HIPAA was introduced in 1996 to protect patient privacy and enable individuals to control their health records. However, over the last 30 years, the proliferation of technology has enabled patients to collect, transmit, and store personal health data in ways that were unimaginable to the original authors of the legislation. This article discusses how the definition of protected health information may expand in the future to account for new types of data, covered entities, and technologies.
Protected Health Information Today
Under the current iteration of HIPAA, protected health information, or PHI, is defined as “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:
- An individual’s past, present, or future physical or mental health or condition.
- The past, present, or future provisioning of health care to an individual.
- The past, present, or future payment-related information for the provisioning of health care to an individual.
For protected health information to be “individually identifiable,” the data must be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with health data, would constitute PHI.
In addition, under today’s HIPAA rules, only covered entities and business associates must abide by the regulations. Covered entities fall into three categories:
- Healthcare providers include hospitals, doctors, clinics, pharmacies, nursing homes, psychologists, and other providers.
- Health plans – Health insurance companies, company health plans, HMOs, and Government-paid health care plans such as Medicare are all considered health plans.
- Healthcare clearinghouses – These entities either process or facilitate the processing of health information they receive from other entities.
Business associates include a wide range of companies, but most importantly, they are contracted by a covered entity to perform a business function involving PHI. Business associates can include web hosts, billing companies, marketing agencies, legal firms, accountants, and more.
The Future of Protected Health Information
As the world has rapidly changed, new technologies that challenge how we think about personal health data have evolved. IT security teams must consider future security challenges and regulatory changes to futureproof their organization and mitigate risks. Below we explore how technology and PHI have progressed in a way that is pressuring regulators and legislators to protect patient privacy.
The smartphone was still a decade away from being invented when HIPAA was introduced. In today’s world, the success of the iPhone has trickled down to other internet-connected smart devices like watches, scales, and other wearable devices. Even medical devices, including heart rate monitors and remote patient monitoring devices, can be found in people’s homes today. When medical providers ask patients to use these devices to capture biometric data, HIPAA rules apply.
But what about when healthcare providers do not recommend these technologies? If a consumer wants to use an application to record their daily activity, record their weight, or monitor their heart rate without direction from a doctor, HIPAA does not apply. However, due to the sensitivity of the data and lack of consumer understanding, some are calling for additional privacy protections for device and application manufacturers. It is not hard to imagine that any application designed to collect, store, or transmit health data will become subject to stricter regulations regardless of whether they are involved in an individual’s healthcare.
New Types of Data
When HIPAA was envisioned, genetic science was progressing but still confined to the upper levels of academia and research. Improvements in genetic testing and increased knowledge of the human genome could completely alter what is defined as PHI and how individuals interact with their healthcare providers. In 2013, amendments to the Privacy Rule clarified that genetic information is PHI and needs to be secured. However, over the past decade, genetic testing capabilities have exploded. Anyone can order a genetic test from numerous consumer-facing companies. As a result, personalized medicine is thriving and is likely to grow over the next decade.
As doctors have more access than ever before to information about our genomics, it’s of the highest importance to ensure it is secured.
Change is On The Way: Are You Ready?
Covid-19 rapidly accelerated many of these technological changes, and recent events in the news have already sparked changes to HIPAA enforcement. For example, the use of online tracking pixels to collect and transmit PHI recently caused OCR to issue a statement on their proper use. In addition, last year’s Supreme Court decision in Dobbs vs. Jackson Women’s Health spurred many reproductive health-tracking apps to take additional steps to protect users’ data. The incident highlighted just how much personal health data is contained in unregulated applications.
Even without government intervention, organizations that process health data must secure it to build consumer trust and differentiate from the competition. With breaches and cyberattacks on the rise, only the best-prepared organizations will be able to grapple with future challenges and regulatory changes.