Looking back at 20 years of HIPAA

Twenty years ago, on August 21, 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. In those two decades, healthcare has changed a lot, and HIPAA has assisted with those changes along the way.

Those original privacy provisions, as signed by Clinton, totaled 337 words. By 2002, when the initial HIPAA Privacy Rule came into effect, there were 101,000 words, spanning more than 500 pages.

According to Jocelyn Samuels, Director, HHS: “When HIPAA regulation initially went into effect, it generated significant skepticism, confusion, and even angst.” On the one hand, healthcare providers were concerned that HIPAA compliance might prove too burdensome and expensive. On the other, patient advocates worried that HIPAA would fail to provide meaningful protection.

Early HIPAA enforcement was somewhat lax compared to today’s standards. Between 2003 and 2008, around 35,000 HIPAA privacy violations were reported, but not a single fine was issued against a healthcare provider. In a 2008 Wall Street Journal article, HHS said its approach was to encourage constructive improvements, which it could achieve more quickly than by imposing monetary penalties.

This all changed in 2009, when the HITECH Act was introduced.

This update included provisions to strengthen not only HIPAA privacy protections but also HHS’s ability to enforce them. Compliance requirements were extended to business associates, self-reporting of breaches became compulsory, and potential fines for violations increased to up to $1.5 million. Later that year, the HHS Office for Civil Rights (OCR) issued the first of many multi-million dollar penalties for HIPAA violations. The HITECH Act was finalized in January 2013 as the HIPAA/HITECH Omnibus Final Rule.

So what has HIPAA accomplished in 20 years? And where has it fallen short?
It could be argued that HIPAA was ahead of its time. Even in 1996, before widespread adoption of electronic health records, HIPAA recognized that the digitization of health data was on its way. HIPAA aimed to standardize the electronic exchange of sensitive health data, laid the boundaries for future health IT, and in turn strengthened privacy protections to transform modern healthcare.

Through all the changes and updates, HIPAA was written to sit somewhere between too rigid and too general, and there is still a lot of room for interpretation of its exact meaning. HIPAA is not without its flaws, and this has become strikingly apparent in recent years as the industry transitions into a world of digital technologies. By no means is HIPAA able to deliver a comprehensive map of security in 2016. Its principles now need to evolve to reflect new and changing demands.

Three cheers for HIPAA
At twenty years old, HIPAA may be an imperfect law, but it has the potential to grow and to mature. Jocelyn Samuels brands HIPAA a “blueprint” for health care reform, and it is likely to play a pivotal role long into the future.

It’s probably fair to argue that HIPAA has generated extraordinarily widespread awareness of data security and patient privacy. Everyone is familiar with HIPAA, and everyone understands there is a need to support it. HIPAA operates in full force for non-negotiable requirements, such as encryption, but it is flexible in the methods used to achieve a solution, which is why it is likely to succeed in adapting to the innovations of the future.