Some hope was given for the current legal environment to become better defined for healthcare providers when the Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. As previously mentioned, HIPAA is a monumental act that attempts to address and incorporate all three issues (privacy, confidentiality, and security) within one law. When HIPAA was passed, many applauded the portability aspects of HIPAA that allowed for continuing healthcare coverage for individuals who lost their jobs and the attendant healthcare insurance. But few back in 1996 anticipated the dramatic impact that HIPAA would later have on the privacy and security of patients' health information in the United States.
HIPAA Legislation History
HIPAA legislation was passed in the year 1996. Title I of the regulation dealt with the health insurance coverage of the public and their immediate family when they lost their jobs. Title II of HIPAA concerned "administrative simplification," which required Congress to establish, before 1999, standards and rules for the electronic transmission of health information and for the privacy and security of that information (HIPAA, 1996). Within the HIPAA legislation itself, Congress imposed a deadline on itself to provide for health privacy and security under the administrative simplification aspects of HIPAA. But because Congress did not act in this regard in a timely manner, HIPAA had a fallback whereby its authority to create such rules would eventually expire and transfer to the United States Department of Health and Human Services (HHS). In 1999, HHS was suddenly charged through HIPAA with creating broad federal rules to protect health information privacy and security. Therefore, on December 28, 2000, HHS issued proposed rules for the privacy of healthcare in America, referred to as the HIPAA Privacy Rules.
The new proposed HIPAA Privacy Rules were initially met with heated resistance from the healthcare provider community, with the American Hospital Association claiming that the HIPAA Privacy Rules would be burdensome and would increase cost and paperwork in the form of the consents, other authorizations, and compliance measures that the proposed Privacy Rules envisioned (HIPAA, 1996). Not to be outdone, the American Association of Physicians and Surgeons filed a federal lawsuit in Houston, Texas, to block the implementation of the Privacy Rules for the same reasons, arguing that they would cause undue hardship for physicians and physician practices and impose greater costs with no real benefits. Eventually, after significant revision to the proposed Privacy Rules, the lawsuits and lobbying efforts stopped, and focus turned toward reluctant compliance with the new HIPAA Privacy Rules. Compromises were made with HHS, revisions were made to the Privacy Rules, and a new compliance date was set for April 14, 2003. The Security Rules went into effect on April 21, 2005 (Erikson, Miller, 2005).
HIPAA has changed the way patient information is documented, preserved, stored, and shared among healthcare professionals (HIPAA, 1996). This regulation has also modified the way people are insured and compensated. HIPAA legislation was intended to provide the following:
• restrict fraud and abuse in health care
• implement set rules and standards regarding health information
• promise the security and privacy of health information
• guarantee health care insurance for people
HHS designated the Office for Civil Rights (OCR) as the enforcer of the HIPAA Privacy Rules, and OCR quickly indicated that it would initially emphasize assisting providers to move toward voluntary compliance with the Privacy Rules instead of imposing penalties for violations. Within one year of the enactment, over 4755 complaints had been filed with OCR for privacy violations. A year later, over 10,785 complaints had been filed. HHS noted that the majority of the complaints were related to impermissible use of patient health information.
Other than certain high-profile cases, HIPAA privacy enforcement was relatively low-key over the first six years of the HIPAA Privacy Rules (Buckovich, 2000).
Eventually, as time has gone by, most healthcare providers in the United States have fully embraced the HIPAA Privacy and Security Rules, and HIPAA has generally been touted as a key law for the protection of patients everywhere. The initial reluctance to comply with the HIPAA Privacy and Security Rules has now been replaced with a desire to become fully HIPAA-compliant, even as a public relations tool to foster goodwill with patients across the United States. As new healthcare providers enter the workforce, however, many HIPAA compliance programs have gathered dust or are not adhered to as strongly as before, especially in light of the relatively mild enforcement to date of the HIPAA Privacy and Security Rules (Wills, 2002).
However, that seems to be changing under the Obama Administration, and more and more providers are becoming aware that HIPAA privacy and security compliance is more important than ever, especially in light of the changes forthcoming through the HITECH Act and the proliferation of electronic health records (EHRs).
Steps Needed To Be Taken To Implement HIPAA Effectively
HIPAA signifies at least a first step toward protecting the privacy, confidentiality, and security of health information. However, only time will tell how well the law's intent will be met. DHHS' proposed security rules have already drawn negative reactions from many provider organizations. Many provider and health-plan associations have vigorously opposed the proposed rules because of fears that the regulations will actually increase administrative burdens and costs. Congress has not yet enacted privacy legislation, although it considered a few bills introduced in early 1999. It became obvious during the 1999 Congressional discussions of medical privacy that many controversial issues must be resolved if Congress is to pass national privacy legislation. Some of the major issues that have to be resolved include the following (Gostin, 2000):
• Balancing privacy rights with those who need access to information
• Defining the categories of information that should be protected (e.g., "identifiable" versus all health information)
• Determining which entities or persons should have access to what kinds of information (e.g., employers, insurance companies, pharmacies, research institutions)
• Deciding what legal proceeding will be required for enforcement of laws regarding access to medical information (warrant or a less stringent legal procedure)
• Determining the extent of federal law preemption ("ceiling" preemption means federal law supersedes all state laws; "floor" preemption means states may pass more stringent laws)
• Defining when patient authorization is required for information disclosure for primary (medical care) and secondary (research, marketing, etc.) uses of information
• Determining enforcement mechanisms
Implementation of HIPAA and Current Status
During the initial stages of HIPAA Privacy Rule implementation, there was a considerable amount of confusion regarding what the HIPAA Privacy Rules provide and what they require, given the length and breadth of the regulations themselves. But after some time, healthcare providers fine-tuned their HIPAA programs. Recently, however, and it seems to happen in waves, new or unsophisticated healthcare providers have been falling into the many traps of "HIPAA-mania," only to find themselves noncompliant with the true requirements of the HIPAA Privacy Rules (Rosati, 2002). For nurses, HIPAA provides a benchmark for protecting patient information.
Industry Lessons Learned
According to healthcare professionals, the HIPAA Privacy and Security Rules suffer from several significant flaws, and thus a number of lessons have been learned from the implementation of HIPAA (Buckovich, 2000):
First, the rules cover only health plans, physicians, and health care providers who transfer electronic PHI for reimbursement or benefits purposes. Consequently, employers, marketers, and operators of websites that provide medical advice or sell medicine, all of whom may hold EHI, are exempt from the HIPAA law. Even physicians who require cash payment from patients upon provision of care, and therefore do not bill any party or interact with insurers, fall outside the jurisdiction of the rules. This narrow scope of coverage is creating problems because these parties hold health information and are not held accountable for using it in any way they want.
Second, the HIPAA Privacy Rule limits the information patients can gain about their EHI. It allows patients to review and obtain copies of their medical records from covered entities, as well as to request revisions of incorrect information. However, the rule does not enable data subjects to verify the origins of information or to inquire about the purposes for which it is maintained. As more and more parties process and utilize EHI for their own business objectives, there are growing dangers of hacking, theft, the development of illicit health information markets, and other forms of malfeasance (Buckovich, 2000). Thus patients might increasingly find that unexpected people or organizations possess their EHI and become increasingly concerned that the data will be used in harmful and inappropriate ways. Without an ability to submit inquiries to covered entities concerning the origins and use of their medical data, health care consumers have little power to track their EHI and try to prevent its exploitation.
Finally, the HIPAA Privacy Rule has been criticized for providing ineffectual privacy protections because it fails to adequately limit disclosures and empower data subjects. For…