Enc Research Paper Final 3
Alizain Fatehali
ENC2135
6 October 2023
Protecting the Patient
Introduction
In 1996, Congress officially passed and signed the Healthcare Insurance Portability and
Accountability Act. Although this seemed like a simple piece of legislation at the time, HIPAA
would go on to become the basis of some of the most important privacy laws in the United
States, redefining the fields of patients’ rights, medical information handling, and insurance
coverage. The importance of this set of rules has increased exponentially since its inception,
directly correlated with the healthcare world’s constantly growing dependence on technology.
Ranging all the way from complex scanning and testing to simple record maintenance and
storage, technology and the digital era have found their way into every crevice of the medical
world. As society approaches a new era of innovation, powered by what seems like daily
to consider whether or not current regulations are enough to keep up with future growth. By
thoroughly examining the past, present, and future of safeguarding medical information, this
study paints a picture of the importance of data privacy in healthcare and ensuring that
Conception
Though electronic medical records (EMRs) were initially designed in 1972 and were
frequently used by government entities and research institutes, historical data shows that EMR
incorporation in common medical practices (including private hospitals) took several decades
due to a variety of factors. Notably, the National Institutes of Health (via the Indian Journal of
Ophthalmology) upholds that cost was the primary constraint restricting the widespread uptake
of these innovative electronic records (Honavar, 2020). The conception of HIPAA over 20 years
later wasn’t born from a desire to improve the quality of healthcare assurances in the United
States, but rather a need to do so. According to the NIH and Baylor University, spikes in the cost
of widespread healthcare in the country were frequent at the time, causing the federal
government to look into industry-wide cost saving measures. As part of this investigation, it was
discovered that administrative costs, including the maintenance of physical and non-standardized
health records, were an easily mitigable factor in the high cost of medical care (Bowers, 2001).
The difference at this point, however, was that the ongoing trend of computerization and
technological advancement made the adoption of EMRs significantly more cost-effective over
time. As such, one of the primary goals of HIPAA was to find efficiencies in a bloated system of
physical records, improving value for patients. Bowers acknowledges a caveat here, saying that
this drastic change in the system “would cost the industry billions of dollars to implement and
monitor,” which corresponds with the widespread backlash and lobbying against the bill during
The other branch of HIPAA, which at the time was considered the most important, was to
ensure access to healthcare for members of the workforce transitioning between jobs. The driver
for this was a phenomenon known as ‘job lock,’ where people would be forced to stay in a job,
withholding their career advancement and financial goals to avoid losing their
the goal of this act was to introduce “a number of measures to ensure the continuity of coverage
between jobs [and] guarantee coverage for employees with pre-existing conditions” (HIPAA
Journal). Naturally, the healthcare industry was relentless in its opposition to these proposed
regulations, which the Journal attributes to the anticipation of increased financial burden on
health insurers. The idea behind this plan, however, was that the cost-saving effects of adopting
electronic medical records and payment systems (which was encouraged by HIPAA) would
offset these increased costs, which in theory would protect patients and providers from having to
bear the weight of “higher premiums, deductibles, and copays” (HIPAA Journal). With these two
facets in play, the Health Insurance Portability and Accountability Act was signed into law,
opening the doors for further healthcare protections in the United States.
Evolution
In the following years, Congress continued with its efforts to bolster and enforce this
newly passed law. The first amendment to this law, finalized in 2003, was the Privacy Rule,
designed to protect patients’ rights when it comes to restricting, releasing, and limiting access to
what the rule defined as ‘Protected Health Information (PHI)’ (HIPAA Journal). According to
Part 1 of the Journal of Nuclear Medicine Technology’s “Review of HIPAA,” “PHI includes all
information that could be used to identify an individual. Any part of a person’s medical record
and payment history is considered PHI and may not be shared with unauthorized personnel”
(Moore & Frye 2019). This part of HIPAA can be considered one of the single most important
regulations in the field of healthcare, and has effectively rehumanized the entire concept of
patients’ rights in the medical field despite its simplicity. The Privacy Rule seems to have
returned the idea of common sense to health privacy, codifying the seemingly implied fact that
Following the implementation of the Privacy Rule which only addressed protections
against intentional PHI disclosures, it was recognized that a supplementary rule was needed to
protect against unintentional PHI disclosures perpetrated by actors other than the patient and
appropriate medical practitioner. As such, the Security Rule was finalized in 2005, and was
structured quite differently from its predecessor: whereas the Privacy Rule detailed the rights of
patients, the Security Rule provided a set of guidelines for the safeguarding of PHI in three
domains: physical, administrative, and technical. These facets working in tandem paint a picture
of HIPAA as a constant presence in healthcare, respectively representing its past, present, and
future. As described by Part 1 of the JNMT’s “Review of HIPAA,” “Physical security refers to
physical access to PHI, including access to a location or physical object such as a building,
office, secured area, computer, or file” (Moore & Frye 2019). Although physical medical records
are now limited in use and are effectively relics, this rule provided significant peace of mind for
patients due to its extreme detail regarding the thoroughness of file location inspections and the
treatment of physical PHI. In the context of this study, however, this part of the Security Rule can
be considered an item of the past. Next is the administrative protection, which can be viewed as
the transition between physical and technical security. These safeguards are more
human-focused, detailing the process that HIPAA-compliant institutions must use to train their
employees, which, according to the JNMT, includes the coverage of acceptable-use policies for
patient data, device passwords and security, and contingency plans in the event of a PHI breach
(Moore & Frye 2019). The administrative section aims to ensure seamlessness in the
combination of the physical security of the past and the technical security of the future, which is
where the real value of HIPAA truly shines. These technical guidelines apply to the use of
modern digital storage and delivery methods in managing EMRs, such as email and cloud
systems be implemented for transmitting PHI in lieu of public email and cloud services, which
are typically prohibited for use in exchanging EMRs and are labeled as HIPAA-noncompliant
(Moore & Frye 2019). Because of the array of legal protections and supplements rooted in this
section of the Security Rule of 2005, the remainder of this study (including future projections
and analytics) will focus on the technical aspect of HIPAA regulations, covering primarily the
In the years following the effective compliance date of the Security Rule, changes were
made to HIPAA’s administrative process that combined several key points of the law’s goals in the
form of the Enforcement Rule. This new rule incorporated the Privacy Rule’s cornerstone
regarding a patient’s right to know about breaches of their private data, the Security Rule’s
protections for patients’ data, and the authority of the federal government via the Department of
Health and Human Services to investigate claims of HIPAA violations by the aforementioned
practitioners and administrators. Specifically, the Enforcement Rule explicitly delegated the
authority to punish negligence in PHI breaches to the DHHS Office for Civil Rights (OCR). In
addition, this regulation also created a structure of fines for civil offenses for individual
practitioners and corporations who violated patient privacy, as well as an imprisonment structure
for criminal offenses. According to Part 2 of the JNMT’s “Review of HIPAA,” these fines can
range from $100 to $1.5 million depending on the level of negligence determined, which can be
associated with up to 10 years in federal prison in cases of negligent HIPAA violations such as
“[Using] PHI for personal or commercial gain or to cause harm” (Moore & Frye 2019). This
regulation reflects not only the federal government’s theoretical commitment to securing patient
privacy, but also its willingness and promise to prosecute those who go against this logical
policy.
Though the Enforcement Rule was one of the last official additions to HIPAA, it wasn’t
the last step in the evolution of modern patients’ rights legislation. That honor goes to the Health
Information Technology for Economic and Clinical Health Act, also known as HITECH. Passed
in 2009, this legislation was designed to further encourage the use of electronic health records
(EHRs) for the sake of bolstering security and efficiency in the industry. According to Howard
Burde, JD, in an overview of HITECH published in the AMA Journal of Ethics in 2011, EHRs
were encouraged through the implementation of a financial incentive system, where physicians
would receive subsidies for meeting certain sets of criteria in the incorporation of EHRs and
appropriate security in their practices (Burde, 2011). These methods proved to be wildly
successful, and the passing of HITECH is now considered “the vital push” in the uptake of EHRs
(Honavar 2020). The Indian Journal of Ophthalmology continues, citing public figures on
the increased use of EHRs: as a direct result of HITECH’s incentives, EHR
adoption for ophthalmologists in the United States grew from 19% in 2008 to 72% in 2016
(Honavar 2020). The breach notification and security rules of HITECH further bolstered
HIPAA’s pre-existing regulations, laying the groundwork for safe, secure EHR adoption in the
Although HIPAA has proved over the years that its regulation and administration have
successfully bolstered the security of patients’ data in every specialty of healthcare, reexamining
this law’s current adherence and contribution to its initial goals reveals that its importance may
be overstated in certain fields. This is notable in the case of job lock, the concept of workers
The passage of HIPAA in 1996 was primarily inspired because job lock was believed to be a
2004 study by the Southern Economic Journal, all evidence of job lock as a widespread issue is
purely anecdotal, with only specific familial instances supporting its existence. Instead, a
majority of the data, through an analysis of survey-based results of workers with family members
who depended on employer-provided health insurance, showed that job mobility isn’t
significantly affected by job lock (Berger et al., 2004). This is also visible through the SEJ’s
analysis of marketwide wage rates, which didn’t follow trends that were expected following the
passage of HIPAA. On the other hand, independent international analyses, such as those made by
the IZA Institute of Labor Economics in 2015, find that “strong evidence of persistent job lock
that is consistent with estimates made before HIPAA suggests that its continuation-of-coverage
provisions were generally ineffective” (Chute & Wunnava 2015). In either case, whether job lock
exists or not, it can be concluded that HIPAA was wholly ineffective in eliminating it. In this use
case, HIPAA undoubtedly failed to solve the issue that it was primarily created to target.
Evaluating the costs of enacting its policies over the last 25 years forces a simple question: what
Projection
Although HIPAA proved to be a failure when it came to addressing its main goal, the
lessons and innovations that have resulted from its evolution are invaluable. Without its passing
and evolution, EHRs likely would never have gained the popularity they did in the US, and the
healthcare process would still be paper-based, effectively forcing patients into a less secure and
efficient situation. Going forward, however, it is abundantly clear that simple regulation isn’t
enough to keep patients’ data secure. Vigilance and continued investment in actively protecting
This importance is shown in two ways, through both the severity and frequency of
modern-day cyberattacks. According to the 2022 Healthcare Data Breach Report published by
the HIPAA Journal, 2022 was the first year since 2015 that saw any decline in the number of
breaches of private patient records, albeit decreasing by only 1.13% (Alder 2023). This decrease
shows that current cybersecurity measures are relatively effective, and their growth (enforced by
HIPAA and HITECH) has been critical in neutralizing the steady growth of cyberattacks on the
healthcare industry. However, the Report also shows that hacking/IT attack attempts are still
steadily increasing, along with the severity of successful attacks (Alder 2023). As a result,
despite the countless successful security measures, millions of patients are constantly at risk of
information, it has been shown that the human aspect of data vigilance is just as important.
According to an article published by independent researchers Mary J. Culnan and Cynthia Clark
Williams in a 2009 issue of MIS Quarterly, companies can use ethical practices to enforce data
security by “creating a culture of integrity that combines a concern for the law with an emphasis
on managerial responsibility for the firm’s organizational privacy behaviors” (Culnan & Williams
2009). By viewing privacy as not only something guaranteed by the law but also something that
implementation of this strategy becomes a sort of natural experience, ensuring that patients,
physicians, and intermediaries involved in handling data are protected. This ties in with the
administrative safeguard of the Security Rule, which creates guidelines for the data security
training of all employees, ensuring that both human and technical connections in the chain of
However, despite these numerous benefits, HIPAA can still be viewed as a restriction on
public data sharing for the common good, in fields such as research or analytics. To resolve this,
secure public health can be viewed as a successful model of information sharing, where patient
non-identifiable data. The goal of this is to advance public health information levels, which can
help deter large scale disease epidemics and pandemics. According to a research article
published in the UC Berkeley Technology Law Journal on this topic, there are several steps that
can be taken through the future that will not only support the goals of HIPAA and HITECH, but
also pave the way for furthered public trust and ‘true’ public health info sharing. These include
processes of specific data and, most importantly, increasing technical and non-technical privacy
protections (Sedenberg & Mulligan 2015). These steps mitigate any possible negative impact of
data privacy legislation, proving to be well worth the investment going forward for the sake of
Conclusion
the realm of healthcare data privacy within the United States. From its inception almost three
decades ago, HIPAA has evolved to become the hallmark of patient rights, the handling of
medical information, and the regulation of insurance coverage. Its significance has magnified
exponentially in tandem with the healthcare sector's escalating reliance on advancing technology.
At this point in the timeline, it is critical to maintain focus on the changing needs of this industry.
In order to ensure successful seamlessness between healthcare and technology, every involved
party needs to be vigilant in the process of handling data. The lessons of the past build the goals
of the future, and HIPAA has proven to be—while incredibly ahead of its time—one of the
Berger, M. C., Black, D. A., & Scott, F. A. (2004). Is There Job Lock? Evidence from the
https://doi.org/10.2307/4135282
Bowers, D. (2001). The Health Insurance Portability and Accountability Act: Is it really all that
https://doi.org/10.1080/08998280.2001.11927786
Culnan, M. J., & Williams, C. C. (2009). How Ethics Can Enhance Organizational Privacy:
Lessons from the Choicepoint and TJX Data Breaches. MIS Quarterly, 33(4), 673–687.
https://doi.org/10.2307/20650322
Davis, J. (2021, January 11). HIPAA Safe Harbor Bill Becomes Law; requires HHS to
https://healthitsecurity.com/news/hipaa-safe-harbor-bill-becomes-law-requires-hhs-to-incentivize-best-practice-security
HIPAA Journal. (n.d.). 2022 Healthcare Data Breach Report. Retrieved from
https://www.hipaajournal.com/2022-healthcare-data-breach-report/
HIPAA Journal. (n.d.). HIPAA History. Retrieved September 22, 2023, from
https://www.hipaajournal.com/hipaa-history/
Honavar, S. G. (2020). Electronic medical records - The good, the bad and the ugly. Indian
Moore, W., & Frye, S. (2019). Review of HIPAA, Part 1: History, Protected Health Information,
and Privacy and Security Rules. Journal of Nuclear Medicine Technology, 47(4),
269–272. https://doi.org/10.2967/jnmt.119.227819
Moore, W., & Frye, S. (2020). Review of HIPAA, Part 2: Limitations, Rights, Violations, and
Role for the Imaging Technologist. Journal of Nuclear Medicine Technology, 48(1),
17–23. https://doi.org/10.2967/jnmt.119.227827
Sedenberg, E. M., & Mulligan, D. K. (2015). Public Health as a Model for Cybersecurity
https://www.jstor.org/stable/26377580
American Medical Association. (n.d.). HIPAA violations & enforcement. Retrieved from
https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement