Protected health information (PHI) includes any past, present and future information that is generated or received by a healthcare provider, an employer, a school, a life insurance policy or a health insurance company. New technology trends in the healthcare industry have significantly changed the way protected health information is stored and shared.
The implementation of PHI via mobile, cloud computing and social networking have made it possible for doctors and nurses to work more effectively and efficiently, while also giving consumers more information and control when it comes to their own healthcare.
However, in order for the benefits of new technology to be fully appreciated, its effects on the privacy and security of consumers’ PHI should be considered.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) states that as long as the information includes details about a patient’s health, it cannot be shared without their permission. All information is protected no matter how it is received, whether it is spoken, faxed, emailed, written or part of an electronic medical record.
HIPAA is responsible for regulating who has legal access to a patient’s protected information. A patient can legally access their personal PHI at any time and for any reason, but covered entities also have a legal right to access that information under HIPAA. Covered entities are groups that HIPAA has labeled as responsible for protecting information concerning your health. These groups can include healthcare providers such as a doctor, nurse or a pharmacy, and can be owned privately or by the government.
When a patient visits a doctor for the first time, they are typically asked to fill out paperwork. One part of that paperwork requires new patients to sign a form which gives the doctor or nurse legal access to the patient’s PHI.
Under HIPAA, the Privacy Rule and the Security Rule also exist. The HIPPA Privacy Rule ensures that all covered entities keep patients’ PHI secure and properly educate their patients about their rights under HIPAA. Proper education involves providing patients with a written statement which describes how healthcare providers and other covered entities can use or share their PHI.
The HIPAA Security Rule details the steps healthcare providers must take to keep patients’ electronic PHI secure. Providers are required to continually assess the security of their electronic health record systems and then put specific physical, administrative and technical safeguards in place to protect against the risks that were revealed during the assessment.
But just as HIPAA became more engrained in the everyday practices of healthcare providers, Congress stepped in and passed the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH).
Among other things, the HITECH Act increased the penalties for HIPAA violations up to $1.5 million in certain circumstances, which particularly strengthened HIPAA’s enforcement and compliance regulations. It also included the first federal data security breach requirement, and required the U.S. Department of Health and Human Services (HHS) to conduct security and privacy audits.
The HITECH Act was a part of a larger bill known as the American Recovery and Reinvestment Act. The HITECH portion of the bill had $19.2 billion set aside to increase the use of electronic health records by hospitals and physicians.
The implementation of the act was the beginning of a major shift in the enforcement strategy of the Office of the National Coordinator for Health Information Technology (ONC). Because of the HITECH Act, non-compliance resulted in financial and professional standing losses for businesses.
In January 2013, the HITECH-HIPAA final rule was announced, which implemented all of the HIPAA modifications mentioned in the HITECH Act. One notable change was the direct application of HIPAA to business associates, which were previously governed by their contract with a covered entity. However, after the modifications from the HITECH Act, business associates became subject to HIPAA sanctions as well as enforcement.
The modifications were likely aimed at addressing patient privacy concerns and holding business associates to the same code of regulations as other entities. According to the American Health Information Management Association (AHIMA), more than 20% of all security breaches that are reported to the HHS are caused by business associates – that equates to approximately 12 million patients.
HIPAA continues to focus on its mission to protect the privacy and security of patients. As long as privacy problems exist in the healthcare world, HIPAA’s presence will be a necessity.
"It is too early to tell yet, but this shift in how data will be created, will flow, be maintained, and be accessed might require new thinking about how health information could be protected," said Jodi Daniel, director of policy and planning at the ONC in a 2013 article published in the Journal of AHIMA.
As technology continues to change, so will the rules and regulations that make up HIPAA. According to AHIMA, compliance is not something that will ever be completely solved.
"Protecting the privacy and security of health information is a continuous process. HIPAA must be reassessed all the time to make sure it is working optimally," said Joy Pritts, the chief privacy officer for the ONC, in a 2013 AHIMA article titled, "HIPAA Turns 10: Analyzing the Past, Present and Future Impact."