Despite the HIPAA rules and improved safeguards to PHI, more than 40 million Americans suffered a breach of their personal health information from 2009 through the end of 2014, not including the 80 million record breach that Indianapolis-based insurer Anthem revealed in 2014, according to health IT security firm Redspin of Carpinteria, California.
Despite the HIPAA rules and improved safeguards to PHI, more than 40 million Americans suffered a breach of their personal health information from 2009 through the end of 2014, not including the 80 million record breach that Indianapolis-based insurer Anthem revealed in 2014, according to health IT security firm Redspin of Carpinteria, California. In 2014 alone, 164 incidents of PHI breaches were reported to the Office of Civil Rights, impacting nearly 9 million patient records, a 25% increase over 2013. More than half were caused by hackers.
Such breaches beg the question: Is HIPAA doing its job? Rebecca Herold, CISM, president of The Privacy Professor, an information security and privacy consultant in Des Moines, Iowa, thinks the answer is yes. “You can’t prevent all breaches, but I believe that without HIPAA there would have been many, many more,” she says. “And, because of the reporting requirement of HIPAA, we wouldn’t know about them because the entities covered by HIPAA would not report them.” Others say the omnibus rule that broadened patients’ rights to request electronic PHI paved the way to patient-centered care, empowering patients to take a more active role in their own care.
Not everyone agrees. As health information technology facilitates a more fluid exchange of sensitive patient data, it also opens the door to bigger potential breaches that not even HIPAA can prevent, says Peter Dixon, MD, an internist and solo practitioner in Essex, Connecticut. “We need privacy laws, but I am dubious about its ability to protect patient data,” he says, noting technology is always two steps ahead of legislation. “With paper records, privacy used to be sacrosanct. Now everything is on computers and it’s fair game for hackers.”
All the more reason that practices should to enact internal policies that protect their patients and their providers, says Robert Tennant, director of health information technology policy for the Medical Group Management Association in Englewood, Colorado. HIPAA is here to stay and must be part of the conversation. “HIPAA updates should be discussed in meetings and staff emails,” he says. “Talk to your staff about cases that illustrate broader policies and remind them how to handle it.”