPAA, more effectively protecting PHI, and complying with all of your HIPAA obligations, see our newest course, “HIPAA Basics for Business Associates 2024 Edition.”
Contact us for more information about our courses, for a discount code, and/or to obtain a demo account.