A rebuttal to a 2019 article on HIPAA.
Take a trip back with me to 2019. A fire at the famed Notre Dame Cathedral gripped the entire world, Hurricane Dorian ripped through the Bahamas, causing over $3 billion in damages, and Lil Nas X’s song “Old Town Road” dominated the US charts. But 2019 was notable for another reason, despite not making headlines. Kim-Lien Nguyen, MD, cardiologist and associate professor of medicine at the David Geffen School of Medicine at UCLA, wrote a provocative article for Medical Economics titled “HIPAA: At what cost?” that made several assertions regarding HIPAA and its impact on healthcare.
While the article raises some valid concerns, it is essential to critically examine specific claims and broaden the discussion by considering the unique nature of PHI and the multifaceted landscape of patient privacy in the healthcare industry.
Although no one will argue that HIPAA is perfect, it is essential to review many of Nguyen’s claims critically. This rebuttal article will endeavor to address these claims and provide clarity on protecting patient data.
Nguyen begins her article with an anecdote about Amazon’s 2019 offer of a $10 credit to customers who allowed the company to track their browsing data and use it for marketing purposes. She questions what healthcare costs would look like if every patient were offered $10 to opt out of HIPAA. It is crucial to highlight the stark disparities between PHI and browsing data. PHI encompasses sensitive information that, if compromised, can lead to identity theft, medical fraud, or unauthorized access to highly personal details. Unlike browsing data (which is devoid of sensitive personally identifiable information like social security numbers and bank account information), PHI has a substantial value on the dark web, and evidence shows it is MUCH more than $10. In fact, according to the cybersecurity firm Trustwave, one medical record is worth around $250 on the dark web. The next highest-value item, credit card information, is worth a paltry $5.40.
Dr. Nguyen claims that healthcare providers have employed an “ever-increasing number of compliance officers” to safeguard PHI. While this may be true, HIPAA does not specify the number of compliance officers required. Indeed, its focus is on establishing comprehensive privacy and security protocols. Simply put, if an organization is deploying more compliance officers to address privacy and security, it is doing it wrong.
In the article, Nguyen claims that the true costs related to HIPAA compliance are around $8.3 billion annually. This figure came from a 2013 report released by the Ponemon Institute, but it had nothing to do with HIPAA compliance. Instead, the report attributed the cost to the use of outdated technologies and the protracted nature of hospital discharges, and it had nothing to do with the average medical practice. Furthermore, Nguyen distilled this $8.3 billion price tag down to $35,000 spent per annum by each medical professional. What makes this misattributed statistic all the more concerning is that it has been cited multiple times as fact, often linking back to Nguyen’s article as proof. It is essential to approach cost discussions with a comprehensive understanding of the specific components involved and avoid generalizations that may misrepresent the true nature of the expenses associated with HIPAA compliance.
The healthcare industry is not the only one subject to strict regulatory requirements for securing data. The Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley Act (SOX) are examples of regulations implemented in the financial and corporate sectors. Companies in banking, retail, corporate, legal, and many other sectors can effectively and affordably meet or exceed the data security requirements set forth by their respective regulatory frameworks. If the corner store down the street can protect our credit card information, healthcare providers can protect the most intimate parts of their patients’ data.
According to a 2019 study by Black Book Market Research, a staggering 93% of healthcare organizations experienced some type of data breach from 2016 to 2019. That statistic alone is a sobering reality, but it gets even more sobering. Of those, 57% reported that they experienced more than five breaches during that same period. As the least-protected and most-targeted industry, healthcare must exercise constant vigilance in protecting patient data. Acknowledging this unique phenomenon is essential in driving improvements in the sector's cybersecurity posture.
Healthcare innovation is a burgeoning ecosystem. With the rise of the Internet of Things (IoT), telemedicine, and remote patient monitoring, advancements in medical technology (MedTech) are popping up at breakneck speed. Yet Nguyen asserts that “expensive infrastructure” is required to work with researchers and innovators, a claim that is simply not accurate. The de-identification of PHI is a well-defined, almost formulaic undertaking that can be achieved by following HHS’s processes on de-identification. Myriad MedTech companies can function effectively by using de-identified PHI.
To her credit, Nguyen mentioned the Trusted Exchange Framework and Common Agreement (TEFCA), which promotes the interoperability of electronic health records. TEFCA was finalized in January 2022 and has been in use in earnest since then.
One of the more dubious claims by Nguyen is the proposition of an "opt-in/opt-out" model for HIPAA protections. Such a model is rife with inherent flaws and lacks evidence supporting its effectiveness. Her claim that "most folks" would choose not to opt in to privacy protections, based on a perceived lack of value placed on medical privacy, is unsupported. It overlooks the nuanced nature of individuals' privacy preferences. Assuming that individuals would willingly forgo such protections without a shred of empirical evidence undermines the importance placed on sensitive health information.
Furthermore, implementing an opt-in/opt-out model would place the burden of privacy decision-making solely on patients, potentially resulting in a disproportionate loss of privacy for vulnerable individuals who may not fully understand the implications. Rather than relying on hypothetical assumptions about public preferences, one must take a comprehensive approach to patient privacy, given the prevalent nature of data breaches in the healthcare space.
Trying to effectively comply with HIPAA without the assistance of subject matter experts can be a frustrating and daunting task. Perhaps it was out of this frustration that Dr. Nguyen advocated for fewer protections and an opt-in/opt-out model for privacy protections. But such a model lacks a solid foundation and is driven by anecdotal assumptions and unsupported statements about public attitudes towards medical privacy. Such proposals risk undermining the fundamental right to confidentiality and jeopardizing patients’ trust in their healthcare providers. Dr. Nguyen's claim about the true costs of HIPAA is misleading and misattributed. Forty-four million individual records were compromised in 2019 alone, with an estimated worth of over $11 billion to criminals. That’s considerably more than the $10 Dr. Nguyen wants to offer patients in exchange for not protecting their information.
Will Evertsen is the founder and principal consultant of Axeleos Technology Consulting, a boutique IT & cyber security consulting firm that offers information security and cloud consulting services for medical practices and healthcare companies. Will has nearly 20 years of experience in technology and cyber security, with the majority of his career having been spent in highly regulated industries such as financial, medical, and casino gaming.