Fifteen years after Congress enacted the HIPAA data privacy laws, health care IT is adapting to guidelines made more stringent by the 2009 HITECH Act.
With 2011 marking the 15th
anniversary of the Health
Insurance Portability and Accountability Act
, health care providers and IT
companies continue to evaluate how to keep electronic health data secure.
On Aug. 21, 1996, President
Clinton signed into law a set of rules detailing who can access personal health
information. Under HIPAA, health information may not be disclosed without a
patient's consent unless disclosure is necessary to administer benefits,
payment or health care.
Under HIPAA, providers must
regularly disclose privacy practices to patients, and parties must also
disclose information to the Department of Health and Human Services if they're
"It does give patients
rights to their records and the rights to know who's seen their records, and
that's important," John Moore, an analyst at Chilmark Research, told eWEEK
The law doesn't tell hospitals what to do with the data, however,
HIPAA has also influenced
the passage of the Obama administration's 2009 Health Information Technology for
Economic and Clinical Health (HITECH) Act, which made penalties for data
breaches more severe. Data breaches can now cost companies up to $250,000,
The 2009 HITECH Act widened
the scope of privacy protection under HIPAA following criticism that the
privacy laws had not been rigorously enforced, according to Amit Trivedi,
health care program manager for ICSA Labs, a division of Verizon. ICSA tests electronic
health records (EHRs)
to see if they satisfy federal mandates on
Under HITECH, "business
associates," or third parties such as a billing company or cloud provider,
now must follow the HIPAA privacy laws by protecting patient information and
reporting data breaches, Mike Gleason, director of information services at
Scottsdale Healthcare, in Scottsdale, Ariz., told eWEEK
"That wasn't as clearly
spelled out in the initial HIPAA law but was in HITECH provisions,"
Concerns about HIPAA rules
have resulted in some companies avoiding the health care IT space altogether,
according to Moore.
"You need to jump
through hoops to make sure a solution is HIPAA-compliant," Moore said.
"So some companies say we're just not going to go there, particularly now
that they've strengthened HIPAA rules and [implemented] big penalties for those
that have violated HIPAA."
Meanwhile, HIPAA privacy
laws have led to opportunities for vendors such as Proofpoint
, a software as a service
(SaaS) company that provides email archiving to large enterprises.
In an email, Proofpoint's
service can spot identifiers, such as Social Security numbers or the name of a
disease, that could be in violation of HIPAA laws, Rami Habal, director of
product marketing at Proofpoint, told eWEEK
"We spend a lot of time
in R&D defining what HIPAA compliance is," he said.
For health care, HIPAA has
served as an example for other industries to follow as far as data privacy,
"It's sort of an
important thing to recognize that HIPAA is almost at the forefront as far as
best practice in ensuring privacy in business communication, and you have more
and more organizations abiding by it," he said.
In addition, providing
access to health care data in the cloud has made HIPAA compliance easier, Habal
said. "You can have a more secure HIPAA compliance infrastructure in the
cloud than what you get on premise," Habal said.
To keep data secure,
Scottsdale Healthcare, in Arizona, uses Proofpoint's email archiving service,
Microsoft Vergence (formerly Sentillion) single-sign-on technology, Barracuda
Web-filtering and Entrust RSA token IDs to authenticate remote access.
In addition, the hospital
system conducts annual threat assessments and tests to ensure that the network
remains secure and to guard against unauthorized access, Scottsdale
Healthcare's Gleason said.
"Security is a layer
that needs to be there, it needs to be stringent, and it needs to be adhered
to, but it cannot be an obstacle in providing information," he explained.
HIPAA laws have brought a
greater awareness for health care providers that data security is important,
Gleason said. The privacy laws have impacted the agenda of Scottsdale
compliance committee meetings and have made hospital employees more careful as
far as how they communicate with one another and have led to increased auditing
of who's viewing data records.
"I think there's much
more awareness, not only in our employee population but also our patient
population," Gleason said. Awareness of HIPAA laws means "you can't
just kibitz with your co-worker," he added.