HIPAA Turns 20: A Look Back at Its Impact

By Scott E. Rupp, via Multibriefs

In August 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by then-President Bill Clinton. Twenty years later, with Clinton's wife possibly on the verge of a presidency of her own, HIPAA still remains a pivotal point of policy and contention throughout the lexicon of the American healthcare system.

Despite its age and divisiveness, HIPAA still matters.

As MedCity News aptly points out, HIPAA — now seemly branded as a security measure for all things potentially wrong with health information sharing, breach or hack — was originally designed to address portability of health insurance and limiting the ability of "insurers to exclude coverage of pre-existing conditions" to people. The law of the land became the standard bearer for healthcare administrative transaction and a national system of provider identity codes.

HIPAA's original language also called for a national patient identifier, a massive undertaking at the time, but this part of the legislation continues to be blocked by Congress by lack of funding, and has led to countless efforts by figureheads and healthcare leaders to reignite the flame. Even this year, several efforts have been made to keep the effort alive, but that's somewhat beside the point in regard to where we are currently at with HIPAA at its two-decade birthday.

HIPAA, like Xerox and Kleenex, is a brand bigger than itself now. It still has a great deal of real-world influence and power over healthcare, yet in the current state of information storage, exchange, hack and breach, HIPAA seems more like a part of the American lexicon than a catch-all enforcement mechanism that can keep personal information safe, or at least safely regulated.

But HIPAA doesn't provide us all of the protections we think it does. Often, HIPAA serves as more of a barrier to patients getting access to their information, while those business models depending on our health information seems to have easy access to it. When HIPAA was created, paper records held our health information. That's obviously not so any longer, and the information in those records is dumped into vast databases.

"Both researchers and businesses that barter in your health information mine that data," STAT reports. "Genomic research has exploded. And the federal government is pushing precision medicine, connecting disparate streams of patient data to find cures for chronic diseases."

We rely on this research, but that means access to our scrubbed information, which most of us don't know is occurring because most of us believe HIPAA prevents such a practice. Regardless of your political preference, HIPAA is much different today than it was two decades ago. And, in that time, we've learned some things.

For example, based on NueMD research published earlier this year, annual staff training within the practice environment for HIPAA compliance dipped slightly from 62 percent in 2014 to 58 percent in 2016. Likewise, the number of respondents reporting having formal HIPAA officers in place also dropped from 2014 to 2016. In 2014, 56 percent of respondents said they appointed a security officer, while 53 percent said the same in 2016.

Overall, HIPAA compliance stayed relatively stable from 2014 to 2016. Two years ago, 38 percent of respondents said they were confident their organization was ensuring HIPAA compliance. That number rose to 40 percent in 2016. In 2014, 19 percent of respondents were not at all confident in their organization's ability to be HIPAA compliant, but that number dropped to 17 percent in 2016.

Perhaps this information provides some context as to what we know about HIPAA versus what we think we know about HIPAA. When HIPAA turns 40, there's a strong possibility it will look nothing like it does today at 20.

Scott E. Rupp is a writer and an award-winning journalist focused on healthcare technology. He has worked as a public relations executive for a major electronic health record/practice management vendor, and he currently manages his own agency, millerrupp. In addition to writing for a variety of publications, Scott also offers his insights on healthcare technology and its leaders on his site, Electronic Health Reporter.