HIPAA: Reflecting on the Past and Preparing for the Future

When the Health Insurance Portability and Accountability Act (HIPAA) went into effect over 10 years ago, it was met with great apprehension and concern from those in the healthcare industry. Today, it is one of the most important legal and ethical guidelines in the industry. How has HIPAA evolved since its inception? Let’s step back to examine a few key points in its development.

Concern over protecting one’s personal information is not a new idea. By the late 1980s, there were privacy laws protecting cable TV records, school records, and even video rental records. At that time, however, there were no federal laws governing the privacy of health information. Several other issues plagued the healthcare industry prior to HIPAA’s enactment, namely the inefficient methods by which healthcare records were shared, as well as the inability to transfer health insurance from one company to the next.

In 1996, HIPAA was signed into law by President Bill Clinton with the purpose of modernizing and streamlining the electronic flow of health information. It also established federal rules to limit health plans’ use of pre-existing condition exclusions, provide creditable coverage when moving from one health plan to another, require health plans to offer special enrollment periods due to life events such as the adoption or birth of a baby, and prohibit discrimination on the basis of health factors. While most of us recognize HIPAA today as a privacy and security law, those matters would not be addressed until the early 2000s.

In December 2000, the U.S. Department of Health and Human Services (HHS) expanded HIPAA’s reach by publishing the Privacy Rule, which set national standards for the protection of certain individually identifiable health information known as protected health information (PHI). The Privacy Rule also regulated the use and disclosure of PHI.

Another key aspect of HIPAA was established in February 2003 when HHS finalized the Security Rule. A counterpart to the Privacy Rule, the Security Rule set national standards for protecting the confidentiality, integrity, and availability of electronic PHI. While the Privacy Rule set standards to protect health information in any form or medium, the Security Rule applies only to health information in electronic form.

HIPAA was further bolstered in 2009 with the passing of the Health Information Technology for Economic and Clinical Health Act (HITECH). The HITECH Act greatly increased penalties incurred for HIPAA violations, expanded the scope of those directly accountable to the federal government for HIPAA compliance, created the first federal data security breach notification requirement, and required HHS to conduct HIPAA audits.

Throughout the evolution of HIPAA, technology has advanced at an unprecedented rate. While these advancements have greatly streamlined many aspects of healthcare, they have also raised troubling privacy and security questions given the proliferation of cybercrime. Furthermore, the increasing popularity of mobile devices in the industry has posed an unprecedented challenge to healthcare privacy and security.

While many institutions are working towards stronger security measures, many have not acted soon enough. For example, MedStar Health, a network of 10 hospitals and 250+ outpatient centers, was shut down for days while hackers held its data for ransom. Even more unsettling, a recent study conducted by Healthcare IT News and HIMSS Analytics found that over half of U.S. hospitals had been hit with ransomware in the past year.

Above all, there is no denying that HIPAA has evolved greatly since its inception over 20 years ago, and will likely continue to change. Just as technology will continue to develop over the years, so too will the processes by which health information is protected.