A Look Back at HIPAA’s Data Breach Security and Protection History

July 2, 2013 by ofonseca

For healthcare businesses, the wait is over.

When the Department of Health and Human Services (HHS) released its Omnibus Rule on January 17, 2013 amending the HIPAA privacy and data breach protection laws, it capped a 17-year evolution of medical cyber security regulations. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted and contained provisions that required the establishment of national standards regarding the security and privacy of exchanging patient electronic health records (EHR).

The standards were meant to improve the efficiency and effectiveness of the U.S. health care system by encouraging the use of electronic records and proper data exchange between healthcare providers.

Then in 2009, along came the Health Information Technology for Economic and Clinical Health (HITECH) Act, which promoted the use of EHR systems by containing financial incentives for providers who adopted EHR. Following the passing of HITECH, the HHS also issued interim final rules to strengthen existing HIPAA data protection and security rules by widening the liability for HIPAA violations to include business associates such as medical software vendors. This increased liability now forced providers to have contractual agreements in place with all their vendors regarding compliance issues. In addition, providers and their business associates were required to notify patients and the HHS of any medical data breaches or face severe fines. From a financial standpoint, the interim rules forced healthcare businesses to make sure they had compliant EHR systems in place that included transparency and accountability or risk losing their HITECH incentives.

The evolution to protect a patient’s privacy is now complete, as one of the key rulings in the new Omnibus Rule is the expanded definition of business associates to include third-party vendors that handle patient data when performing legal, accounting and other services required by medical businesses. Under the Omnibus Rule, any entity that fits the definition, even if it does not have a business associate agreement, must still comply with the HIPAA Security Rule. The final rule’s expansion of liability to include all who deal with EHR is further demonstration of the importance of medical data privacy and security and of how every healthcare business entity, no matter how large or small, can now be held accountable.