HIPAA turns 20: Why it’s an effective law for healthcare
With all the healthcare breaches in the past few years it’s easy to blame HIPAA, the lone US healthcare data privacy regulation. I often hear complaints like “HIPAA is not specific enough” and “HHS isn’t even enforcing HIPAA.”
In light of HIPAA’s 20-year anniversary this month (to be specific, it was signed into law on Aug. 21, 1996), I’m going to share a brief history of HIPAA revisions over the years and my thoughts on the overall regulation as a useful driver for security.
If you have been following the updates to HIPAA over the past 20 years, you’ll recall that, with every revision, loopholes are closed and requirements have become increasingly strict.
Privacy Rule (Year: 2000): Limits the circumstances under which an individual’s protected health information may be used or disclosed by covered entities.
Security Rule (Year: 2003): Sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.
HITECH Act (Year: 2009): Extended application of some provisions of the HIPAA Privacy and Security Rules to the business associates of HIPAA-covered entities, making those business associates subject to civil and criminal liability. It also:
- Strengthened enforcement of Privacy and Security Rule violations.
- Established new limits on the use of protected health information for marketing and fundraising purposes.
- Increased civil and criminal penalties for HIPAA violations.
- Required covered entities and business associates to notify the public and HHS of data breaches.
Omnibus Rule (Year: 2013): Significantly revised which enterprises qualify as “business associates.” Third parties that create, receive, maintain or transmit PHI now qualify as a business associate, rather than just those that use and disclose PHI as part of their services.
With all these updates, there is a still a lot of room for interpretation in HIPAA language, and it by no means provides a comprehensive map of a security program. It doesn’t dictate exactly what a security team needs to do to secure patient data.
It doesn’t tell you how frequently to apply patches, and you won’t find the word “firewall” in any HIPAA rules. Does that mean that covered entities don’t need firewalls? Of course not. HIPAA was intentionally written to strike a balance between being overly prescriptive vs. too general. If HIPAA was too prescriptive, it could stifle innovation in both patient care and allowed security technologies. If it was too general, it would not be enforceable. HIPAA outlines the basic components of a covered entity’s privacy program and is actually quite detailed in some respects.
For example, HIPAA requires covered entities to:
- Identify and manage risks to patient data
- Notify patients and HHS upon a breach of data
- Conduct security training for staff
- Log all logins and login attempts
- Auto-timeout any applications containing ePHI
- Deploy measures to protect against malicious software
- Encrypt or de-identify data, whenever appropriate
And it prescribes many other activities. It’s up to the covered entity to determine which processes and technologies are required to be considered “reasonable” coverage. On the question of whether HIPAA over or under prescribed protection, lawmakers got it right. In general, significant alternatives in either direction would be either too prescriptive (hindering innovation) or too general (not unenforceable).
Regardless of your thoughts on HIPAA’s effectiveness, few could deny the fact that HIPAA has created an incredible amount of awareness of patient privacy and data security. In my former role as IT security lead in a hospital, I frequently ran into doctors who “needed” security exceptions for everything from encryption (because of performance concerns) and screensaver timeouts (because it’s annoying to login to your computer every 15 minutes). With HIPAA, IT security teams are able to make real change “in the name of HIPAA” because everyone knows what it is and understands why they need to support it.
HIPAA is firm when it comes to certain non-negotiable requirements, like the need to encrypt patient data on mobile devices that could be stolen, but is flexible when it comes to the method of achieving the goal, which make it more likely to adapt to changes with medical and technology innovation.