[ANSWERED] Why Was HIPAA Created?

Today, 61% of healthcare data breaches are due to negligent employees.

Healthcare administration is hard enough as it is. But, before HIPAA, it might as well have been the wild west.

During this time, there were no federal regulations protecting health information. That’s hard to imagine, isn’t it? We can thank HIPAA as to why patient privacy is so important.

We’ve gone over HIPAA in our blogs before, but let me refresh your memory on what the acronym stands for. The Health Insurance Portability and Accountability Act (HIPAA) is the federal law that helps protect your health information. Protected health information (PHI) is the fancy term that’s used to categorize health information.

HIPAA contains some of the most detailed and comprehensive requirements of any privacy and data security law to date, but I’m getting ahead of myself.

Let’s go back to before there was federal protection of health information.

Why was it created in the first place? 


What is HIPAA?

To understand why HIPAA exists today, let me go into more detail on what it is and how it serves the public.

This act, signed into law by President Bill Clinton on August 21, 1996, set the national standard to protect and streamline sensitive health information. Every healthcare worker and covered entity must protect this information, whether it’s on paper, on a computer, or on other media.

The patient must consent to any disclosure of their health information. Or, at the very least, receive notification of its disclosure.

Healthcare professionals must also make sure to provide individuals with their privacy rights and help them understand these rights.

Another goal of the legislation was to ensure portable health insurance coverage, allowing employees to maintain coverage when they’re between jobs. Additionally, HIPAA would reduce waste in the healthcare industry and, by doing so, reduce fraud and abuse, all while streamlining the management of healthcare.

HIPAA’s Privacy and Security Rules help implement these regulations. The main goal of the HIPAA Privacy Rule (December 20, 2000) is to protect health information without getting in the way of quality healthcare. Doctors and nurses must be able to care for their patients, after all. In essence, HIPAA balances the confidentiality, integrity and availability of healthcare information. It exists to serve three major purposes…

  • To protect the rights of patients by giving them access to their health information and by controlling inappropriate use of that information.

  • To improve healthcare quality in the United States and restore trust in the healthcare system for consumers, professionals, and other organizations.

  • To improve the effectiveness of healthcare delivery by creating a national template for protecting sensitive health information. The template builds on existing efforts by states, health systems, individual organizations, and individuals.

The HIPAA Security Rule (February 20, 2003) protects a subset of information from the Privacy Rule. This information is the health data that a covered entity creates, receives, maintains, or transmits electronically. We call this electronic protected health information (ePHI).

In a nutshell, complying with the HIPAA Security Rule means that covered entities must…

  • Ensure the confidentiality, integrity, and availability of all ePHI.

  • Detect and protect against anticipated threats to the security of that information.

  • Protect against anticipated impermissible uses or disclosures that are not allowed by the rule.

  • Ensure compliance by their workforce.

But, since HIPAA has been around since the 90s, it has seen a few changes. For example, it no longer thinks that JNCO jeans are fashionable. I’m being facetious.

The point I’m trying to make is that more regulations have become available…

  • Enforcement Rule 

  • The “HITECH” Act

  • Breach Notification Rule

  • HIPAA Omnibus Rule

These revisions added new provisions to HIPAA legislation over the years. The rules further advocate for privacy of data, implementation of appropriate security measures, notification when a data breach occurs, and more.

Oh yeah, HIPAA brought forth massive monetary and criminal penalties for infringing upon its requirements.

But, let’s get into what life was before all of these rules.

Healthcare Before HIPAA?

The practice of medicine itself has been around for thousands of years.

For a long time, there was little thought towards the storing of patient information. Again, weird thought, right?

Back in the day, doctors and nurses would store patient charts and notes in files and filing cabinets. So there really wasn't a pressing need for security standards when it came to PHI.

Not too many criminals were trying to break into their local family practice down the street to steal social security numbers, but I could be wrong.

It was the technological boom of the 90s that brought the need for stricter security. This, of course, applied to many industries, and healthcare wasn’t immune to these changes. Since we have a tendency to resist change, the introduction of HIPAA didn’t exactly gain the full support of the public.

Skeptics questioned whether HIPAA might be too bothersome and expensive to implement. Some people thought it might be redundant with existing state privacy laws, and that it would not add enough value to justify the work of enforcing it. Others were unsure whether professionals could still provide efficient healthcare while complying with HIPAA’s requirements.

But, as is the case today, there were still many professionals who needed access to patients’ health data. Doctors, nurses, technicians, and administrative staff all handle PHI, as do third-party entities. Regardless of public skepticism, there was a pressing need for change in healthcare administration processes, especially as health data was beginning to be stored digitally rather than on paper.

Why Do We Need HIPAA?

Before HIPAA, companies could receive detailed information about their employees’ health insurance claims.

That might not sound like such a big deal but picture this…

You’re up for a big promotion at work. You’re the best candidate for the job, but your anxiety has been affecting your performance. You know that if you seek help, it will show up on your company health insurance. Your supervisor will then see it, and your likelihood of getting the job will decrease.

You don’t want your supervisors to see that you have a mental health issue as that might sway their opinion of you. So, now your anxiety about hiding your anxiety is taking an even greater toll. Your performance declines even more, and the job goes to your coworker Nancy.

While companies during this time were able to read these detailed updates regarding employees’ health, patients themselves often weren’t able to get their own records. So the only sure way to protect your health information was not to create any in the first place, and people would put off seeking medical care.

The more obvious reason for the creation of HIPAA, though, has to be to protect PHI from cyber attacks. Even with HIPAA in place today, the total cost of a healthcare industry breach equals around $10.10 million. This is because healthcare information is worth about 50 times more than credit card information. How can this be possible?

According to the Center for Internet Security, the average cost of a non-healthcare data breach per stolen record is $158. For healthcare agencies, the average cost per record is $355.

This is because, unlike credit card information or social security numbers, you cannot simply change someone’s history of ailments, injuries, and surgeries.

With more professionals storing their protected health information on their computers or online, cybercriminals have an easier time targeting this data. 

Conclusion

HIPAA laws standardize the best way to handle protected health information, especially information that lives in digital storage systems. President Clinton made the following remark during his speech on medical privacy in 2000.

“Nothing is more private than someone's medical or psychiatric records. And, therefore, if we are to make freedom fully meaningful in the Information Age, when most of our stuff is on some computer somewhere, we have to protect the privacy of individual health records.”

HIPAA has evolved to be so much more than protecting patient data. It upholds safeguards that can help prevent unauthorized disclosures. Otherwise known as saving you and your company from hefty fines.

Having a system in place to keep this data secure is one thing, but don’t forget to push compliance as well. Without the proper training and awareness, even the best security system is useless. Your team will be sitting ducks in the chaotic world of healthcare management. So remember to practice good compliance through interactive training!