At 20, is HIPAA hitting its stride, or is it over the hill?

NYU medical students are exposed to de-identified information so they can learn how to analyze data and come up with hypothetical treatments for patients before they hit hospital floors. They also generally follow two to three specific patients at any point during rotations, but they can't continue to monitor patients and see how their treatments play out over time.

Dr. Fritz Francois, NYU Langone Medical Center's chief medical officer, would like to see New York University School of Medicine use more real-time data to better prepare students for the real world of population health management they're about to enter.

HIPAA, the law the federal government uses to police the privacy and security of the nation's health information, is standing in the way, he said.

That law—the Health Insurance Portability and Accountability Act—is turning 20, and some people may wonder if it's up to the job in 2016 and beyond.

The frustration Francois expressed illustrates one of the many conundrums posed by HIPAA and its regulations in an age when the healthcare industry is counting on the free flow of data to revolutionize how care is delivered and paid for.

President Bill Clinton signed the law Aug. 21, 1996—around the same time the World Wide Web and email were starting to take hold in American life. HHS and Congress have worked to transform and update the law—initially created to make it easier for Americans to keep health insurance coverage. In the decades since it was enacted, electronic health records have eclipsed paper, and health information is being collected and transmitted in ways the law doesn't reach.

And in spite of the law, healthcare has seen a drumbeat of massive data breaches. A cyberattack disclosed just weeks ago by Banner Health compromised the records of 3.7 million people. In addition, there have been recent episodes of criminals seizing hospital EHR systems with malware and demanding ransom to unlock vital medical data.

Hundreds of thefts, losses and other mishaps with paper and electronic patient information have been disclosed to HHS each year since mandatory reporting took effect in 2009, and the breaches often involve a sprawling array of vendors that do business with healthcare providers and insurers.

HHS' Office for Civil Rights has been quite active lately in HIPAA enforcement, reaching a dozen settlements in the current fiscal year compared with three in fiscal 2015.

The apparent crackdown has led to a lot of anxiety among healthcare providers, especially small entities that don't have the staffing or technology capabilities to keep up with an ever-changing world of cybersecurity where everyone is worried about the next attack.

“I think to fight off those kinds of attacks requires an increasing sophistication that isn't necessarily affordable for all providers,” said Mark Swearingen, an attorney at Hall Render Killian Heath & Lyman. “They do what they can to get a secure system set up.”

Covered entities and business associates also may not be aware of the requirements they must meet to be HIPAA- compliant. Although HHS produces guidance for the complex web of regulations, many businesses' HIPAA risk analysis programs aren't broad enough, Swearingen said.

Most companies have conducted risk analysis of their EHR systems as part of the federal incentive program for using the technology, but HIPAA actually requires a “comprehensive enterprise-wide risk analysis” that looks into all systems that touch protected health information, including billing systems and email.

Deven McGraw, who leads the health information privacy division at the Office for Civil Rights, says the higher volume in HIPAA settlements doesn't necessarily show an upward trend in HIPAA enforcement actions.

“Each case is examined, and the investigations develop based on the facts,” McGraw said. “The ultimate penalty that could be pursued that is the basis of the settlement discussion depends on the conduct involved.”

Even with record settlements, there are growing gaps in the law's protections. For example, wearable mobile devices, consumer-facing mobile apps and social media aren't generally covered by HIPAA's privacy and security protections, said Jodi Daniel, a partner in the law firm Crowell & Moring. And the application of HIPAA is ambiguous, she said, for services that aren't billed to health plans or other payers, including many telehealth services and care provided by so-called concierge practices. These swaths of the healthcare landscape are sure to grow.

“I think that gap poses significant problems,” said Daniel, previously was policy director in HHS' Office of the National Coordinator for Health Information Technology. “Even the same information held in different places may have protections in one place and not another.”

McGraw, however, praised HIPAA for covering the environment it was created to address 20 years ago while being flexible enough to adapt to dramatic changes in the industry. “I think it goes to show that we're open and willing to address the questions that are arising out there in the field, no matter how small or how big they seem,” she said.

The Office for Civil Rights is just starting its second wave of audits of covered entities, and the first-ever audit of their business associates, which became directly liable under HIPAA in 2013. “What I'm hoping we'll see is more examples of compliant organizations than in phase one,” McGraw said.

Ultimately, according to some, the Office for Civil Rights does not have the budget, staff or power to broadly enforce HIPAA's privacy and security provisions, leading many providers and business partners to install inadequate systems and protocols. “HIPAA is a false promise. It gives us the illusion that our privacy is protected, but without any enforcement mechanism that protection is largely hollow,” said Neal Eggeson, an Indianapolis-based attorney who specializes in privacy law. “The emperor has no clothes.”

But dramatically increasing the Office for Civil Rights' budget wouldn't drive providers to take data security more seriously, Eggeson said. Congress needs to create a private cause of action to allow victims to sue when their data is compromised, he said. “Overnight you would see covered entities start to take real strides towards improving patient privacy protection.”

Victims of breaches have pursued class-action lawsuits—one was filed last week against Banner—but judges have generally been dubious of the argument that the heightened risk of identity theft constitutes damages.

Nevertheless, just the fear of running afoul of the regulations is often blamed for stifling innovation, such as NYU's attempts to infuse medical education with data-driven healthcare delivery.

While he still wants patients to retain their privacy, Francois said relaxing some restrictions on the sharing of patient data with students could submerge them in managing population health from the beginning of their training. “That's really how we should be moving in terms of training the next generation,” he said.