Teaching the Internet to whisper: The evolution of HIPAA

The Internet has become a tool of unprecedented growth. In healthcare, the increased levels of connectivity provide opportunities for enhanced care coordination and innovation.

Growth and power, though, come with the risks and responsibilities of using such a resource in an appropriate manner.

"The Internet hasn't given us a whole lot of reason to trust it," says Jeff Tangney, co-founder and CEO of Doximity, a physician social networking site. Incidents such as the Target data breach and the recent hack into Community Health Systems' network illustrate Mr. Tangney's point: threats to cybersecurity are increasing.

However, public use and trust of the Internet isn't slowing down. "People have come to trust the Internet but it's at the same time when the Internet has had more breaches than ever," Mr. Tangney says.

With more and more people using the Internet, the need for rules and regulations arose. In healthcare, those regulations come in the form of the Health Insurance Portability and Accountability Act, which, after a series of revisions, aims to rein in and manage the free flow of information hosted on the Internet.

"People learn how to shout quickly from the Internet to everywhere," Mr. Tangney says. "Now with HIPAA and healthcare, we're trying to teach it to whisper. It's hard to take a tool that was built for shouting and teach it to whisper."

The history of HIPAA
HIPAA is known in the vernacular as the Healthcare Privacy Law, a set of rules and regulations set to safeguard the personal health information of American patients.

However, HIPAA was never originally intended for such purposes.

When President Bill Clinton signed it into law in 1996, HIPAA's focus was on protecting health insurance coverage for citizens who lost or changed jobs. It wasn't until 2001 when privacy became equated with the law by way of the Privacy Rule amendment, which clarified the rights of individuals to control the use of their protected health information. In 2003, the Security Rule was enacted, establishing administrative, technical and physical national standards for safeguarding protected health information.

Leeann Habte, senior counsel and a healthcare business lawyer with Foley & Lardner in Los Angeles, says the original emphasis of HIPAA was on enforcing the protection of data and information. But that has changed with the expansion of electronic data, bringing more entities under the law, including third-party business associates. As providers increasingly turned to outside companies to handle data, the Privacy Rule added business associates to the list of entities required to comply with HIPAA, alongside health plans, healthcare clearinghouses and providers.

"The scope and breadth of information of the supply has greatly expanded," Ms. Habte says. "The [number of] entities it applies to has expanded because the omnibus rules that were implemented...really clarified and expanded the applicability of these HIPAA regulations to business associates."

HIPAA: Then and now
Before the proliferation of mHealth and the onset of healthcare-related information technology advancements, HIPAA and its applicability were still shrouded in uncertainty.

Mr. Tangney experienced navigating HIPAA first-hand when the law was in its early stages. Before his current position with Doximity, he was a co-founder of Epocrates, a healthcare software company that launched in 1999 providing drug references for physicians on mobile devices. At that time, Epocrates was focused on understanding basic definitions and functions of HIPAA, mainly encryption and how to authenticate app users online.

Additionally, Mr. Tangney suggests people in the late 1990s and early 2000s perhaps simply weren't aware of the permanence of information disseminated via digital platforms, which created less urgency around cybersecurity. Current technologies and advancements have brought such concerns to the fore.

"People have come to understand what Internet privacy means a little more," he says. "Things like Facebook have made people aware that digital information doesn't go away. Once it's leaked, it's out there forever."

Healthcare providers were also less concerned about HIPAA violation fines because the fines were less threatening, Mr. Tangney suggests. The final omnibus rule in 2013 increased violation penalties. The previous standard had a penalty range of $100 to $25,000. The new law established a tiered system of penalties, with up to a $50,000 penalty per violation.

The impact of these increased penalties became apparent earlier this year when NewYork-Presbyterian Hospital and Columbia University in New York City were handed the largest HIPAA violation settlement to date, a $4.8 million fine after the electronic protected health information of more than 6,800 patients was made available on public search engines.

Now, Mr. Tangney says, a lot of the questions and uncertainties surrounding HIPAA have been ironed out, allowing for greater understanding of the law and wider adoption and applicability of its regulations.

When HIPAA is misused
On one side of the spectrum, hospital and healthcare organizations are wary of HIPAA, trying to avoid mentions of their company name alongside the acronym for fear of a breach of security or, worse, loss of trust from patients.

On the other side, organizations are also finding ways to use HIPAA to their benefit, whether the law is truly applicable or not.

HIPAA is a piece of legislation that is set in place to protect patients and their sensitive medical information, but hospitals have misconstrued HIPAA as a protective shield for themselves.

Take, for example, the mother who sued a Mercy hospital in Springfield, Mo., who was told she was violating HIPAA and was threatened with jail time for taking a picture of her son in the hospital. In another incident, attorneys of the Daytona Beach (Fla.) Health and Rehabilitation Center said they could not hand over information regarding the alleged sexual abuse of one of its residents to investigators because of patient privacy.

Deven McGraw, partner at Manatt, Phelps & Phillips who specializes in healthcare, said in an NPR report (co-published with ProPublica) that HIPAA in fact has provisions allowing investigating police officers and whistleblowers to share information with appropriate authorities.

In such cases, healthcare providers appear to be calling upon HIPAA to protect themselves, as opposed to protecting the privacy of their patients.

"Sometimes it's really hard to tell whether people are just genuinely confused or misinformed, or whether they're intentionally obfuscating," Ms. McGraw said in the report.

However, Ms. Habte says it is difficult to claim these instances as misuses and abuses of HIPAA, as healthcare providers need to strike a balance between adequate communication and patient protection. "Hospitals and healthcare institutions have to walk a fine line between being somewhat transparent but also making sure that in commenting on a particular incident that they're not in any way violating the privacy of their patients," she says.

HIPAA's role in strategic marketing
As IT software and device development forge onward, more organizations are making a concerted effort to ensure patient privacy. Many have turned HIPAA into a marketing tool, boasting that their service or software is "HIPAA-compliant," which Mr. Tangney says can be rather misleading.

"I grimace every time I hear 'HIPAA-compliant app,'" Mr. Tangney says. "You can be HIPAA-secure as an app — that means you have certain encryption levels and authentication levels you adhere to — but I can never promise that everything that happens on our service is HIPAA-compliant. That's a false promise."

For example, a physician using Doximity can still take the securely transmitted information and share it inappropriately through other channels. Mr. Tangney says there is a fine line between being HIPAA-secure and HIPAA-compliant: the former lies in the hands of the developer and the organization, while the latter is partly the doing of the service's users.

Ms. Habte agrees, saying labeling services as HIPAA-compliant can be inaccurate, although she says such a proclamation can indicate to providers that the company has adequately thought through security risks and pays mind to cybersecurity.

"Covered entities who are looking at vendors and software applications to handle their data have to understand what the security profile of these vendors and organizations are," Ms. Habte says. "By [vendors] identifying themselves as being compliant with HIPAA, it's intended to indicate to their potential clients that, 'Yes, we do know about HIPAA and we do take it seriously.'"

Continuous evolution
The collective attention paid to HIPAA will continue to grow as information technology and healthcare innovation develop further. With the quickening pace of electronic data sharing, the ongoing journey toward meaningful use and the continuous development of mHealth platforms, the issue of patient privacy and safeguarding health information will stick around.

"There's always something new, something that people didn't think about a year or two ago that is now possible that we have to protect against," says Ms. Habte. "As technology changes and as practices change, it is constantly evolving. There are always new things to consider."

Copyright © 2024 Becker's Healthcare. All Rights Reserved.