Regulatory Compliance

HIPAA Compliance and Privacy Issues

Heartbleed was a wake-up call to patients, health care firms, and legislators. The incident exposed both the fragility of the software that secures online connections (in this case OpenSSL, whose flaw let an attacker read server memory that could include private keys and patient data) and the inadequacy of the patient privacy laws already on the books. This was not merely an issue of patients' rights, but of national security. If attackers could pull private keys and session data out of the servers that protect these sites, what else might be exposed? As vulnerabilities are discovered, the laws themselves need to be adjusted. As Heartbleed showed, legislation is only ever as good as our command of the technology it governs.

One of the most comprehensive laws on the subject of protecting electronic transmissions of patient data is the Health Insurance Portability and Accountability Act (HIPAA), which former US President Bill Clinton signed into law in 1996. The law was drafted to anticipate (and hopefully prevent) security breaches in a world that was becoming increasingly dependent upon electronic media. Under HIPAA, firms must have their own documented processes for identifying and correcting security issues. HIPAA also limits who may access particular pieces of patient information: under its "minimum necessary" standard, if a piece of information is not required for a physician to fulfill their duties, that physician should not, legally, have access to it. In the simplest terms, the law makes explicit that no health care provider may release protected health information unless permitted or required to do so under HIPAA's "Privacy Rule."

HIPAA further requires administrative safeguards alongside physical and technical ones. The HIPAA "Security Rule" obliges firms to periodically assess both the technical and non-technical dimensions of their workflow through a risk analysis, and if it becomes known that a security measure is no longer adequate, the firm can be held liable unless it makes the necessary changes.

One significant set of changes to HIPAA was the Omnibus Rule, which took effect in March 2013. The Omnibus Rule obviously was not enough to entirely safeguard the public against Heartbleed, but it was a step in the right direction regardless. Among its provisions, it tightened the limits on using patient information for fundraising or marketing. The Omnibus Rule also extended direct liability beyond health care firms to their "business associates," the other professionals a health care firm might contract with, such as consultants, creditors, accountants, data analysts, or anyone in legal services.

One of the most significant changes under the Omnibus Rule, however, is that it treats any impermissible disclosure with greater severity. Before the Omnibus Rule there was a "harm threshold," and if an incident did not meet that threshold, it did not have to be reported. Under the Omnibus Rule there is no longer such a threshold: every impermissible use or disclosure is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the protected health information was compromised.

As a representative from HealthITjobs.com pointed out, modern technology (if properly harnessed) can offer many benefits to patients, but the government and private-sector tech firms must be diligent in seeing that this technology is used for good. They may even have to be somewhat reactive for the next couple of years as they struggle to keep pace with the development of technology for health care.

To address, and hopefully mitigate, these issues, other pieces of legislation have also been passed in recent years. One example is the HITECH Act, which was itself a provision of the American Recovery and Reinvestment Act of 2009. This law also addresses security issues involving electronic transmission of health care data. It created four tiers of violations, each with its own (supposedly proportionate) penalty range, and capped penalties at $1.5 million per year for all violations of an identical provision.

Technology has, fundamentally, enriched modern society, and it has improved the health care industry. There is still, however, much work to be done to prevent leaks of this sort in the future. Hopefully, legislators will continue to do their part to prevent issues like Heartbleed, and if they cannot do it by monitoring the growth of technology more closely, perhaps they can achieve something by holding firms accountable for their mishandling of patient information. Firms are, after all, much more likely to take care if they know they will be held accountable for breaches when they occur.


Jared Hill is a healthcare industry blogger who writes about technology and compliance issues. Please follow him on twitter @JaredHill341
