[BreachExchange] HIPAA at 20: Looking back at two decades of patient privacy protections

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 30 19:49:17 EDT 2016


http://www.healthcaredive.com/news/hipaa-at-20-looking-back-
at-two-decades-of-patient-privacy-protections/425378/

More than two decades ago, on August 21, 1996, then-President Bill Clinton
signed the Health Insurance Portability and Accountability Act (HIPAA) into
law. Since then, healthcare has changed a lot and HIPAA has helped guide
those changes every step of the way.

HIPAA's early years

Although HIPAA was passed in 1996, it would take nearly seven years for the
initial HIPAA Privacy Rule to go into effect. As the first federal law to
address the privacy and security of health information, the HIPAA Privacy
Rule was inherently complex. Privacy provisions in the original legislation
signed by President Clinton totaled 337 words. The final rule issued in
March 2002 was around 101,000 words long and spanned more than 500 pages,
according to an October 2003 USA Today article.

“When the HIPAA regulation initially went into effect, it generated
significant skepticism, confusion, and even angst,” Jocelyn Samuels,
director of the HHS' Office for Civil Rights (OCR), told Healthcare Dive.

Criticism of HIPAA came from all directions, Samuels said. On one side,
healthcare providers wondered whether HIPAA might prove to be too
cumbersome and expensive to comply with. On the other, patient advocates
expressed concern that HIPAA wouldn’t provide meaningful protections.

In the early years of HIPAA privacy protections, HHS and OCR, which was
responsible for enforcing the Privacy Rule, seemed content to let
noncompliant healthcare providers slide with a warning. From April 2003 to
2008, around 35,000 HIPAA privacy violations were reported, but not a
single civil fine was levied against a healthcare provider.

HHS said it had worked with around 6,000 providers reported for violations
to help them achieve “voluntary compliance,” according to an April 2008
article in the Wall Street Journal. Their approach was to encourage
“improvements that were constructive and were achieved more quickly than
through imposition of monetary penalties.” This approach would change with
the passage of the HITECH Act in 2009.

HITECH & HIPAA

In many ways, HIPAA was ahead of its time. Although it passed before
widespread adoption of EHRs, HIPAA recognized in 1996 that digitization of
health data was right around the corner. One of its goals was to
standardize the electronic exchange of sensitive health information. HIPAA
laid the groundwork for future efforts to advance health IT and those
efforts, in turn, strengthened HIPAA’s privacy protections.

“HIPAA has transformed healthcare and healthcare delivery over the past two
decades, evolving itself alongside of technology,” Samuels said. “The HIPAA
standards have helped pave the way for the widespread adoption of the
electronic health record and the interoperability of health data.”

When the HITECH Act passed in 2009, it included provisions to strengthen
HIPAA privacy protections and HHS’ ability to enforce them. The HITECH Act
expanded compliance requirements to business associates of covered
entities, required self-reporting of privacy breaches, and increased
potential fines for violations to up to $1.5 million. Later that year, OCR
would issue the first of many multi-million dollar fines for HIPAA
violations.

HITECH changes to HIPAA were finalized in January 2013 with the release of
the HIPAA/HITECH Omnibus Final Rule. “The final omnibus rule marks the most
sweeping changes to the HIPAA Privacy and Security Rules since they were
first implemented,” then-OCR Director Leon Rodriguez said.

Where has HIPAA fallen short?

While patients are technically afforded the right under HIPAA to access
their own personal health information, this is easier said than done. “Far
too often individuals face obstacles to accessing their health information,
even from entities required to comply with the HIPAA Privacy Rule,” Samuels
wrote in a January blog post.

By accessing their own personal health information, patients could better
manage chronic health conditions and help to coordinate their care. While
HIPAA makes this a possibility in theory, it is much more difficult in
practice.

Even worse, third parties often have more access to personal health
information than patients themselves. Anonymized health data may be doled
out for research purposes that do indeed help patients, but it can also be
used for marketing and other commercial practices. In May 2014, the Federal
Trade Commission issued a report showing how much personal health
information data brokers are collecting.

Supposedly anonymized health data can also be used to connect medical
records to the individuals to which they belong. In 2005, Carnegie Mellon
University Professor Latanya Sweeney told the Privacy and Integrity
Advisory Committee of the Department of Homeland Security that she was able
to compare hospital data to voter registration rolls to identify medical
records belonging to former Massachusetts Governor William Weld.

“The public has been misled and most still have no knowledge of their lack
of control over their sensitive health data,” Dr. Deborah Peel, founder and
president of Patient Privacy Rights, told Healthcare Dive. “Today, no
nation has a comprehensive map of all flows of personal health data. How
can personal data possibly be secured, much less private, if we have no
idea where it is or how it’s used?”

HIPAA is an imperfect law, but, at 20 years old, it could mature and grow
stronger. As OCR Director Samuels said, HIPAA has been a blue print for
healthcare reform. At this point, it will likely be a mainstay in blue
prints for healthcare reforms of the future.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160830/059312ed/attachment.html>


More information about the BreachExchange mailing list