In August 1996, President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. For many Americans, HIPAA is a blip on the radar — some papers that get signed when they visit a new doctor, or another box to check when working with vendors. In reality, few people know what HIPAA stands for, and even fewer know why it’s important. In the 25 years since HIPAA was enacted, the statue has grown to become one of the nation’s pillars of individual privacy. While HIPAA is a complex and wide-ranging piece of legislation, its enduring legacy is its requirement that the healthcare industry protect personally identifiable information (PII) from theft and exploitation.
At the time of its signing, the drafters of HIPAA could not possibly have predicted the extent to which personal data would become an important part of the American healthcare system. Rather than simply storing patient information, data is now a driver of innovation; large datasets fuel research that leads to improved health outcomes for patients across the world.
But while the ever-growing body of healthcare data serves as a resource for the industry as a whole, it also represents a major target for hackers and ransomware. According to Security Magazine, more than 92 U.S. healthcare organizations faced ransomware attacks in 2020, and bad actors made off with more than $15.5 million in ransom payments. These breaches don’t just have financial consequences: they are also HIPAA violations which could potentially lead to both civil and criminal penalties.
While HIPAA has done a remarkable job of keeping pace with technological innovations, the increasing threats of ransomware and data breaches are the most serious challenge yet for institutions and service providers.
As technology evolves, so too does HIPAA
Over the past 25 years, HIPAA has not remained a static, inflexible piece of legislation. To maintain relevance in the face of new technologies and applications, lawmakers added two important rules to the HIPAA statutes:
- HITECH 2009/Breach Notification Rule: In the decade that followed HIPAA’s enactment, doctors and nurses were likely to be found carrying paper files into appointments and storing patient data in physical, on-site cabinets. Recognizing the potential for electronic health records, Congress enacted the Health Information Technology for Economic and Clinical Health Act in 2009. Most notably for cybersecurity, the HITECH Act requires HIPAA-covered entities to report any data breaches that impact more than 500 people to the Department of Health and Human Services. This key step served as acknowledgement of both the growing importance of customer data and the increasing threat of hacks.
- 2013 Final Omnibus Rule: Four years after its enactment, Congress updated the HITECH Act to include not just those covered by HIPAA, but also business associates. Additionally, the 2013 Final Omnibus Rule changed the burden of proof for whether or not harm had occurred as a result of a breach. Previously, an organization needed to prove that significant harm to an individual had occurred; under the new legislation, the organization must prove that significant harm had not occurred, a much higher standard of consumer protection.
HIPAA’s evolution has not just included proactive legislation, but also its ability to react to violations. In 2017, the first settlement for HIPAA violations involving a wireless service provider occurred with CardioNet. The company, which provides remote mobile monitoring and rapid response services for patients at risk for cardiac arrhythmias, settled for $2.5 million in relation to an alleged impermissible disclosure of unsecured electronic protected health information.
Serving an increasingly digital healthcare system
While the American healthcare system was already trending towards increased digitalization, the Covid-19 pandemic drove an unprecedented acceleration in the adoption of telehealth services. According to a study published in JAMA Network Open, telehealth made up 0.3 percent of provider visits in 2019; in 2020, that number grew to a whopping 23.6 percent. This dramatic increase in telehealth use inevitably demands a parallel increase in electronic data transfer: for each online touchpoint, a patient will need to submit PII or arrange for their information to be sent from one service provider to another. Each new telehealth patient places an additional burden on healthcare providers and corporations to maintain HIPAA compliance.
In this increasingly digital world, organizations will need to maintain strong security and privacy practices to avoid the potential civil and criminal consequences of HIPAA violations. Recognizing the need for HIPAA-compliant tools to facilitate new digital services, many leading tech companies have worked to create new solutions for the healthcare industry.
After 25 years of HIPAA, it’s clear that these regulations are a vital and necessary tool for protecting consumer privacy. For HIPAA to remain relevant for the next 25 years, policymakers and healthcare providers will need to remain agile and alert; this groundbreaking legislation will only be effective for as long as it keeps pace with the newest technologies and security challenges.
