Analyzing the US HIPAA Legacy and Future Changes on the Horizon
The US Department of Health and Human Services (HHS) issued the long-awaited final omnibus rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on January 17, 2013. This rule set a federal-level baseline for US healthcare privacy.
In a recent Data Protection Law & Policy article (Vol. 10, Issue 2) analyzing HIPAA’s legacy in light of future changes, Kirk Nahra, partner at Wiley Rein, LLP, reviewed HIPAA’s beginnings, subsequent rulings to fill in the gaps, and concerns going forward.
He noted that while the HIPAA regulations have been the primary driver of privacy protection for a decade and supply the foundational principles in most situations, the rules themselves reflect inconsistent internal approaches and often provide little assistance, or overall confidence, in the more difficult situations.
He observes that the current rules leave a wide variety of healthcare privacy situations uncontrolled: some are governed by other laws, particularly state laws, and some by no law at all. He succinctly states that with each new regulation and law we see “a movement towards more confusion and controversy, rather than less.”
Nahra provides a useful historical background for HIPAA by illustrating that for many decades healthcare privacy protection in the U.S. was driven exclusively by professional ethics and a myriad of state laws, with no consistent federal baseline. This left gaps in application and much confusion. When the HIPAA era began with the passage of the act in 1996, it focused on ‘portability’ - the idea that individuals could take their health insurance coverage from one employer to the next, without pre-existing health conditions acting as an impediment to job transitions.
When Congress passed HIPAA, it also addressed other healthcare topics, including substantial funding for an extended fight against industry fraud and the move to electronic health records (EHRs). Nahra explains how privacy concerns around EHR implementation prompted HIPAA’s subsequent Privacy and Security Rules, and notes that these rules were limited in applicability to “covered entities” - the doctors, hospitals and health insurers participating in the standardized electronic transactions. Hence, a large number of entities that obtain or use healthcare information fall outside the scope of these rules: consumer-facing entities, many healthcare websites, life and disability insurers, employers in their employment role, and so on.
He explains that while the covered entities are the core participants in the industry, they rely on vendors to provide services, many of which involve patient information. The limitation referenced above led HHS to develop the concept of “business associates” - entities that provide services to the healthcare industry where performing those services involves the use or disclosure of patient information.
Nahra further explains the confusion around the business associate rule by noting that because HHS had no direct jurisdiction over these “business associates”, it imposed an obligation on the covered entities to put specific contracts in place with their vendors, creating contractual privacy and security obligations. A failure by the vendor would mean a violation of the HIPAA rules for the covered entity and a breach of contract, but would not subject the business associate to government enforcement, because the business associate itself was not regulated under the HIPAA rules. This confusion has existed since the HIPAA Privacy Rule took effect in 2003.
Nahra brings us to the present with round two of the HIPAA regulations, driven largely by Congress, which are only beginning to be reviewed, analyzed and implemented. He notes that after almost four years, the Department of Health and Human Services has finally released its omnibus HIPAA/HITECH regulation, implementing changes to the HIPAA Privacy, Security and Enforcement Rules, as well as the interim final regulation on breach notification and certain changes to the Privacy Rule required by the Genetic Information Nondiscrimination Act (GINA). The regulation was published in the Federal Register on January 25, 2013.
The recent changes result from the 2009 passage of the HITECH Act. According to Nahra, the “schizophrenic nature” of the act has been well documented: Congress wanted to incentivize - meaning pay - healthcare providers to implement EHR systems. It decided that it would impose new privacy compliance obligations on those who chose to use EHRs, and then would create a further set of privacy obligations for everyone else, unconnected in any way to the use of these EHRs.
Nahra concludes that this statute “fixed” one of the key gaps of the original legislation and rules by extending the enforcement reach of HIPAA beyond covered entities to their “business associates” as well. It increased the available penalties for HIPAA violations, cut down on permitted marketing, and modified and expanded certain individual rights.
Nahra closes with a few final points. First, even with its recent expansion, HIPAA is still not a general medical privacy law; while its scope has broadened, the protections still depend on where the healthcare information originates - with a healthcare provider or health plan. He argues this leaves enormous gaps in protection, particularly given recent developments that encourage consumers to take part in their own healthcare and provide the technology to make that goal a reality. Second, although the legislation does not turn business associates into covered entities, it does impose - for the first time - direct accountability on business associates, with potential civil and criminal liability for failing to meet these requirements. Finally, aside from some modest clarifications, the HITECH law did not fundamentally broaden the overall HIPAA scheme, nor did it address in any way the tensions between HIPAA and the thousands of applicable state laws.
Highlighting concerns for the future, Nahra argues that this structure leads to a variety of ongoing tensions that affect the efficiency of the healthcare system, the effectiveness of individual privacy protection and the operation of the overall healthcare system, including the systemic benefits of large-scale data analysis.
The main concerns are:
1. Single rule vs. multiple rules - a federal floor versus individual, more stringent, state laws
2. Research - the HIPAA rules create significant limitations on how research can be conducted and have been heavily criticized by many in the research community
3. Technology vs. security - balancing technological advances against security obligations, including breach notification
4. Health information exchanges - exchanges being shaped by state-law privacy concerns that dictate what information can and cannot be included
Nahra concludes by stating that the healthcare privacy model in the U.S. is a work in progress, and the progress is slow while the movement of technology is fast. However, he offers that HIPAA works most of the time in most situations, that more stringent state laws fill the gaps where applicable, and that one solution would be to allow states to pass more stringent future laws that are nevertheless tailored to the HIPAA model. “A better healthcare privacy system would in fact benefit individuals, healthcare business, and the system on the whole, but we are a long way away from solving this wide variety of issues.”