The Health Insurance Portability and Accountability Act – HIPAA – celebrates its twentieth birthday in 2016. Like most 20-year-olds, HIPAA has unique characteristics, foibles and contradictions, because HIPAA is a 20th-Century law applied to 21st-Century healthcare environments.
HIPAA was passed by Congress back in 1996, in an era when email was still a novelty and netbooks, smartphones and pocketable data storage devices didn’t exist. In many ways, HIPAA has remained the same while technology has moved far beyond it.
WHY DO WE HAVE HIPAA?
HIPAA exists because the government decided to crack down on rampant bank fraud in the 1980s. The growing tide of “victimless” financial crime meant the banking industry was losing money at an alarming rate. When bank security regulations were tightened, the criminals of that era turned their attention to committing fraud using healthcare data. This emerging threat led the Bush administration to determine how best to safeguard Protected Health Information. By the time HIPAA was enacted in 1996, medical identity theft seemed likely to continue to increase.
The payday for criminals makes healthcare data-harvesting activity astonishingly viable, particularly in comparison to the bank fraud of 30 years ago. Some patient records – especially those for pain management and pediatrics – can fetch up to $1000 each. There aren’t many criminals who can ignore such tempting targets … particularly when the security practices designed to safeguard them are lax, ignored, ineffective or easily bypassed.
SMALL BREACHES GROWING
The mega-breaches that make the news are certainly worrisome, but the impact they create is dwarfed by the sheer number of small breaches involving fewer than 500 patients. Since September 2009, the Office for Civil Rights has received more than 80,000 reports of breaches of Protected Health Information affecting fewer than 500 patients. Still, most small breaches go unreported, and with good reason: the first fine imposed for a breach affecting fewer than 500 patients was a whopping $50,000.
Over the past 20 years, practitioners and staff alike have faced growing challenges in day-to-day operations. With a genuine lack of attention to healthcare data security, the small breach issue is only getting bigger. Over the past three years, we've seen a 42% increase in data breaches in smaller practices compared to larger organizations, because all that valuable and relatively unguarded patient data is such a tempting target.
94% PROBABILITY OF BREACH
Patient data is more difficult to secure in part because all manner of mobile devices, tablets and laptops can be used by employees and hackers alike to breach patient confidentiality. Thumb drives can be hidden in pockets or purses, and server hard drives can be stolen or copied. While most of these devices did not exist when HIPAA became law in 1996, they now see widespread use in offices where privacy considerations have never really been thought through. That’s why the typical office’s lack of security infrastructure makes data compromise a 94% probability.
Many practitioners and stakeholders still refuse to worry about “all that HIPAA stuff.” This attitude, which seems deeply ingrained, is partly due to the fact that enforcement of HIPAA has been nearly nonexistent. Even today, patient privacy audits are still almost unheard of.
HIPAA @ 20: A FIVE-PART SERIES
In this five-part series, we’ll take a close look at HIPAA @ 20. We’ll examine what’s changed, what remains the same, and why small practices remain at risk. We’ll also look ahead to the next decade and make some educated guesses about what the future holds for patient privacy regulation, data safeguards, and the threats practitioners and patients will face.
Jim Moore is a Certified HIPAA Professional who has worked for Smart Training since 1999.
He can be reached at JimMoore@SmartTraining.com