The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law designed to improve the efficiency, effectiveness, and security of the nation’s healthcare system. The HIPAA Act is divided into five parts.
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
- Title III: Tax-Related Health Provisions
- Title IV: Application and Enforcement of Group Health Plan Requirements
- Title V: Revenue Offsets
We will be focusing on Title II, as this is where the privacy and security of patient data is described.
Even though HIPAA was passed in 1996, entities that were subject to the regulations HIPAA imposed had until 2003 to fully comply with the rules. By 2003, many healthcare entities were still not fully compliant due to the lack of repercussions. In 2006, a HIPAA enforcement rule was passed that gave the Department of Health and Human Services the authority to investigate and bring criminal charges against entities that failed to comply with HIPAA regulations.
HIPAA Privacy Breaches
According to Dr. McCoy and Dr. Perlis, between January 1, 2010 and December 31, 2017, 2149 breaches comprising a total of 176.4 million records were reported.
The most common entity breached was a health care provider, with 1503 breaches compromising a total of 37.1 million records. 278 breaches of health plans accounted for 110.4 million breached records.
The most common media breached was on paper with 510 breaches comprising 3.4 million records. 410 breaches of information from network servers accounted for 139.9 million breached records.
Despite the ethical and legal obligations to protect patient privacy, breach rates have increased. As the type of data breached shifted towards electronic records, the nature of the breaches shifted towards electronic means, such as hacking.
With traditional identity theft, banks and the Social Security Administration are able to contain some instances by changing details, such as account or social security numbers. However, because health data cannot be changed, stolen health care records can have long-term ramifications that go beyond the typical hazards. Once your health data is stolen, someone can assume your identity and do anything they want with it. Stolen health data is associated with more serious identity thefts such as tax fraud and home equity loan fraud. One can attempt to remove the fraudulent charges from their credit report, but the charges will reappear with each billing cycle.
Medical records can sell for up to $1,000 online, depending on the completeness of the information contained within. The more complete the information, the harder it is for the victim to reclaim their identity.
The HIPAA Security Rule
In 2003, the HIPAA Security Rule was passed. This rule is an important element of the HIPAA Rules within Title II. This addition defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.” Protocols were also created for obtaining a patient’s permission to use or share their PHI. This rule was a large step towards security, but another challenge popped up: What if a patient has to move between healthcare systems?
Health Information Technology for Economic and Clinical Health Act (HITECH) and the Breach Notification Rule
HITECH and the Breach Notification Rule were added in 2009. HITECH was primarily designed to convince healthcare workers to start using Electronic Health Records (EHRs) to make it easier to transfer and share a patient’s health information between healthcare providers and to reduce the dependence on paper records. In 2011, an additional incentive for the use of EHRs came in the form of the Medicare and Medicaid EHR Incentive Program. This program provides payments to eligible healthcare professionals as they adopt, implement, upgrade, or make other meaningful uses of certified EHR technology.
The Breach Notification Rule acted as a counterpoint to HITECH by requiring that any breach of EHRs affecting more than 500 people be reported to the federal government. As mentioned above, cyberattacks and corporate data breaches are becoming more prevalent. This new reporting requirement was designed to help affected individuals protect themselves in the event that their information was compromised.
Final Omnibus Rule
The most recent addition to HIPAA was the Final Omnibus Rule created in 2013. This addition filled the gaps left by the Breach Notification Rule and HITECH by specifying encryption standards for EHRs. This rule also cleared up the definitions of the entities protected and regulated under HIPAA. The increased use of mobile devices in healthcare was also accounted for by introducing new policies for healthcare professionals who used their phones or tablets to access and send PHI.
Does HIPAA Keep Our Data Safe?
Based on the history of HIPAA, it may seem like HIPAA should protect all confidential health information from being shared or stolen. Unfortunately, our healthcare records are not as safe as they seem to be. New methods of storing and sharing data have created gaps in the regulatory framework that those with malicious intent can exploit. Federal and state laws designed to protect PHI are only enforced on covered entities, which include healthcare providers, healthcare plans, and research institutions. These laws are not enforced internationally or on the Internet. As a result, more and more of our personal information, including healthcare data, is being collected by Internet Service Providers and third-party analytics companies and sold to marketing agencies. Websites make users agree to “Terms of Service”, typically long and confusing documents describing how the user’s information is collected and used, which most readers do not read or understand.
A new culture of social media and data sharing has encouraged Americans to willingly share personal information on the Internet. This shared information is not regulated under HIPAA. Some of it may not be medical in nature, but it can still be used to tie anonymized medical data back to specific individuals.
What’s Next for Health Data Privacy?
Additional statutes have been periodically added to HIPAA to improve regulations. Further adjustments to HIPAA may be needed to address current threats to our health data privacy. New laws need to be made to expand HIPAA-regulated entities to include any and all entities that gather personal health information, including companies such as Google and Facebook. Encryption and anonymization protocols could be updated to combat the threat of machine re-identification.
What Should You Do To Prevent Your Healthcare Records From Being Stolen?
- Don’t overshare. Don’t overshare your personal information on social media. A person’s identity is similar to a puzzle. The more pieces you share to the public, the easier it will be for someone else to impersonate you.
- Know who you are talking to. If you get a call or email claiming to come from your healthcare provider or medical insurance company, do not provide any personal information over the phone or by email. Instead, log onto your patient portal to verify whether the inquiry really came from your healthcare provider, and answer the questions through the patient portal for maximum security.
- Read medical-related mail carefully. Your medical insurance company routinely mails out a summary of the medical services you received. Read through all the services and make sure they are the goods or services you actually received. If you spot any suspicious additional services, contact your provider or insurance company immediately. Problems are easier to fix when they are spotted early.
Initech Training System