HIPAA at 15: HITECH Tightens Health Care Data Privacy Laws

Fifteen years after Congress enacted the HIPAA data privacy laws, health care IT is adapting to guidelines made more stringent by the 2009 HITECH Act.

With 2011 marking the 15th anniversary of the Health Insurance Portability and Accountability Act, health care providers and IT companies continue to evaluate how to keep electronic health data secure.

On Aug. 21, 1996, President Clinton signed into law a set of rules detailing who can access personal health information. Under HIPAA, health information may not be disclosed without a patient's consent unless disclosure is necessary to administer benefits, payment or health care.

Under HIPAA, providers must regularly disclose privacy practices to patients, and parties must also disclose information to the Department of Health and Human Services if they're under investigation.

"It does give patients rights to their records and the rights to know who's seen their records, and that's important," John Moore, an analyst at Chilmark Research, told eWEEK. The law doesn't tell hospitals what to do with the data, however, Moore added.

HIPAA has also influenced the passage of the Obama administration's 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which made penalties for data breaches more severe. Data breaches can now cost companies up to $250,000, Moore noted.

The 2009 HITECH Act widened the scope of privacy protection under HIPAA following criticism that the privacy laws had not been rigorously enforced, according to Amit Trivedi, health care program manager for ICSA Labs, a division of Verizon. ICSA tests electronic health records (EHRs) to see if they satisfy federal mandates on meaningful use.

Under HITECH, "business associates," or third parties such as a billing company or cloud provider, now must follow the HIPAA privacy laws by protecting patient information and reporting data breaches, Mike Gleason, director of information services at Scottsdale Healthcare, in Scottsdale, Ariz., told eWEEK.

"That wasn't as clearly spelled out in the initial HIPAA law but was in HITECH provisions," Gleason said.

Concerns about HIPAA rules have resulted in some companies avoiding the health care IT space altogether, according to Moore.

"You need to jump through hoops to make sure a solution is HIPAA-compliant," Moore said. "So some companies say we're just not going to go there, particularly now that they've strengthened HIPAA rules and [implemented] big penalties for those that have violated HIPAA."

Meanwhile, HIPAA privacy laws have led to opportunities for vendors such as Proofpoint, a software as a service (SaaS) company that provides email archiving to large enterprises.

In an email, Proofpoint's service can spot identifiers, such as Social Security numbers or the name of a disease, that could be in violation of HIPAA laws, Rami Habal, director of product marketing at Proofpoint, told eWEEK.

"We spend a lot of time in R&D defining what HIPAA compliance is," he said.

For health care, HIPAA has served as an example for other industries to follow as far as data privacy, Habal suggested.

"It's sort of an important thing to recognize that HIPAA is almost at the forefront as far as best practice in ensuring privacy in business communication, and you have more and more organizations abiding by it," he said.

In addition, providing access to health care data in the cloud has made HIPAA compliance easier, Habal said. "You can have a more secure HIPAA compliance infrastructure in the cloud than what you get on premise," Habal said.

To keep data secure, Scottsdale Healthcare, in Arizona, uses Proofpoint's email archiving service, Microsoft Vergence (formerly Sentillion) single-sign-on technology, Barracuda Web-filtering and Entrust RSA token IDs to authenticate remote access.

In addition, the hospital system conducts annual threat assessments and tests to ensure that the network remains secure and to guard against unauthorized access, Scottsdale Healthcare's Gleason said.

"Security is a layer that needs to be there, it needs to be stringent, and it needs to be adhered to, but it cannot be an obstacle in providing information," he explained.

HIPAA laws have brought a greater awareness for health care providers that data security is important, Gleason said. The privacy laws have impacted the agenda of Scottsdale compliance committee meetings and have made hospital employees more careful as far as how they communicate with one another and have led to increased auditing of who's viewing data records.

"I think there's much more awareness, not only in our employee population but also our patient population," Gleason said. Awareness of HIPAA laws means "you can't just kibitz with your co-worker," he added.