How HIPAA Shaped Patient Privacy and Security but Still Has Room to Grow
By Adam Hamza
RICHMOND, Va. -- HIPAA may be a foundational part of the health care landscape, but it is a relatively new law that is in danger of becoming obsolete as technology eclipses it.
HIPAA, and the push for patient privacy, evolved out of the late 1980s as the nation was struggling with the HIV/AIDS epidemic. Jennifer Searfoss, chief legal and compliance officer at U.S. Foot and Ankle Specialists, said concerns over health insurance coverage and equality led Congress to act.
“This bill was coming forward as an employer aspect,” Searfoss said. “What was the major health crisis that was going on internationally in the late 80s and early 90s?” she said, referring to the AIDS crisis in the U.S.
“If you think about that concept, that was where [HIPAA] came out, specifically, whether or not employers have the right, or have the ability to know if one of their employees was HIV positive,” Searfoss said.
HIPAA is a federal law that created national standards for the protection of patient information and includes rules on privacy, security and breach notification.
In 2002, the Department of Health and Human Services issued the privacy rule, which defined protected health information (PHI) and under what circumstances it can be disclosed. It also established standards for an individual's right to know how the information is being used, including to whom it’s being disclosed and for what purpose.
Ethics or research boards can deny approval to a study if the data can be traced back to individuals. These rules also govern how protected or identifiable information is used in academic settings, said Michael Bale, a first-year Ph.D. student in immunology.
“A big thing in STEM research is you always need the data to be publicly available for anyone to see,” Bale said. “Because I came from an HIV lab, where a lot of what we did was sequence the virus…you always made sure that you were making it clear to the ethics board that the virus sequence of any one individual is not identifiable.”
The HIPAA security rule came into effect in 2005. According to David Holtzman, former senior IT specialist with the Department of Health and Human Services and principal of HITPrivacy, the security rule laid out a series of administrative, physical and technical safeguards for protecting electronic PHI.
“This is where the concept of an organization having real policies and procedures in place to safeguard electronic information and their information systems,” Holtzman said.
In 2009, the Health Information Technology for Economic and Clinical Health Act introduced additional liability to HHS for violations of the privacy and security rules. It also established the electronic health record system and changed the breach notification rule so that health care providers had to report breaches affecting more than 500 people within 60 days of detection.
On a larger scale, there are two areas moving forward that Searfoss is concerned with when it comes to privacy: which entities are considered business associates and the threat of ransomware.
She said that moving forward Internet service providers might be considered business associates because protected information is transmitted over their lines. This would make them liable for that information like other HIPAA covered entities. For now, they are regarded as the same as the U.S. Postal Service, which is not considered a business associate.
With ransomware, Searfoss pointed out that those attacks, which lock institutions out of their data and computer systems unless a ransom is paid, are not considered a breach at the federal level.
“If the data never leaves your system, you may not have access to it, but if it never leaves your system, there's actually no breach,” Searfoss said. “There is a discussion about whether or not if you ‘lose control’ of it and are able to make a full backup, what that would be considered.”
Bale also experienced something similar while working at the National Institutes of Health when he received an email that advised him to check his records because they may have been compromised by a foreign hacker.
“Five years ago there was a government breach in which China had acquired the names of many government employees,” Bale said. “So, co-workers of mine were affected by that but I personally was not and I don’t think I was affected by any of the other major ones.”
Incidents like this are rare, and although they are severe, there are proactive ways for organizations to safeguard themselves. Searfoss makes sure her staff are not connecting company devices to personal networks or devices, and she tests her staff to see which people might compromise protected information.
“Right now I've phished all of the staff at FASMA. So that we know who our troublemakers are, who are going to be the people that give away the keys to the kingdom and their doctors.”
Although not every compliance officer will go to these same lengths, Searfoss said the most important thing is elevating the people who make security a priority.
“You have to have somebody who cares and, hopefully, have vendors around you that have a support aspect that goes along with that,” Searfoss said. “Then establish a culture that will promulgate and other people will share it.”