Editorial: 5 Gaps in HIPAA and How They Are Being Filled
There are – and always have been – gaps in HIPAA and, after more than a quarter of a century, some have yet to be addressed.
Most of the gaps in HIPAA are attributable to omissions from the original Act, provisions of HIPAA and HITECH that have never been enacted, and the increasing use of technology in healthcare. We have identified 5 gaps in HIPAA (there are plenty more) and discuss how these are being – or have been – filled.
The passage of HIPAA resulted in multiple benefits for the health insurance industry, the healthcare industry, and the people that they serve. For example, the Administrative Requirements (Part 162) helped reduce insurance fraud and accelerated eligibility inquiries, authorization requests, and claims processing.
The reduction in insurance fraud meant that plan members did not have to cover the cost of HIPAA´s portability provisions through increased premiums, while patients requiring health services did not have to wait so long for treatment to be provided. Additionally, the passage of HIPAA led to the creation of a federal floor for the privacy of individually identifiable health information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Despite these benefits, there are gaps in HIPAA, the Rules that evolved from HIPAA, and subsequent legislation that could further benefit the health insurance industry, the healthcare industry, and the people they serve. We look at five of the gaps in HIPAA, explain their consequences, and discuss how they are being – or have been – filled.
#1. Healthcare Providers Not Covered by HIPAA and the Privacy of Health Information
At the time HIPAA was passed in 1996, many healthcare providers did not qualify as Covered Entities because they did not conduct electronic transactions for which the Department of Health and Human Services (HHS) had established standards under the Transactions Rule. Despite the increasing use of technology, there are still some healthcare providers who do not qualify as Covered Entities.
These include – but are not limited to – medical practitioners who only accept direct payments from patients, vendors of personal health records that connect with devices such as exercise trackers, and healthcare facilities that use non-electronic channels for covered transactions. (In 2013, HHS confirmed that paper-to-paper, non-digital faxes are not covered transactions).
This gap in HIPAA – in which not all healthcare providers qualify as Covered Entities – means there are occasions when health information is not covered by the Privacy and Security Rules. Fortunately, this gap is increasingly being filled by state legislators passing privacy laws that provide as many – if not more – privacy protections as HIPAA.
#2. Health Care Data Collected by Personal Health Records
A common misconception about HIPAA is that all healthcare data is subject to its protection. As discussed above, this is not the case because not all healthcare providers qualify as Covered Entities. However, the issue of personal health records deserves its own section in this article because – until recently – the oversight of personal health records has been minimal.
Not only do mHealth apps lack HIPAA-compliant privacy and security protections, but users are also unable to request access to sensitive data stored by the vendor – contrary to the HIPAA rights principles of the Privacy Rule. Furthermore, vendors have been sharing users´ data with third parties – despite promising to keep it private – with no control over how it is further used or disclosed.
This gap in HIPAA is currently being closed by the Federal Trade Commission (FTC) – which has the authority to pursue civil action against any company that discloses sensitive consumer data after promising to keep it private under the Deceptive Trade Practices clause of the FTC Act. The agency also has the authority to pursue enforcement action against vendors of personal health records if they experience a data breach and fail to report it as required by the Breach Notification Rule.
#3. The National Patient Identifier
In the text of HIPAA, there is a section entitled “General Requirements for the Adoption of Standards” which requires the Secretary of the Department of Health and Human Services to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider. While unique health identifiers have been adopted by employers, health plans, and healthcare providers, there is a gap in HIPAA relating to National Patient Identifiers.
The purpose of National Patient Identifiers (NPIs) is to increase efficiency, save costs, facilitate interoperability, support accurate data registries, and improve security (because if a patient´s NPI is compromised, all that is breached is health data and no other identifiers). They also have the potential to improve patient safety by making it more difficult for patient records to be mismatched. Despite these clear benefits, Congress has prevented the HHS from implementing NPIs by withholding funding. Despite the benefits, the cost of implementing NPIs was forecast (in 2008) to be between $1.5 billion and $11.5 billion.
However, in 2015, Congress partially relented its stance by passing the Medicare Access and CHIP Reauthorization Act which requires the Centers for Medicare and Medicaid to remove Social Security Numbers from Medicare cards and replace them with Medicare Beneficiary Numbers. Advocates of NPIs are hoping that the introduction of Medicare Beneficiary Numbers (which went into effect in January 2020) will demonstrate to Congress that the benefits of NPIs far outweigh the costs.
#4. Not Making Business Associates Directly Liable for HIPAA Violations
Prior to the HITECH amendments implemented in the Final Omnibus Rule, Business Associates were not directly liable for HIPAA violations. Additionally, Covered Entities were not required to oversee the means by which Business Associates complied with the Privacy and Security Rules, nor ensure their Business Associates complied with the terms of their Business Associate Agreements.
Consequently, when data breaches occurred due to a lack of compliance by Business Associates, there was no accountability. The HHS´ Office for Civil Rights had no authority to take enforcement action against Business Associates, while the Covered Entities for whom the Business Associates were performing a service could claim they were unaware of the lack of compliance and escape sanctions.
This gap in HIPAA was closed by the HITECH (Omnibus Rule) amendments and the Breach Notification Rule, which requires Business Associates to report data breaches to Covered Entities within sixty days of the discovery of the breach – even if only one record has been breached. Subsequently, multiple Business Associates have been issued with HIPAA violation fines and Corrective Action Plans.
#5. OCR´s Failure to Issue (Enough) Financial Penalties
The HHS´ Office for Civil Rights (OCR) has followed a policy of leniency in enforcement actions for HIPAA violations – often favoring voluntary compliance and technical assistance ahead of civil monetary penalties and financial settlements. To date (September 2022), OCR has imposed civil monetary penalties or reached settlements in only 126 cases. In two rounds of HIPAA compliance audits, widespread non-compliance was identified, yet no financial penalties were issued.
While the risk of financial penalties may have been an incentive for some to get compliant, many HIPAA-regulated entities only made a cursory effort to achieve compliance with the HIPAA Rules, with some HIPAA requirements ignored entirely. While there was a risk of a financial penalty, very few penalties were actually being imposed. Only one penalty was issued in each of 2008 and 2009, 2 in 2010, 3 in 2011, and 6 in 2012. OCR has stepped up HIPAA enforcement in recent years, with 20 issued so far this year.
There is a school of thought that if the HSS will impose financial penalties for data breaches, why go to the expense of ensuring full compliance? The reluctance to invest in security to prevent cyberattacks and data breaches has now been addressed with the introduction of a partial safe harbor for organizations that have adopted ‘recognized security practices’ continuously for 12 months prior to a data breach. The reward is OCR will consider those measures when making determinations about financial penalties, and the extent and length of audits and investigations will be reduced.
Part of the reason for the lack of financial penalties is funding. OCR is a big department with a wide remit, and investigations of HIPAA violations are expensive. Its budget for enforcement is also being stretched further due to the huge number of data breaches that are now occurring. OCR requested a 55% increase in funding for 2023 to support its HIPAA enforcement efforts, but that request is still under review. Had OCR pursued financial penalties more aggressively over the past decade, it would have been easier to justify an increase in funding – notwithstanding that more organizations might have been more motivated to get compliant. OCR will also soon have to share a proportion of the funds it raises through its enforcement actions with victims of HIPAA violations, so without the funding increase, HIPAA enforcement may suffer even more.
Steve Alder, Editor-in-Chief, HIPAA Journal
