On August 21, 1996, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law by President Bill Clinton. The original purpose of the Act, which amended the Internal Revenue Code of 1986, was to improve the portability and continuity of health insurance coverage, combat waste, fraud, and abuse, promote the use of medical savings accounts, improve access to long-term care services, and simplify the administration of health insurance.
At the time, there were no such things as electronic medical records (EMR), electronic Health Information Exchange (HIE), Covered Entities or Business Associates. Healthcare administration and patient privacy were complicated by varying rules and regulations across states and a lack of uniformity at the federal level. Experts recognized the need to standardize regulations, better protect patient privacy and allow employees to retain health coverage when leaving their jobs. They also recognized the increased use of technology and foresaw its coming impact on the healthcare industry.
The First HIPAA Rules
Although HIPAA was passed in 1996, it took almost seven years for the initial Privacy Rule to take effect. After Congress failed to meet a 1999 deadline to enact privacy legislation, the task fell to the Department of Health and Human Services (HHS). Between 1999 and 2002, the Privacy, Security, and Transactions and Code Sets standards were published, then republished for public comment after significant delays and revisions during the transition from the Clinton to the George W. Bush administration. In 2003, the Privacy Rule finally took effect, and four more rules followed, one a year: the Transactions and Code Sets Rule in 2004, the Security Rule in 2005, the Enforcement Rule in 2006, and finally the Unique Identifiers Rule in 2007.
A Slow Start
Prior to 2009, the Transactions and Code Sets and Unique Identifiers rules became industry norms, while implementation and enforcement of the Privacy and Security rules lagged behind. Thousands of privacy violations by healthcare organizations were reported, but no sanctions were levied. There seemed to be a lack of coordination between the Office for Civil Rights (OCR), which enforced the Privacy Rule, and the Centers for Medicare & Medicaid Services (CMS), which enforced the Security Rule.
Along Came HITECH (and the Final Rule)
The enforcement of the HIPAA Privacy and Security rules was bolstered by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009. While ARRA promoted the meaningful use of health information technology, the HITECH Act addressed the privacy and security concerns that came along with this increased focus on health IT.
The Omnibus, or Final Rule, was issued in 2013 after much anticipation. It finalized most of the modifications to HIPAA Privacy and Security rules mandated by the HITECH Act. It also made Business Associates directly liable for HIPAA compliance in addition to Covered Entities. Prior to this, Business Associates were only liable through their contractual relationships with Covered Entities. Now Covered Entities and Business Associates must execute Business Associate Agreements, and any organization that handles protected health information (PHI) is subject to the same HIPAA rules – and the same penalties for violations.
Enforcement Ramps Up
Easily the most impactful change under HIPAA since 2009 has been the increased authority of the OCR, which is now responsible for implementation of both the Privacy and Security rules. With this increased authority has also come an aggressive enforcement policy. According to the Department of Health and Human Services (HHS), as of July 31, 2016, the OCR had settled 37 cases of noncompliance for a total of almost $40 million. And the infamous “Wall of Shame” now tracks all breaches affecting more than 500 individuals. Gone are the days of lax enforcement.
The OCR has also implemented an audit program to evaluate organizations’ HIPAA compliance. During 2012, pilot audits were conducted with approximately 120 Covered Entities to assess their overall HIPAA compliance, especially with the revisions proposed under the HITECH Act. The first phase of audits was conducted onsite, and the results were aggregated to give the OCR a better idea of what type of technical assistance was needed to promote increased compliance.
After much anticipation, phase two of the OCR HIPAA audits has recently begun. This time, both Covered Entities and Business Associates are eligible for selection, with primarily desk audits expected. Again, the OCR states it plans to use audit results to improve its technical assistance resources. The OCR also hopes to use results from both phases to develop a permanent audit program.
Although HIPAA has increased awareness of personal privacy and data security and largely standardized healthcare transactions, significant challenges remain. While the HIPAA Privacy Rule was originally intended to protect the privacy of individuals’ health data, it’s often cited and misinterpreted by providers and healthcare institutions when prohibiting the sharing of information with family and caregivers in legitimate circumstances.
The Pulse nightclub shooting in Orlando earlier this year is just one of many such situations. In the aftermath of the shooting, there was confusion about whether information about the victims could be released to friends and family. Orlando Mayor Buddy Dyer even contacted the White House to seek a HIPAA “waiver”. However, no waiver was necessary. The HIPAA Privacy Rule allows for disclosure of health data in the best interest of a patient who is incapacitated, or to locate significant others to share information about their condition.
The health IT environment is evolving at breakneck speed. Compared to 20 years ago when electronic health records were almost non-existent, today the vast majority of protected health information (PHI) is generated and stored electronically. But has the ability to secure electronic protected health information (ePHI) kept pace with the ability to generate and store it? What about the ability to exchange ePHI in a meaningful way between healthcare providers?
According to the OCR, there were over 250 healthcare data breaches of 500 records or more in 2015 affecting over 110 million people. The largest, by far, was the Anthem breach which totaled close to 79 million records. And while hackers accounted for the most records breached, loss or theft of unencrypted portable devices, such as laptops, tablets and USB drives, accounted for the highest number of breach incidents. Clearly, there’s plenty of room for improvement when it comes to securing data.
The meaningful exchange of ePHI is still a challenge as well. While electronic medical records (EMR) are common in your physician’s office, the ability to share your health data, even across providers within the same health system as part of an electronic health record (EHR), is far from seamless. Currently, there is a wide variety of health IT systems in use, not to mention wearable medical devices. And while the Transactions and Code Sets Rule established standards for claims transactions, there is still a lack of standardization in how other health data is stored and transmitted, including medical procedures, treatment notes, prescriptions, imaging, and discharge information.
The Office of the National Coordinator (ONC) has been charged with developing standards for health data exchange. Earlier this year, the ONC published its most recent Interoperability Standards Advisory. However, these standards are currently non-binding. The finalization of a single set of standards is likely years away, if it is achievable at all.
The Next Twenty Years
What will the next 20 years bring in the life of HIPAA? The answer remains to be seen. As far as data privacy, a better balance of individuals’ health data disclosure and protection, particularly pertaining to mental health, substance abuse and HIV/AIDS treatment, would allow for more comprehensive and integrated treatment for individuals, and improved population health in general. And an improved understanding, especially among clinicians, of when it is appropriate and permissible to share information is important in advancing population health while still maintaining individuals’ health data privacy.
As far as data security, reducing incidents of hacking is critical. Efforts in this area may include enacting additional standards around the use of encryption, especially for portable devices, or at the very least making the encryption of portable devices mandatory rather than addressable. Better workforce training would also promote awareness and likely reduce incidents of hacking. We are responsible for many security breaches ourselves through responding to phishing emails, clicking on infected links and unwittingly infecting our computers and networks with malicious software.
HIPAA has come a long way in 20 years, but there’s still a very long way to go.