August 13, 2016 01:00 AM

At 20, is HIPAA hitting its stride, or is it over the hill?

Erica Teichert
    AP Photo
    Since President Bill Clinton signed HIPAA into law in 1996, it has been updated to keep up with changes in data exchange.

    NYU medical students are exposed to de-identified information so they can learn how to analyze data and come up with hypothetical treatments for patients before they hit hospital floors. They also generally follow two to three specific patients at any point during rotations, but they can't continue to monitor patients and see how their treatments play out over time.

    Dr. Fritz Francois, NYU Langone Medical Center's chief medical officer, would like to see New York University School of Medicine use more real-time data to better prepare students for the real world of population health management they're about to enter.

    HIPAA, the law the federal government uses to police the privacy and security of the nation's health information, is standing in the way, he said.

    That law—the Health Insurance Portability and Accountability Act—is turning 20, and some people may wonder if it's up to the job in 2016 and beyond.

    The frustration Francois expressed illustrates one of the many conundrums posed by HIPAA and its regulations in an age when the healthcare industry is counting on the free flow of data to revolutionize how care is delivered and paid for.

    President Bill Clinton signed the law Aug. 21, 1996—around the same time the World Wide Web and email were starting to take hold in American life. HHS and Congress have worked to transform and update the law—initially created to make it easier for Americans to keep health insurance coverage. In the decades since it was enacted, electronic health records have eclipsed paper, and health information is being collected and transmitted in ways the law doesn't reach.

    And in spite of the law, healthcare has seen a drumbeat of massive data breaches. A cyberattack disclosed just weeks ago by Banner Health compromised the records of 3.7 million people. In addition, there have been recent episodes of criminals seizing hospital EHR systems with malware and demanding ransom to unlock vital medical data.

    Hundreds of thefts, losses and other mishaps with paper and electronic patient information have been disclosed to HHS each year since mandatory reporting took effect in 2009, and the breaches often involve a sprawling array of vendors that do business with healthcare providers and insurers.

    HHS' Office for Civil Rights has been quite active lately in HIPAA enforcement, reaching a dozen settlements in the current fiscal year compared with three in fiscal 2015.

    The apparent crackdown has led to a lot of anxiety among healthcare providers, especially small entities that don't have the staffing or technology capabilities to keep up with an ever-changing world of cybersecurity where everyone is worried about the next attack.

    “I think to fight off those kinds of attacks requires an increasing sophistication that isn't necessarily affordable for all providers,” said Mark Swearingen, an attorney at Hall Render Killian Heath & Lyman. “They do what they can to get a secure system set up.”

    Covered entities and business associates also may not be aware of the requirements they must meet to be HIPAA-compliant. Although HHS produces guidance for the complex web of regulations, many businesses' HIPAA risk analysis programs aren't broad enough, Swearingen said.

    Most companies have conducted risk analysis of their EHR systems as part of the federal incentive program for using the technology, but HIPAA actually requires a “comprehensive enterprise-wide risk analysis” that looks into all systems that touch protected health information, including billing systems and email.

    Deven McGraw, who leads the health information privacy division at the Office for Civil Rights, says the higher volume in HIPAA settlements doesn't necessarily show an upward trend in HIPAA enforcement actions.

    “Each case is examined, and the investigations develop based on the facts,” McGraw said. “The ultimate penalty that could be pursued that is the basis of the settlement discussion depends on the conduct involved.”

    Even with record settlements, there are growing gaps in the law's protections. For example, wearable mobile devices, consumer-facing mobile apps and social media aren't generally covered by HIPAA's privacy and security protections, said Jodi Daniel, a partner in the law firm Crowell & Moring. And the application of HIPAA is ambiguous, she said, for services that aren't billed to health plans or other payers, including many telehealth services and care provided by so-called concierge practices. These swaths of the healthcare landscape are sure to grow.

    “I think that gap poses significant problems,” said Daniel, who previously was policy director in HHS' Office of the National Coordinator for Health Information Technology. “Even the same information held in different places may have protections in one place and not another.”

    McGraw, however, praised HIPAA for covering the environment it was created to address 20 years ago while being flexible enough to adapt to dramatic changes in the industry. “I think it goes to show that we're open and willing to address the questions that are arising out there in the field, no matter how small or how big they seem,” she said.

    The Office for Civil Rights is just starting its second wave of audits of covered entities, and the first-ever audit of their business associates, which became directly liable under HIPAA in 2013. “What I'm hoping we'll see is more examples of compliant organizations than in phase one,” McGraw said.

    Ultimately, according to some, the Office for Civil Rights does not have the budget, staff or power to broadly enforce HIPAA's privacy and security provisions, leading many providers and business partners to install inadequate systems and protocols. “HIPAA is a false promise. It gives us the illusion that our privacy is protected, but without any enforcement mechanism that protection is largely hollow,” said Neal Eggeson, an Indianapolis-based attorney who specializes in privacy law. “The emperor has no clothes.”

    But dramatically increasing the Office for Civil Rights' budget wouldn't drive providers to take data security more seriously, Eggeson said. Congress needs to create a private cause of action to allow victims to sue when their data is compromised, he said. “Overnight you would see covered entities start to take real strides towards improving patient privacy protection.”

    Victims of breaches have pursued class-action lawsuits—one was filed last week against Banner—but judges have generally been dubious of the argument that the heightened risk of identity theft constitutes damages.

    Nevertheless, just the fear of running afoul of the regulations is often blamed for stifling innovation, such as NYU's attempts to infuse medical education with data-driven healthcare delivery.

    While he still wants patients to retain their privacy, Francois said relaxing some restrictions on the sharing of patient data with students could immerse them in managing population health from the beginning of their training. “That's really how we should be moving in terms of training the next generation,” he said.

    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.