Privacy Advisor

HIPAA Hits Five

July 1, 2008

By Annie Lindstrom, IAPP Correspondent

In the Internet Age, a year is like a century. So while it has been only five years since the Health Insurance Portability and Accountability Act (HIPAA) privacy requirements took effect, it may seem to many like a much longer time.

When asked about HIPAA's effectiveness, however, privacy officials who are impacted by it on a daily basis quickly point out that while the HIPAA privacy rule "is not perfect," it was a good start. This is because HIPAA's privacy rules set a floor for safeguarding consumers' personal health information (PHI).

"We really think they were a landmark moment in privacy protection," says Deven McGraw, director of the Center for Democracy & Technology's Health Privacy Project (HPP). "We didn't get everything we wanted. But it was a big improvement over what was in place before, which was nothing at the federal level. Before that you had to rely on state level protection only."

Nevertheless, McGraw and most observers agree that an update to HIPAA's privacy rules is long overdue. For example, because of the new players and new technologies that no one could have imagined in 2003, there is a broad-based concern that the HIPAA Privacy Rule doesn't protect a wide range of individual health information. This is because many of these new participants aren't covered by HIPAA, she adds.

"We celebrated HIPAA's fifth anniversary because we did a good thing in 2003. But now is the time to look at how well it has worked and determine what we need to do to respond to the many challenges that are introduced by this new environment," says McGraw.

A Little History

It is difficult to understand how far HIPAA has come and where it is going without a little background on its origins. Created and passed into law in 1996, the HIPAA statute—which initially focused on the idea of "portability of health insurance coverage," was, and continues to be a "modular" work in progress, with a wide variety of healthcare topics covered in a single law. One key aspect was the idea of "administrative simplification," as HIPAA architects sought to simplify and reduce the cost of healthcare by turning certain paper transactions into standard electronic ones. As this push towards electronic standardization progressed, the privacy and security of this information also became a concern, because no one knew what that this standardization was going to look like. So, in 1996, the HIPAA law was passed without specifying any significant details about privacy and security protections.

In addition to cost cutting, overall privacy of "protected health information"—PHI—also was a growing concern in the early and mid-90s. Back then it wasn't unusual to be asked to provide PHI when seeking a mortgage or employment. There also were no rules providing broad privacy protections at the federal level. Instead, privacy was protected only by a patchwork of state laws. HIPAA's architects realized the need to codify and enact federal privacy rules and regulations concerning PHI, but they also realized it would take several years to develop those rules. The statute required Congress to sort out the issues and create HIPAA's privacy rules and regulations by 1999.

In the event that Congress was unable to meet the deadline, the act called for the U.S. Department of Health and Human Services (HHS) to step in and make the rules. That is exactly what happened. HHS finished writing the rules and regulations in 2002 and they took effect in 2003. The privacy rules apply only to the three types of covered entities (CEs) subject to HIPAA—most healthcare providers, healthcare clearinghouses and health plans. These were the entities specified in the HIPAA law itself—the ones who participated in the standard electronic transactions—and HHS couldn't extend the reach of the rules beyond these entities.

HIPAA is enforced by HHS' Office of Civil Rights (OCR). Statistics recently released by OCR indicate that the office has been busy over the past five years. OCR logged more than 36,000 HIPAA related complaints to date. The great majority of those complaints were resolved after their intake and review. The remaining cases were resolved by taking corrective action or were dismissed (see chart).

"If you look at the overall industry, the number of complaints received by HHS is not all that great when compared to the number of patient encounters with their providers and health plans" says Kimberly Gray, chief privacy officer for Highmark Inc. and IAPP board member.
The total number of complaints might actually be smaller if more people had a better overall grasp of HIPAA's privacy rules. For example, after HIPAA took effect in 2003, privacy officials in California started getting twice the normal number of calls concerning medical privacy issues, according to Joanne McNabb, Chief of the California Office of Privacy Protection.

"Almost all the calls were from people who said they thought they had just signed away their rights when they signed their HIPAA forms," she explains. "They didn't get it."
Doctors are not immune either.

"I get calls quite frequently from people who have asked their doctor for a copy of their medical records and the doctor has told them that HIPAA says they can't have them," adds John Collins, HIPAA privacy officer for the Florida Agency for Healthcare Administration, who spoke to the IAPP for this article on his own behalf.

When it comes to applying HIPAA, California recently conducted scenario-based research with people involved in various aspects of healthcare, including consumers. One of the findings of the research was that there is a huge range of interpretations in many of the provisions of HIPAA, says McNabb.

However, even though HIPAA often is misunderstood, its enactment "certainly has raised awareness of privacy issues" both inside and outside the healthcare industry over the past five years, adds Gray.

Despite the confusion, OCR has yet to level any civil monetary penalties on any CEs. While monetary penalties are a tool at OCR's disposal, the office prefers to stay focused on compliance and education because, in the end, that is of the greatest benefit to all involved, according to a spokesperson for HHS.

Gray applauds the approach, noting that Highmark and most CEs do the right thing simply because it is the right thing to do, not out of fear of any sort of penalty.

"I think the level of enforcement is absolutely appropriate. If OCR can get voluntary compliance its good for all of the entities involved and the population as a whole," says Gray. "There's really no grand benefit from slapping fines on CEs when they are not called for. On the other hand, if there is egregious misconduct on some entity's part, then I think assessing civil or criminal penalties is absolutely appropriate."

Closing the Gap

The introduction of new players and new technologies to the healthcare marketplace over the past five years has created gaps, or perceived gaps, in HIPAA that many would like to see addressed. At the forefront of their concerns is the entrance of Internet players—such as Google, Microsoft and AOL founder Steve Case—into the healthcare business. All are offering customers the ability to create and store their personal health records on the Internet.

The newcomers themselves are not necessarily the problem. It is the fact that they do not fall under HIPAA's jurisdiction, which at present is limited to the three types of CEs. Beyond these |new technology" entities, there is a wide variety of other kinds of companies that gather and disseminate healthcare information, but that are not covered by the HIPAA Privacy rule because of its limited scope.

"The general public is not aware that HIPAA's privacy and security measures do not apply to these companies," says Collins.

In addition, the migration and the free flow of PHI out of the traditional healthcare system to these Internet companies introduces some new challenges, adds McGraw. For example, agencies that regulate Internet companies are not as familiar with how the healthcare system and its entities operate. It also is quite possible that HIPAA might not be the right set of rules for personal health record tools that are supposed to be controlled by the consumer, she adds.
The continuing rapid evolution of new electronic technologies into the fabric of our society also is a major concern.

"I work with a group on health information exchange and e-records. A lot of today's technological capability was not anticipated when HIPAA was enacted in 1996. So there are some gaps I hope will be filled by subsequent legislation such as Senate Bill 1814, The Health Information Privacy and Security Act," says Collins.

Any update to HIPAA, or new privacy legislation, should include standards for digital signatures, e-prescribing and encryption, he adds. In addition, Collins would like to see OCR gain the ability to enforce HIPAA violations committed by entities that sign business associate agreements with CEs. Currently, HIPAA does not allow OCR to penalize, or remedy situations involving, non-covered entities working alongside CEs.

Taking Action

In Congress, the House of Representatives is working on a bill that would extend OCR's potential to enforce the HIPAA privacy rule against business associates working with CEs. The Health Information Technology and Quality Act also contains a breach notification provision. A source that is keeping an eye on the proposed legislation says that it is moving quickly and is likely to move through Committee this year.

Currently under consideration in the Senate is The Health Information Privacy and Security Act. Introduced in 2007 and still in committee, the proposed bill seeks to create new privacy safeguards in three areas—individuals' rights; restrictions on use and disclosure, including breach notification; and the creation of a new office of Health Information Privacy within HHS. A summary of the bill says that if it is passed, it requires the Secretary of HHS to revise HIPAA so it is consistent with the legislation.

An excellent starting point for increasing privacy protection could come in the form of an overarching piece of consumer privacy legislation that says that anyone who handles PHI must follow fair information practices, adds McGraw. Such a law would provide a broad framework, which also could be tailored to meet the needs of organizations in need of more specific rules, she adds. HPP has posted a white paper on its Web site on the topic.

The good news is that, unlike 1996, most everyone involved with updating HIPAA or creating new umbrella legislation has a better understanding and appreciation of the privacy issues that the Electronic and Internet Ages bring to the table.

"We are all wiser now than we were then," says McGraw. "But we still have a lot to learn."

Annie Lindstrom is president of KittyHawk Communications, Cape Coral, Fla. Annie has worked as a freelance writer since 2000. Prior to launching her own business, she worked as a journalist for the telecommunications industry's top trade publication since 1989.