Despite the constant darts thrown at the HIPAA (the Health Insurance Portability and Accountability Act of 1996) since President Bill Clinton signed the legislation into law 25 years ago, an expert in legal privacy issues shares a “glass half-full” perspective on the law, whose provisions have been the foundation for healthcare privacy rules in the past quarter century.
Writing in The New England Journal of Medicine online on June 10, Anita J. Allen, J.D., Ph.D., a professor at the University of Pennsylvania Law School in Philadelphia, summarizes her perspective in the title of her Perspectives article, “HIPAA at 25—A Work in Progress.”
Professor Allen spends the first part of her article reviewing the origins and history of HIPAA, including, importantly, the December 28, 2000 release by the Department of Health and Human Services of the Standards for Privacy of Individually Identifiable Health Information, generally known as the HIPAA Privacy Rule, which became the rule governing how healthcare providers, plans, and clearinghouses have had to work to preserve and honor patients’ privacy. She helpfully notes that, because the Privacy Rule did not take full effect until 2004, and its final compliance deadlines did not arrive until 2005 and 2006, we have not yet reached the 25th anniversary of the Privacy Rule itself; we are instead at roughly the fifteenth anniversary of the Privacy Rule.
Still, no one will argue that HIPAA has not had a huge impact on how providers handle privacy issues. But, Professor Allen argues, we need to understand that HIPAA was never intended to be set in concrete with no modifications; as she puts it, “HIPAA was not destined to be a ‘one and done’ law.” She writes: “Given innovations in medical informatics, encryption, genomics, medicine, ‘big data’ analytics, wearable health devices, and telemedicine, it’s not surprising that its requirements have been supplemented and amended several times,” including through GINA (the Genetic Information Nondiscrimination Act), signed into law in 2008 by President George W. Bush, which amended HIPAA to restrict the use of individuals’ genetic data by health insurers and employers. And of course, she notes, the HITECH (Health Information Technology for Economic and Clinical Health) Act, which President Barack Obama signed into law in 2009, promoted the use of electronic health records “while strengthening HIPAA and GINA.” Further, she notes, an Omnibus Rule issued in 2013 modified HIPAA, GINA, and HITECH in order to “better balance individual rights with public health and medical research,” by allowing access without explicit patient authorization to limited data sets and deidentified patient information.
Professor Allen writes that “The Covid-19 pandemic has revealed the extent to which our technology infrastructure allows employers and public health officials, for better or worse, to track, trace, and monitor people’s symptoms, illnesses, and contacts. HIPAA regulations may be an institutional headache, but medical identity theft, ransomware attacks, data breaches, weak encryption, de-anonymization risks, wearable devices generating sensitive data, big data analytics, and discrimination are bigger headaches. Strong, well-informed regulations, with periodic revisions, can continue making a positive difference.”
And, speaking as an attorney, she concludes that “Privacy lawyers’ assessments of HIPAA’s impact skew positive — a perspective not universally shared by a health care industry saddled with the compliance burden. On HIPAA’s 10th birthday, attorney Daniel Solove noted that HIPAA had not bankrupted health care, shut down research, and paralyzed industry, as critics had feared. Instead, it ‘paved the way to real benefits for consumers through greater access to quality care.’ At 25, HIPAA is further along in paving the same important road.”