To mark the anniversary of the Health Insurance Portability and Accountability Act (HIPAA)—which turned 17 years old this week—three Advisory Board experts shared their thoughts on how privacy and security have evolved since 1996, as well as what the future holds for health information security.
HIPAA Privacy and Security still 'a work in progress' for many
Rebecca Fayed, Associate General Counsel and Privacy Officer
Think back to 1996—most medical records were in paper form, stored in filing cabinets or sitting on shelves in the HIM department, and unauthorized use or disclosure was [seen as] less risky than it is with electronic records.
HIPAA—the gigantic statute itself—addressed several significant and varying issues for the health care industry, including insurance portability, fraud and abuse issues, and significantly, privacy and security of health information. HIPAA also included provisions related to transactions and code sets meant to modernize and standardize the flow of health information electronically. And it was this push to transition health care to the digital age that prompted calls for more defined privacy and security rules.
It is important to remember that HIPAA was initially very bare bones when it came to privacy and security. It was not until December 2000, when HHS published the first final Privacy Rule (later modified in another final rulemaking in 2002), that the privacy provisions of HIPAA were implemented. Significantly, the Privacy Rule set forth limitations on the way covered entities could use and disclose protected health information (PHI), provided individuals with rights to their PHI, and mandated that most covered entities create HIPAA privacy compliance programs by April 2003.
Separately, HHS issued the final HIPAA Security Rule in 2003 that set forth the administrative, physical, and technical safeguards that covered entities must have in place to protect electronic PHI. Covered entities were required to comply with the Security Rule by 2005.
In response to the HIPAA Privacy and Security Rules, covered entities spent significant time and resources implementing privacy and security compliance programs from 2000 through 2005. But as most will recall, there was little government enforcement and little financial risk for noncompliance during this time or years later.
That all changed in 2009. The push for the adoption of electronic health records (EHRs) was accompanied by the realization that without proper privacy and security protections in place, the adoption of EHRs would meet great resistance from providers, patients, and other privacy advocates. In February 2009, the Stimulus Bill—and with it, the HITECH Act—changed the game for privacy and security of PHI. The HITECH Act increased privacy and security obligations (both in terms of what must be done and who must comply), increased penalties for noncompliance, increased oversight and enforcement, and included the first federal breach notification obligation. In a nutshell, the HITECH Act added real teeth to HIPAA, making it far less likely that covered entities and their business associates would ignore privacy and security compliance or even make it anything less than a high priority.
Finally, in January 2013, HHS issued the final HIPAA Omnibus Rule that implements the HITECH Act's privacy and security provisions, thereby modifying the HIPAA Privacy and Security Rules.
Covered entities and their business associates are required to comply with these new privacy and security requirements by September 23, 2013. That is just a few short weeks away. Are covered entities and business associates ready? Yes and no. Some are and some are not. However, most of those who are not ready are at least paying much closer attention than they were pre-HITECH. But even for those who are ready, it is important to remember that privacy and security compliance is a work in progress; a good compliance program cannot be static.
Going forward, we must continue to identify and address new risks, account for new technologies (e.g., no one was worrying about iPhones, iPads, or the cloud back in 1996, were they?), and continue to be vigilant in implementing policies and procedures to address these new issues and train those who have access to PHI. Despite being placed on the back burner for a few years, privacy and security of PHI is most certainly a front burner issue now and for the foreseeable future.
A 'thorny issue' becomes a 'window of opportunity' for hospital fundraisers
Cynthia Schaal, practice manager of the Philanthropy Leadership Council
HIPAA has been a thorny issue for hospital fundraisers for a long time. Specifically, there's been a lot of hesitancy at some organizations to engage with current and prospective donors out of fear of violating patient privacy. In the past, the rule has put definite guard rails on some components of philanthropy by limiting the amount of PHI that fundraisers can access. Furthermore, the information available in the past was very limited and delayed the application of more thoughtful and customized fundraising strategies.
As such, fundraisers have been working for a long time with their compliance officers and legal counsel to interpret a vague set of regulations clearly not written with fundraising in mind.
However, this year's omnibus rule expanded the kinds of PHI that are available to fundraisers to include the treating physician's name, the department where the patient received care, and some element of their outcome. At the same time, it also clarified provisions related to patients' wishes to opt out of receiving fundraising materials, so fundraisers have to be more diligent in their processes to be able to comply in a more timely fashion.
The intent of this portion of the omnibus rule was to make sure that fundraisers could be much more targeted and appropriate in their outreach to patients. It also allows philanthropy executives to partner with providers in targeting which patients to engage, where previously they had no way of knowing which physicians were involved in any particular patient's care, unless the patient specifically divulged this information.
Today, the regulations represent a window of opportunity for hospital fundraising to forge more meaningful relationships with grateful patients.
HIPAA brought IT security to the forefront
Eric Banks, Information Security Officer
HIPAA—the Security Rule, specifically—created a national standard for minimizing potential risks to PHI, including access controls, physical security, and technical safeguards. From a patient perspective, the Security Rule has helped ensure that those with access to their PHI do so with care and use proper disclosure. On the provider side, the regulations mandate procedural and technical changes to how many communication and IT systems function.
The Security Rule has helped to strike a balance between data privacy and the free flow of information: The first goal of protecting PHI is (and was) needed, and properly implemented security controls can either eliminate or minimize the "cost" of security while facilitating the exchange of data.
One of the major benefits of the Security Rule is that it forces consideration of information security safeguards into every discussion related to patient information, which in my opinion is beneficial for the patient and allows the industry to flourish.