In the 20 years since its enactment, HIPAA has evolved to become the face of patient privacy guidelines. But even before the Health Insurance Portability and Accountability Act was enacted in 1996, the Hippocratic Oath made some of the first mentions of patient privacy — in roughly 400 B.C.
The original Hippocratic Oath was written in Greek. It was part of a body of manuscripts called the Hippocratic Collection, associated with Hippocrates, a physician of his time who is now deemed the Father of Medicine. A 1943 translation of the Hippocratic Oath reads, "What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about."
Now, centuries later, providers are still grappling with issues of safeguarding patient information and maintaining trust with their patients. Of course, times have changed, and the digitization of healthcare has created a healthcare environment and capabilities Hippocrates likely never would have imagined. But the basic tenets of the oath and what providers take HIPAA to mean are similar.
President Bill Clinton signed H.R. 3013, now known as HIPAA, into law Aug. 21, 1996. However, it wasn't until HHS added the Privacy Rule to HIPAA in 2000 and the Security Rule in 2003 that it earned its legacy as the privacy law. And as times continue to change, the law has undergone even more amendments, notably the Omnibus rule in 2013, which expanded patients' rights to their health information, increased the requirements on entities that receive protected health information and established the breach notification rule.
In the early years of HIPAA, the law was intended to be permissive, says Peter Tippett, MD, PhD, chairman of data delivery solutions provider DataMotion. Dr. Tippett previously was CMO for Verizon and served on President George W. Bush's Information Technology Advisory Committee from 2003 to 2005, among many other leadership positions.
"HIPAA was supposed to be the permission, a way to get things done, easing the burden," Dr. Tippett says. "If you want to share information, all you have to do is take care of the basics of privacy, here they are."
The original HIPAA law includes standards for information transactions and data elements. "The Secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically," reads Section 1173. "Each person described…who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards" of that information.
But Dr. Tippett says many providers and entities found the rules too "open and permissive."
"People tend to prefer explicit rules," Dr. Tippett says.
Now, healthcare organizations tend to view HIPAA in a more punitive light. It is something they can be punished for, and not without reason. With the Omnibus rule's breach notification requirement and HHS' Office for Civil Rights' breach notification portal, covered entities are essentially publicly shamed when hit with a breach, whether it was the fault of an internal employee or an external hacker. In fact, OCR's breach notification portal is nicknamed the "Wall of Shame," which in and of itself has incited criticism.
Lynn Sessions, a partner with BakerHostetler's privacy practice, says the privacy and security rules of HIPAA changed how hospitals approached questions of patient privacy. She was a litigator working with healthcare providers when the Privacy Rule was enacted. "It really did change the way we did business as far as being able to get information and having to get authorization from patients," she says. "When the Privacy Rule came down, we saw HIPAA really started [to have] a more enforcement flavor to it."
If a breach does strike and healthcare organizations are found to have violated HIPAA, they can now face multimillion-dollar penalties. In August, Downers Grove, Ill.-based Advocate Health System agreed to the largest HIPAA settlement to date: a $5.55 million payment and corrective action plan related to three separate incidents in 2013, two of which involved laptops being stolen from Advocate offices.
In the first seven months of 2016 alone, HHS recorded close to $15 million in HIPAA violation settlement payments.
And Ms. Sessions says OCR investigations into reported breaches and subsequent penalties are going to continue. That, though, may have an adverse effect on how patients view privacy efforts by hospitals and health systems. She says organizations are overly cautious when security incidents happen and tend to err on the side of notifying the public of an incident, often to comply with HIPAA requirements. But with so many letters and notifications, the public is developing its own kind of alarm fatigue.
"Patients are going to become desensitized to it," Ms. Sessions says. "There's going to be one situation that's really bad, and patients are not going to take it seriously."
So how should the industry move forward with HIPAA in a constructive way? Dr. Tippett suggests focusing on preventing security events that are truly destructive. "We're putting emphasis on the wrong syllable," he says, emphasizing the second syllable of "emphasis" and "syllable."
He suggests too much time and effort is spent penalizing organizations for reportable breaches that don't actually expose patient data, such as a stolen laptop that was password-protected and encrypted. Instead, enforcing security precautions like two-factor authentication and mitigating unauthorized internal access could be more effective and useful.
"I'd refocus on the few things that have the biggest power to reduce those kinds of problems," he says. "I liked HIPAA in the beginning because it was risk-oriented. Risk means figure out what's really going on and resist that thing. I feel like we've gotten away from the roots of that."