Introduction
The present paper is devoted to the discussion of HIPAA regulations. It considers the Privacy and Security Rules, examines the HITECH Act as a complementary set of regulations, reviews the challenges that HIPAA needs to respond to, and evaluates HIPAA's capacity to do so. It is concluded that HIPAA is not without flaws and that additional measures might be required to ensure the safety of healthcare information.
Is HIPAA Enough?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was developed specifically for healthcare to determine the security requirements that can protect the information used in the field. In particular, HIPAA exists to ensure the protection of the protected health information (PHI), which includes “medical data and personally identifiable information” (Rhodes-Ousley, 2013, p. 5).
General Administrative Requirements
The general provisions of HIPAA establish the definitions for key terms, for example, PHI, health insurance coverage, group health plan, and covered entities. In HIPAA, a covered entity can be “a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter” as defined by section 1172 of the Act.
The enforcement of HIPAA is carried out by the HHS Office for Civil Rights (American Medical Association [AMA], 2016, para. 1). According to HIPAA, civil money penalties can be applied if a provision is not met or is violated by a covered entity as a result of a “reasonable cause,” “willful neglect,” or not being aware of the issue when the entity is supposed to be aware of it (AMA, 2016, para. 6-9). The size of the penalty depends on the specific violation (noncompliance), the violator, and some other factors (for example, whether the failure was corrected). Apart from that, criminal penalties can apply to “health plans, health care clearinghouses, health care providers who transmit claims in electronic form, Medicare prescription drug card sponsors” (AMA, 2016, para. 13). HIPAA also states that it preempts state law.
Privacy Rule
The HIPAA Privacy Rule establishes patients’ rights over their PHI and determines the “general requirements” for PHI protection, which presuppose ensuring the “integrity and confidentiality” of PHI (Gaynor, Bass, & Duepner, 2014). The Rule also guarantees the possibility of disclosing the information when it is required for care-related purposes (Murray, Calhoun, & Philipsen, 2011). The confidentiality requirements apply to “health plans, health care clearinghouses, health care providers who transmit claims in electronic form, Medicare prescription drug card sponsor” (AMA, 2016, para. 13).
Security Rule
The Security Rule is aimed at defining the requirements for protecting PHI in detail. In practice, this Rule is typically used to evaluate the “appropriateness” of the safeguards adopted by a covered entity to comply with the Privacy Rule (Rhodes-Ousley, 2013, p. 67). In particular, covered entities (as well as business associates) are expected to comply with the general rules for security standards, which include the directives to ensure the “confidentiality, integrity, and availability of all electronic protected health information,” to protect PHI against “reasonably anticipated threats” and disclosures, to adopt a flexible approach toward security, and to maintain compliance with HIPAA (HHS Office for Civil Rights, 2013, p. 63). The Rule also defines administrative (security, risk, and information access management; workforce security and training; contingency planning and evaluation), physical (control over facilities, devices, and workstation use), and technical (access and audit controls and transmission security) safeguards that the entities and business associates are supposed to employ (HHS Office for Civil Rights, 2013, pp. 64-68).
The HITECH Act
HIPAA has been developing since its introduction in 1996. Apart from that, it has been complemented with other Acts, including the American Recovery and Reinvestment Act of 2009, which encompasses the Health Information Technology for Economic and Clinical Health (HITECH) Act (HHS Press Office, 2013). The HITECH Act exists primarily to encourage the use of certified electronic health records (EHRs) and otherwise improve healthcare through technology (Murray et al., 2011). The Act also requires the use and timely update of certified EHR software and appropriate training for the staff. Finally, as a part of the American Recovery and Reinvestment Act of 2009, it requires the meaningful use of technology in healthcare (Murray et al., 2011, p. 750). It can be suggested that the HITECH Act and HIPAA complement each other in ensuring the security of PHI.
Legal, Ethics, and Compliance
Cyber-Attack Trends and Current Regulations’ Safeguards
EHRs have great potential for improving the quality and efficiency of healthcare, and the HIPAA and HITECH Acts attempt to ensure that information security does not decrease as a result of their implementation (Murray et al., 2011). However, as healthcare grows to depend on EHRs and other technology-assisted resources, it also becomes vulnerable to cyber-attacks (Harries & Yellowlees, 2013). Given the extent to which healthcare can depend on electronic communication, cyber-attacks can result in security and privacy breaches, process disruption, and even deaths (Harries & Yellowlees, 2013). At the same time, Harries and Yellowlees (2013) demonstrate that US hospitals are hardly protected against the threat (primarily because of a lack of cooperation, funding, and due attention to the issue). Kruse, Frederick, Jacobson, and Monticone (2016) come to a similar conclusion and point out that healthcare organizations do not keep up with cyber-attack trends (apparently as a result of insufficient funding and attention). As a result, the effectiveness of HIPAA and HITECH can be questioned and needs to be investigated.
The Need for Ethical Guidelines
A major strength of HIPAA is its specific orientation towards healthcare (Murray et al., 2011). As pointed out by Rhodes-Ousley (2013), HIPAA requires safeguards that are similar to those demanded by the regulations of other industries, for example, the financial industry. Thus, the regulations can be regarded as the best practice as viewed by the government. However, the Act also has multiple weaknesses, including ineffective enforcement (small fines and the possibility of avoiding harsher punishments if a lack of malicious intent is proven) and complexity combined with vagueness (Murray et al., 2011, p. 116), which implies that the document is open to interpretation. The ineffectiveness of HIPAA in ensuring the safety and security of PHI can be explained by these issues, which suggest that a reconsideration of the Act is required. Apart from that, it is noteworthy that the adoption of technology in healthcare has brought along new ethical challenges related to information use (Vayena, Salathé, Madoff, & Brownstein, 2015). Vayena et al. (2015) insist that the development of healthcare technology requires consistent updating of the existing ethics codes or the development of new ones. Given that an ethics code can serve as a complementary measure to a set of regulations, it can be suggested that the development of a complementary ethics code for PHI management can help to improve the effectiveness of HIPAA.
Conclusion
HIPAA regulations are aimed at ensuring the safety of information that is used in healthcare. These regulations can be regarded as a best practice in the field as seen by the government, and they attempt to respond to both privacy and security challenges, but, unfortunately, they are not perfectly effective. The flaws of HIPAA include its vagueness and insufficient penalties, which implies that a reconsideration of the Act is required. Apart from that, the development of a complementary ethics code might contribute to improving information security in healthcare.
References
American Medical Association. (2016). HIPAA violations & enforcement.
Gaynor, M., Bass, C., & Duepner, B. (2014). A tale of two standards: strengthening HIPAA security regulations using the PCI-DSS. Health Systems, 4(2), 111-123.
Harries, D., & Yellowlees, P. (2013). Cyberterrorism: Is the U.S. healthcare system safe? Telemedicine and e-Health, 19(1), 61-66.
Health Insurance Portability and Accountability Act of 1996, Pub. L. 104–19.
HHS Office for Civil Rights. (2013). HIPAA administrative simplification.
HHS Press Office. (2013). New rule protects patient privacy, secures health information.
Kruse, C., Frederick, B., Jacobson, T., & Monticone, D. (2016). Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 1, 1-10.
Murray, T., Calhoun, M., & Philipsen, N. (2011). Privacy, confidentiality, HIPAA, and HITECH: Implications for the health care practitioner. The Journal for Nurse Practitioners, 7(9), 747-752.
Rhodes-Ousley, M. (2013). Information security: The complete reference, second edition (2nd ed.). New York, NY: McGraw-Hill.
Vayena, E., Salathé, M., Madoff, L., & Brownstein, J. (2015). Ethical challenges of big data in public health. PLOS Computational Biology, 11(2), e1003904.