Lawmakers, providers and patients review HIPAA and HITECH’s legacy

HIPAA is almost 25 years old, and articles have begun looking at its impact. Lawmakers first enacted the landmark law in 1996, the year before the invention of the DVD. Aiming for security and privacy in U.S. health care, HIPAA began in the era of mostly paper records.

Later updates, especially HITECH (Health Information Technology for Economic and Clinical Health), soon made advancements.

HITECH grappled with some of the realities of digital patient records. In fact, lawmakers meant for HITECH to encourage and speed the move to digital records while laying down guidelines for it.

Security law reaches beyond health care providers

HITECH expanded the accountability for keeping health care data private and secure beyond just health care entities like plans and providers to their “business associates.”

Under HITECH, even a company that only handles data on behalf of a health care provider falls under HIPAA regulations.

Notifications must go out when the private information of patients/customers is compromised in any way. Notifications go to the customers and to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services.

Data breaches becoming even more frequent and costly

Fines for information breaches have broken records in recent years. Headlines regularly report fines of over $1million.

In 2018, an investigation following a massive data breach led to the nation’s second-largest health insurer paying $16 million to the OCR, the largest fine ever levied for a violation.

Despite HITECH, breaches appear to be getting not only more expensive but more common as well.