HIPAA’s Strengths and Limitations

President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law on August 21, 1996. The more than two decades since the Department of Health and Human Services (HHS) issued its administrative simplification rules pursuant to HIPAA have revealed the rules’ strengths and limitations. HHS’s privacy rule is illustrative of these strengths as well as needed opportunities for improvement. HHS’s recent enforcement of the privacy rule’s individual rights provisions, including the privacy rule’s right to access protected health information (PHI), is an area of significant strength. The privacy rule establishes a series of rights for individuals who are the subject of PHI, including the right to receive a notice of privacy practices, the right to request additional privacy protections, the right to access PHI, the right to request amendments of PHI, and the right to receive an accounting of disclosures of PHI. In the first few years following the compliance date for the privacy rule, numerous covered entities reportedly violated privacy rule requirements without enforcement consequences, leading many analysts to suggest that HIPAA was “all bark, no bite.” In the context of the privacy rule’s right to access PHI requirement, the first civil money penalty was not imposed until 2011, almost eight years after the privacy rule’s compliance date, when HHS’s Office for Civil Rights (OCR) determined that Maryland-based Cignet Health denied forty-one patients access to their medical records. HHS explained that Cignet Health violated the privacy rule, which “requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.” Since 2011, covered entities have continued to violate patients’ right to access their PHI. In response, the OCR announced a Right of Access Initiative. The initiative’s purpose has been to prioritize enforcement of individuals’ right to access their PHI, including their medical and billing records, under the privacy rule. HHS has stayed true to its initiative. OCR has settled nineteen investigations under the initiative. The most recent settlement involved Diabetes, Endocrinology & Lipidology Center, Inc. (DELC), a West Virginia-based health care provider that serves individuals with endocrine disorders. In 2019, DELC failed to respond to a parent’s request to obtain a copy of her child’s medical records. After OCR’s investigation, DELC finally provided the requested records, agreed to take other corrective action, and paid the government a $5,000 settlement amount. Acting OCR Director Robinsue Frohboese explained that “it should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records” and that “covered entities owe it to their patients to provide timely access to medical records.” The scope of the privacy rule’s regulated entities is one opportunity for improvement. The original HIPAA legislation stated that HHS’s administrative simplification rules should only apply to health plans, health care clearinghouses, and health care providers that transmit health information in electronic form for certain standard transactions, including health care claim transactions. As a result, the early versions of the privacy rule—proposed by HHS in 1999, finalized in 2000, and modified in 2002—directly regulated just those three categories of covered entities. HHS repeatedly clarified that the civil and criminal penalties set forth in the HIPAA statute could only be imposed on those three categories of covered entities. Business associates—persons who need access to PHI to perform certain functions or activities for or on behalf of their covered entity clients—were indirectly regulated only by the terms of their business associate agreements. The narrow scope of regulated entities changed on February 17, 2009, when President Obama signed the American Recovery and Reinvestment Act into law, which included the Health Information Technology for Economic and Clinical Health Act (HITECH). Section 13404(a) of HITECH mandated the direct application of the privacy rule to business associates. Section 13404(c) further clarified that HIPAA’s civil and criminal penalties could be imposed on business associates, not just covered entities. HITECH’s expansion of the class of directly regulated entities was important. A wide range of health industry service providers—including accountants, actuaries, attorneys, billing companies, claims processors, consultants, data aggregators, data analyzers, quality assurers, and utilization reviewers—became directly responsible for protecting the privacy of their health industry clients’ PHI. Since 2009, technological advances and public health crises have revealed additional individuals and institutions that collect, obtain, maintain, use, disclose, or sell individually identifiable health information but do not fall within the definition of a covered entity or business associate. Mobile health and research applications collect voluminous health data, for example, but many are not regulated by the privacy rule. Wearable devices also collect a wide range of health data but not all are regulated by the privacy rule. During the COVID-19 pandemic, both in-person contact tracers and electronic exposure notification services collected or disclosed infectious disease data. The privacy rule does not regulate all of these contract tracers and notification services. Congress has several options for remedying the still-narrow application of the privacy rule. One option is to enact new legislation requiring non-covered entities and non-business associates to protect the privacy of individually identifiable health information. Legislation introduced during recent congressional sessions focusing on the data privacy risks associated with mobile applications, wearable devices, and infectious-disease exposure notification services would do just that. To date, Congress has introduced eight bills that address these data privacy risks, but not one of these bills has been signed into law. A second option is for Congress to expand the classes of individuals and institutions that meet the definition of a HIPAA covered entity. Recall that HITECH expanded the direct application of the privacy rule to include business associates in 2009, more than twelve years after President Clinton signed HIPAA into law. There is no reason Congress cannot expand the definition of covered entity twenty-five years after the enactment of HIPAA. To do so would be a fitting celebration of the twenty-fifth anniversary of this important statute