Protecting the Patient: An Encompassing Look at the

Significance of HIPAA in Healthcare Data Privacy

Alizain Fatehali

Florida State University

ENC2135

Professor So Young Koo

6 October 2023
Protecting the Patient
2
Introduction

In 1996, Congress passed, and the President signed into law, the Health Insurance Portability and Accountability Act. Although it seemed like a simple piece of legislation at the time, HIPAA would go on to become the basis of some of the most important privacy laws in the United States, redefining the fields of patients’ rights, medical information handling, and insurance coverage. The importance of this set of rules has increased exponentially since its inception, directly correlated with the healthcare world’s constantly growing dependence on technology. Ranging all the way from complex scanning and testing to simple record maintenance and storage, technology and the digital era have found their way into every crevice of the medical world. As society approaches a new era of innovation, powered by what seem like daily advances in technological capability and constantly increasing access, it is incredibly important to consider whether or not current regulations are enough to keep up with future growth. By thoroughly examining the past, present, and future of safeguarding medical information, this study paints a picture of the importance of data privacy in healthcare and of ensuring that technological growth doesn’t outpace patient protections.

Conception

Though electronic medical records (EMRs) were initially designed in 1972 and were frequently used by government entities and research institutes, historical data shows that EMR adoption in common medical practices (including private hospitals) took several decades due to a variety of factors. Notably, the National Institutes of Health (via the Indian Journal of Ophthalmology) hold that cost was the primary constraint restricting the widespread uptake of these innovative electronic records (Honavar, 2020). The conception of HIPAA over 20 years later wasn’t born from a desire to improve the quality of healthcare assurances in the United States, but rather from a need to do so. According to the NIH and Baylor University, spikes in the cost of widespread healthcare in the country were frequent at the time, causing the federal government to look into industry-wide cost-saving measures. As part of this investigation, it was discovered that administrative costs, including the maintenance of physical and non-standardized health records, were an easily mitigable factor in the high cost of medical care (Bowers, 2001). The difference at this point, however, was that the ongoing trend of computerization and technological advancement made the adoption of EMRs significantly more cost-effective over time. As such, one of the primary goals of HIPAA was to find efficiencies in a bloated system of physical records, improving value for patients. Bowers acknowledges a caveat here, saying that this drastic change in the system “would cost the industry billions of dollars to implement and monitor,” which corresponds with the widespread backlash and lobbying against the bill during the process of its passing.

The other branch of HIPAA, which at the time was considered the most important, was to ensure access to healthcare for members of the workforce transitioning between jobs. The driver for this was a phenomenon known as ‘job lock,’ where people would be forced to stay in a job, withholding their career advancement and financial goals to avoid losing their employer-provided health coverage. According to the HIPAA Journal, an independent resource, the goal of this act was to introduce “a number of measures to ensure the continuity of coverage between jobs [and] guarantee coverage for employees with pre-existing conditions” (HIPAA Journal). Naturally, the healthcare industry was relentless in its opposition to these proposed regulations, which the Journal attributes to the anticipation of an increased financial burden on health insurers. The idea behind this plan, however, was that the cost-saving effects of adopting electronic medical records and payment systems (which HIPAA encouraged) would offset these increased costs, which in theory would protect patients and providers from having to bear the weight of “higher premiums, deductibles, and copays” (HIPAA Journal). With these two facets in play, the Health Insurance Portability and Accountability Act was signed into law, opening the doors for further healthcare protections in the United States.

Evolution

In the following years, Congress continued its efforts to bolster and enforce this newly passed law. The first amendment to this law, finalized in 2003, was the Privacy Rule, designed to protect patients’ rights when it comes to restricting, releasing, and limiting access to what the rule defined as ‘Protected Health Information (PHI)’ (HIPAA Journal). According to Part 1 of the Journal of Nuclear Medicine Technology’s “Review of HIPAA,” “PHI includes all information that could be used to identify an individual. Any part of a person’s medical record and payment history is considered PHI and may not be shared with unauthorized personnel” (Moore & Frye 2019). This part of HIPAA can be considered one of the single most important regulations in the field of healthcare, and despite its simplicity it has effectively rehumanized the entire concept of patients’ rights in the medical field. The Privacy Rule seems to have returned the idea of common sense to health privacy, codifying the seemingly implied fact that “my data is my own data, and should be protected.”

Following the implementation of the Privacy Rule, which only addressed protections against intentional PHI disclosures, it was recognized that a supplementary rule was needed to protect against unintentional PHI disclosures perpetrated by actors other than the patient and the appropriate medical practitioner. As such, the Security Rule was finalized in 2005, and it was structured quite differently from its predecessor: where the Privacy Rule detailed the rights of patients, the Security Rule provided a set of guidelines for the safeguarding of PHI in three domains: physical, administrative, and technical. These facets working in tandem paint a picture of HIPAA as a constant presence in healthcare, respectively representing its past, present, and future. As described by Part 1 of the JNMT’s “Review of HIPAA,” “Physical security refers to physical access to PHI, including access to a location or physical object such as a building, office, secured area, computer, or file” (Moore & Frye 2019). Although physical medical records are now limited in use and are effectively relics, this rule provided significant peace of mind for patients due to its extreme detail regarding the thoroughness of file location inspections and the treatment of physical PHI. In the context of this study, however, this part of the Security Rule can be considered an item of the past. Next is the administrative protection, which can be viewed as the transition between physical and technical security. These safeguards are more human-focused, detailing the process that HIPAA-compliant institutions must use to train their employees, which, according to the JNMT, includes the coverage of acceptable-use policies for patient data, device passwords and security, and contingency plans in the event of a PHI breach (Moore & Frye 2019). The administrative section aims to ensure seamlessness in the combination of the physical security of the past and the technical security of the future, which is where the real value of HIPAA truly shines. These technical guidelines apply to the use of modern digital storage and delivery methods in managing EMRs, such as email and cloud platforms. Specifically, the JNMT recommends that privately hosted, cloud-based patient portal systems be implemented for transmitting PHI in lieu of public email and cloud services, which are typically prohibited for use in exchanging EMRs and are labeled as HIPAA-noncompliant (Moore & Frye 2019). Because of the array of legal protections and supplements rooted in this section of the Security Rule of 2005, the remainder of this study (including future projections and analytics) will focus on the technical aspect of HIPAA regulations, covering primarily the digital benefits and consequences of data security.

In the years following the effective compliance date of the Security Rule, changes were made to HIPAA’s administrative process that combined several key points of the law’s goal in the form of the Enforcement Rule. This new rule incorporated the Privacy Rule’s cornerstone regarding a patient’s right to know about breaches of their private data, the Security Rule’s implication that medical practitioners and administrators have a responsibility to be vigilant in protecting patients’ data, and the authority of the federal government, via the Department of Health and Human Services, to investigate claims of HIPAA violations by the aforementioned practitioners and administrators. Specifically, the Enforcement Rule explicitly delegated the authority to punish negligence in PHI breaches to the DHHS Office for Civil Rights (OCR). In addition, this regulation also created a structure of fines for civil offenses by individual practitioners and corporations who violated patient privacy, as well as an imprisonment structure for criminal offenses. According to Part 2 of the JNMT’s “Review of HIPAA,” these fines can range from $100 to $1.5 million depending on the level of negligence determined, and can be associated with up to 10 years in federal prison in cases of negligent HIPAA violations such as “[Using] PHI for personal or commercial gain or to cause harm” (Moore & Frye 2020). This regulation reflects not only the federal government’s theoretical commitment to securing patient privacy, but also its willingness and promise to prosecute those who go against this logical policy.

Though the Enforcement Rule was one of the last official additions to HIPAA, it wasn’t the last step in the evolution of modern patients’ rights legislation. That honor goes to the Health Information Technology for Economic and Clinical Health Act, also known as HITECH. Passed in 2009, this legislation was designed to further encourage the use of electronic health records (EHRs) for the sake of bolstering security and efficiency in the industry. According to Howard Burde, JD, in an overview of HITECH published in the AMA Journal of Ethics in 2011, EHRs were encouraged through the implementation of a financial incentive system, where physicians would receive subsidies for meeting certain sets of criteria in the incorporation of EHRs and appropriate security in their practices (Burde, 2011). These methods proved to be wildly successful, and the passing of HITECH is now considered “the vital push” in the uptake of EHRs (Honavar 2020). The Indian Journal of Ophthalmology continues, citing public figures regarding the increased use of EHRs: as a direct result of HITECH’s incentives, EHR adoption for ophthalmologists in the United States grew from 19% in 2008 to 72% in 2016 (Honavar 2020). The breach notification and security rules of HITECH further bolstered HIPAA’s pre-existing regulations, laying the groundwork for safe, secure EHR adoption in the US for the foreseeable future.

Although HIPAA has proved over the years that its regulation and administration have successfully bolstered the security of patients’ data in every specialty of healthcare, reexamining this law’s current adherence and contribution to its initial goals reveals that its importance may be overstated in certain fields. This is notable in the case of job lock, the concept of workers staying in suboptimal positions to avoid losing employer-provided health insurance coverage. The passage of HIPAA in 1996 was primarily inspired by the belief that job lock was a widespread issue, affecting millions of employees in every industry. However, according to a 2004 study in the Southern Economic Journal, all evidence of job lock as a widespread issue is purely anecdotal, with only specific familial instances supporting its existence. Instead, a majority of the data, through an analysis of survey-based results of workers with family members who depended on employer-provided health insurance, showed that job mobility isn’t significantly affected by job lock (Berger et al., 2004). This is also visible through the SEJ’s analysis of marketwide wage rates, which didn’t follow the trends that were expected following the passage of HIPAA. On the other hand, independent international analyses, such as those made by the IZA Institute of Labor Economics in 2015, find that “strong evidence of persistent job lock that is consistent with estimates made before HIPAA suggests that its continuation-of-coverage provisions were generally ineffective” (Chute & Wunnava 2015). In either case, whether job lock exists or not, it can be concluded that HIPAA was wholly ineffective in eliminating it. In this use case, HIPAA undoubtedly failed to solve the issue that it was primarily created to target. Evaluating the costs of enacting its policies over the last 25 years forces a simple question: what was the point?

Projection

Although HIPAA proved to be a failure when it came to addressing its main goal, the lessons and innovations that have resulted from its evolution are invaluable. Without its passing and evolution, EHRs likely would never have gained the popularity they did in the US, and the healthcare process would still be paper-based, effectively forcing patients into a less secure and less efficient situation. Going forward, however, it is abundantly clear that simple regulation isn’t enough to keep patients’ data secure. Vigilance and continued investment in actively protecting digital records are an absolute necessity, as threats are growing constantly.

This importance is shown in two ways, through both the severity and the frequency of modern-day cyberattacks. According to the 2022 Healthcare Data Breach Report published by the HIPAA Journal, 2022 was the first year since 2015 that saw any decline in the number of breaches of private patient records, albeit a decrease of only 1.13% (Alder 2023). This decrease shows that current cybersecurity measures are relatively effective, and their growth (enforced by HIPAA and HITECH) has been critical in neutralizing the steady growth of cyberattacks on the healthcare industry. However, the Report also shows that hacking/IT attack attempts are still steadily increasing, along with the severity of successful attacks (Alder 2023). As a result, despite the countless successful security measures, millions of patients are constantly at risk of having their protected health information stolen and exposed.

In addition to the increasing need for technical cyber-safeguards on protected health information, it has been shown that the human aspect of data vigilance is just as important. According to an article published by independent researchers Mary J. Culnan and Cynthia Clark Williams in a 2009 issue of MIS Quarterly, companies can use ethical practices to enforce data security by “creating a culture of integrity that combines a concern for the law with an emphasis on managerial responsibility for the firm’s organizational privacy behaviors” (Culnan & Williams 2009). By viewing privacy as not only something guaranteed by the law but also something that should be morally protected by every party involved, it is suggested that successful implementation of this strategy becomes a sort of natural experience, ensuring that the patients, physicians, and intermediaries involved in handling data are protected. This ties in with the administrative safeguard of the Security Rule, which creates guidelines for the data security training of all employees, ensuring that both the human and the technical links in the chain of handling remain secure.

However, despite these numerous benefits, HIPAA can still be viewed as a restriction on public data sharing for the common good, in fields such as research or analytics. To resolve this, secure public health can be viewed as a successful model of information sharing, where patient trust built on reputations for information security can lead to the pooling of anonymous, non-identifiable data. The goal of this is to advance public health information levels, which can help deter large-scale disease epidemics and pandemics. According to a research article published in the Berkeley Technology Law Journal on this topic, there are several steps that can be taken in the future that will not only support the goals of HIPAA and HITECH, but also pave the way for furthered public trust and ‘true’ public health information sharing. These include clarification of non-identifiable information sharing policies, coordinating campaigns led specifically by experts in the field, fostering voluntary sharing, specifying de-identification processes for specific data and, most importantly, increasing technical and non-technical privacy protections (Sedenberg & Mulligan 2015). These steps mitigate any possible negative impact of data privacy legislation, proving to be well worth the investment going forward for the sake of public health and safety.

Conclusion

The Health Insurance Portability and Accountability Act stands as a cornerstone in the realm of healthcare data privacy within the United States. From its inception almost three decades ago, HIPAA has evolved to become the hallmark of patients’ rights, the handling of medical information, and the regulation of insurance coverage. Its significance has magnified exponentially in tandem with the healthcare sector’s escalating reliance on advancing technology. At this point in the timeline, it is critical to maintain focus on the changing needs of this industry. In order to ensure successful seamlessness between healthcare and technology, every involved party needs to be vigilant in the process of handling data. The lessons of the past build the goals of the future, and HIPAA has proven to be—while incredibly ahead of its time—one of the greatest lessons of all.

References

American Medical Association. (n.d.). HIPAA violations & enforcement. Retrieved from https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement

Berger, M. C., Black, D. A., & Scott, F. A. (2004). Is There Job Lock? Evidence from the Pre-HIPAA Era. Southern Economic Journal, 70(4), 953–976. https://doi.org/10.2307/4135282

Bowers, D. (2001). The Health Insurance Portability and Accountability Act: Is it really all that bad? Proceedings (Baylor University. Medical Center), 14(4), 347–348. https://doi.org/10.1080/08998280.2001.11927786

Culnan, M. J., & Williams, C. C. (2009). How Ethics Can Enhance Organizational Privacy: Lessons from the Choicepoint and TJX Data Breaches. MIS Quarterly, 33(4), 673–687. https://doi.org/10.2307/20650322

Davis, J. (2021, January 11). HIPAA Safe Harbor Bill Becomes Law; requires HHS to incentivize security. HealthITSecurity. https://healthitsecurity.com/news/hipaa-safe-harbor-bill-becomes-law-requires-hhs-to-incentivize-best-practice-security

HIPAA Journal. (n.d.). 2022 Healthcare Data Breach Report. Retrieved from https://www.hipaajournal.com/2022-healthcare-data-breach-report/

HIPAA Journal. (n.d.). HIPAA History. Retrieved September 22, 2023, from https://www.hipaajournal.com/hipaa-history/

Honavar, S. G. (2020). Electronic medical records - The good, the bad and the ugly. Indian Journal of Ophthalmology, 68(3), 417–418. https://doi.org/10.4103/ijo.IJO_278_20

Moore, W., & Frye, S. (2019). Review of HIPAA, Part 1: History, Protected Health Information, and Privacy and Security Rules. Journal of Nuclear Medicine Technology, 47(4), 269–272. https://doi.org/10.2967/jnmt.119.227819

Moore, W., & Frye, S. (2020). Review of HIPAA, Part 2: Limitations, Rights, Violations, and Role for the Imaging Technologist. Journal of Nuclear Medicine Technology, 48(1), 17–23. https://doi.org/10.2967/jnmt.119.227827

Sedenberg, E. M., & Mulligan, D. K. (2015). Public Health as a Model for Cybersecurity Information Sharing. Berkeley Technology Law Journal, 30(3), 1687–1740. https://www.jstor.org/stable/26377580