This August marked the 28th anniversary of the Health Insurance Portability and Accountability Act (HIPAA), a pivotal regulation in protecting patient data in the U.S. healthcare system. Over the years, HIPAA has been updated numerous times in response to changing technologies and evolving threats.
A Brief History of HIPAA (and the Role of Cybersecurity)
HIPAA was signed into law in 1996 with two key purposes: to ensure individuals could maintain their health insurance coverage when transitioning between jobs (portability) and to protect the privacy and security of health information (accountability). The latter has become increasingly important in the digital age as healthcare entities have adopted electronic health records (EHRs) and other digital systems.
Cybersecurity has also become a focus of HIPAA thanks to the skyrocketing number of cyberattacks targeting the healthcare sector. The HIPAA Security Rule, published in 2003, outlines specific safeguards covered entities must implement to protect electronic protected health information (ePHI). These include administrative, physical, and technical safeguards like encryption, user access controls, and regular security audits. As cyber threats have grown, so too have the penalties for non-compliance with HIPAA’s security requirements.
Recent Changes
In recent years, HIPAA has undergone several updates to enhance patient rights, increase data security, and adapt to the growing use of digital health technologies.
HHS modifies the HIPAA Privacy Rule
On April 26, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule modifying HIPAA’s Privacy Rule to enhance protections for reproductive health information. These changes, part of the Biden-Harris Administration’s response to the Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision, limit the circumstances under which healthcare providers can share reproductive health data, particularly in cases involving legal proceedings related to seeking or providing lawful reproductive care.
The rule, which received tens of thousands of public comments, primarily seeks to ensure people feel safe accessing reproductive health services and aren’t afraid of privacy violations. Effective June 25, 2024, with full compliance required by December 22, 2024, the amendments will prevent the use of health data for law enforcement investigations in states where reproductive health services remain legal. Covered entities must update their privacy policies and practices to reflect these new protections.
Telehealth adjustments during COVID-19
During the COVID-19 pandemic, telehealth services became essential, prompting the temporary relaxation of certain HIPAA rules to enable remote care. These allowances permitted healthcare providers to use non-HIPAA-compliant platforms like Zoom and Skype.
This temporary relaxation ensured that healthcare providers would not face penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occurred during the good-faith delivery of telehealth services during the COVID-19 national public health emergency.
The Cost of HIPAA Failures
HIPAA violations are not uncommon. The Office for Civil Rights (OCR), which acts as the watchdog for HIPAA compliance, has imposed hefty fines on those found to have violated the standards.
One of the most notable HIPAA violations happened when health insurer Anthem experienced a massive data breach affecting nearly 79 million people. In 2023, the company was fined a whopping $16 million by the OCR — one of the largest HIPAA settlements to date. This breach highlighted the vulnerabilities healthcare providers face from cyberattacks as well as the importance of proactive cybersecurity measures.
Another newsworthy violation involved New York-Presbyterian Hospital, which permitted TV crews to film patients without their consent, violating the Privacy Rule. The hospital settled for $3.1 million in 2023, again emphasizing that patient consent is critical, even in media-related situations.
Common Misperceptions & Misinformation about HIPAA
Despite its longevity, misconceptions about HIPAA’s scope are widespread. A common misunderstanding is that HIPAA applies to all organizations handling health data. In reality, HIPAA only applies to covered entities — such as healthcare providers, health plans, and healthcare clearinghouses — and their business associates. Organizations that do not fall into these categories are not subject to HIPAA, even if they handle health-related information.
Another misconception is that HIPAA prevents sharing any health information without patient consent. While HIPAA does place strict limitations on the use and disclosure of PHI, it also includes provisions that allow data sharing in certain circumstances, such as when required by law or when necessary for treatment, payment, or healthcare operations.
Finally, many believe HIPAA violations only occur when health information is shared without patient consent. In fact, HIPAA violations can also result from a failure to provide patients with timely access to their information or from a failure to implement adequate security measures to protect electronic protected health information (ePHI).
Proposed Changes in 2024
Looking ahead, the changes to the HIPAA Privacy Rule proposed in 2024 would reshape the landscape of healthcare privacy and data protection even further. Updates worth mentioning include:
- Patients will be able to inspect and photograph their PHI in person.
- Healthcare providers will have to respond to records requests within 15 days instead of the current 30-day window.
- The definition of EHRs will be broadened to include billing records.
- Covered entities will need to post fee schedules on their websites to provide access to PHI, improving transparency.
Moreover, the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR are proposing updates to better align HIPAA with Part 2 regulations, which protect the privacy of substance use disorder records. These changes aim to ease the complexity of compliance and improve care coordination without compromising the heightened protections for sensitive health information.
Healthcare firms have until February 2026 to comply with the Final Rule, but they can begin benefiting from its new flexibilities immediately.
Future Directions: What’s Next for HIPAA?
As the healthcare industry digitizes even further, HIPAA will need to evolve to address the inevitable privacy and security challenges. Artificial intelligence (AI), telehealth, and other technologies will raise new questions about data protection, and we can expect future updates to focus on these contexts.
Staying on top of HIPAA changes is critical for healthcare organizations. While the proposed 2024 updates are expected to ease administrative burdens, they will also tighten the requirements for patient access to health information. All changes will require significant planning, training, and process adjustments to ensure compliance.
As cyber threats increasingly target the healthcare industry, HIPAA’s role in protecting patient data will remain central. It ensures that individuals’ health information is secure and accessible when needed.
Learn more about how Fortra’s Alert Logic can collaborate with you on your HIPAA compliance strategy.