22 Pros and Cons of HIPAA

HIPAA (the U.S. Health Insurance Portability and Accountability Act) is an effort to help workers in the United States transfer coverage, keep their health information private, and extend those benefits to their families. It was passed in 1996 to allow insurance coverage to transfer with workers if they change or lose their employment.

Additional points of emphasis for the legislation included a reduction of healthcare abuse and fraud within the system, the implementation of industry standards for information and billing, and confidential handling of protected materials.

The law requires all healthcare organizations and providers, including their business associates, to develop and then follow procedures that ensure the security and confidentiality of PHI (protected health information) whenever it is transferred. All forms of PHI, whether verbal, electronic, or written, are covered by HIPAA. Under this law, only the minimum amount of health information required to conduct business may be used.

Here are the pros and cons of HIPAA from 20+ years of its practice in the United States.

List of the Pros of HIPAA

1. It increases personal privacy in healthcare information and decision-making.
HIPAA emphasizes personal privacy for information sharing on several different levels. Buffer zones at doctor’s offices, pharmacies, and other care centers prevent individuals from hearing the specifics about a personal case. People have the right to correct their information because of this legislation as well, with permission assignment possible for who and when their health data should be shared. This process limits the personal sharing of information when it is unnecessary, which leads to fewer incidents of identity theft or compromise.

2. It prevents any form of discrimination.
HIPAA was the first step taken to limit the impact of pre-existing conditions when people seek health insurance or healthcare coverage. Limits were put in place restricting consideration of such conditions to six months, with health issues or concerns arising from working conditions a factor in those decisions. Even when there were qualifying pre-existing conditions, insurers could only delay the implementation of a policy for 12 to 18 months, depending on the medical file of the individual involved.

3. It allowed patients to contribute to their medical file.
HIPAA was the first opportunity for patients in the United States to make personal changes to their medical information. Before this legislation passed, many people were not permitted to see their medical file at all. After this law went into effect, it became possible to copy or correct the information it contained. That made it easier for everyone, but especially those with pre-existing conditions, to change jobs without worrying about the status of their health insurance at the time.

4. It created a brand-new industry to support medical professionals.
The passage of HIPAA created a new industry in the United States. Businesses that specialize in consulting with medical professionals about their data privacy and security contribute millions of dollars to local economies each year. The average salary of a HIPAA privacy officer in the United States with a minimum of 5 years’ experience is more than $62,000, according to data published by PayScale. Compliance officers may earn up to $67,000 on average, while small business owners may earn upwards of $100,000.

5. It assigns access to information based on a person’s role.
When patients provide consent through HIPAA, they aren’t giving providers blanket approval to do whatever they want with the collected data. Users within each organization are supposed to have different levels of access based on what their job requires. Most medical practices before this legislation didn’t control who had access to specific data, which meant anyone could find out something about you.

There are two steps that must be followed when assigning roles. Covered entities must identify the people in their workforce who require access to PHI for their jobs, then assign the categories of PHI to which each of them needs access and any conditions that apply to that access. Covered entities must also make a reasonable effort to limit access to PHI where no access is required.

6. It requires providers to have a data backup plan in place.
Before the implementation of HIPAA, medical providers did not have a proper backup plan in place for their organization. If you went to a doctor’s office back then, you likely saw the rows upon rows of medical files on full display. Larger offices kept an entire room dedicated to file storage. Without electronic health records, losing the paper file meant your patient data was lost for good.

Data backup systems under this legislation have a daily, weekly, and monthly rotation based on how often the data is accessed. Providers are also required to take care in how backup files, tapes, or external storage are stored. There are additional rules for online or cloud-based backups under this legislation as well.

7. It mandates that strong passwords be used when protecting PHI.
Medical professionals are just like everyone else when dealing with passwords: they choose whichever options they can best remember. Some of the most common ones used in medical settings matched the top 25 most common passwords used each year. Almost 10% of people use at least one of these easily guessed passwords, while 3% use the worst one on the list: “123456” or “password.”

Additional poor passwords which frequently make the list include “welcome,” “login,” “letmein,” and “qwerty.”

HIPAA required medical providers to use strong passwords that average brute-force cracking software wouldn’t break. That eliminated healthcare-related generic passwords, such as “Billing,” “Nurses Station 2,” or “Intake.”

8. It requires protection against malicious software.
Before HIPAA, most medical facilities failed to keep their data systems updated, if they even had one in place at all. That meant early EHRs were running on outdated operating systems and security software that needed updates and patching. New systems apply these updates automatically to reduce manual update errors, since software threats to patient data appear almost daily.

9. It forced medical providers to look at their physical security processes.
HIPAA also made entities take a look at how they stored their servers, computers, and data storage systems. Many items were kept in common areas before this legislation, where anyone could access information if staff supervision was not available. Kitchens or supply closets were other storage areas seen quite often.

Now these items are supposed to be locked behind a second door beyond the entry door to the facility. The areas should also have adequate cooling, space, and maintenance to keep the systems running. Power supplies, including backups, may also be necessary for some providers to meet the standards expected by the legislation.

10. It reduces the number of medical errors in busy systems.
HIPAA allows providers and patients to work together when building medical files. Because there are multiple parties involved with each item, the chances for errors are reduced dramatically. That process improves the overall quality of care patients receive because doctors and nurse practitioners have confidence in the quality of the data before them. Upgrades to EHRs allow research to be conducted immediately during patient interviews. That all comes together to create operational efficiencies that were not present in the healthcare system before the legislation passed in 1996.

11. It requires regular audits of the system.
HIPAA requires that all covered entities audit their systems for intrusions regularly. They’re also required to have policies in place, with specific procedures to follow, about how and when their monitoring occurs. This could be a disadvantage if a medical provider doesn’t have internal IT staff who know how to perform these actions, but it benefits the patient because it offers certainty about the security of their information. Without this requirement, many healthcare providers could be hacked and never even know the event occurred.

List of the Cons of HIPAA

1. It increased the administrative requirements of medical care.
HIPAA did improve patient access to personal information and improve coverage possibilities when changing positions. It also created an administrative headache for medical professionals, especially in the first years this legislation was active. The American Medical Association estimates that several billion dollars were spent to bring compliance with the 1996 legislation. Even today, the cost of HIPAA compliance for many industries is several thousand dollars.

2. It requires providers to pay fines when violations occur.
There is no “true” cost of HIPAA non-compliance to report. What we do know is that several multimillion-dollar fines have been issued for violations in the 20+ years of this legislation’s lifetime. Even small data breaches create costly fines that must be paid, even by small businesses or individual practitioners. Anthem once paid a 9-figure fine because of data breaches and privacy loss under HIPAA, while Tenet Healthcare paid over $30 million to resolve its issues.

3. It changed how information is released to patients.
Because of the severity of fines associated with HIPAA violations, medical providers became extremely cautious about how test results or medical issues were discussed with patients. Some fallout from this change is still felt today. Some medical offices require patients to pick up test results in person instead of mailing them out. Providers ask patients to call for results over the phone instead of contacting them when the information becomes available.

Some hospitals even started requiring doctors to submit written requests on their personal letterhead to provide patient information when referrals were necessary. Although the legislation allows the information to be provided by phone, the fear of fines creates more frustration for patients in some situations.

4. It doesn’t give patients standing if a violation occurs.
HIPAA legislation requires the U.S. Department of Health and Human Services to enforce the privacy and portability provisions it offers. If patients learn that a violation has occurred involving their information, they are not permitted to sue. The law does not give patients standing in court, which means you can’t sue companies that misuse your data.

Between April 2003 and July 2018, HHS reports that it received a total of 186,453 complaints regarding HIPAA violations. It reports that 96% of the complaints have been resolved, which leaves over 7,600 of them outstanding. No data is supplied about how long the unresolved complaints have been open.

5. It creates shortcomings in the enforcement of violations.
Patients do not usually see the investigative work performed by HHS when potential HIPAA violations occur. That has led to a public perception that the government doesn’t thoroughly investigate each complaint as it is mandated to do. The government’s own statistics seem to back up this perception.

Between 2003 and 2018, HHS investigated 37,670 of the more than 186,000 complaints it received. In 31% of the investigations it was determined that no violation occurred, while the remainder are listed as “corrective action obtained (change achieved).” There is no data showing which companies have repeated violations or fines, which keeps consumers in the dark about who protects their data and who does not.

6. It does not require consent for billing.
One of the primary disadvantages of HIPAA was its consent structure for payment. The privacy rules do not mandate that your medical provider obtain consent to submit claims to your insurance company. If you show up at the office to receive services, the business is permitted to request a claim for pay from your insurance provider without asking you about the process first. If you want to self-pay for services, HIPAA places the onus on the patient to communicate this fact to the office first.

7. It doesn’t provide a choice for information sharing in several circumstances.
HIPAA provides patients with a privacy agreement and related information on an annual basis after they receive care. Most medical providers contract with several vendors to offer services, including legal and accounting third parties. You have no choice regarding the sharing of your medical information with these vendors, and personal consent is not required. Written agreements are used with third parties to keep this data confidential, but patients are kept out of the loop in this process.

8. It doesn’t allow doctors to share information with family members.
HIPAA requires doctors to offer information to their patient only. That’s why many of them stopped sending test results or communication through the mail. Even if a spouse opens the envelope to see the results, that could technically be a violation of this legislation. That creates a lot of hassle for family members and doctors, especially when an emergency situation is being managed. Then add in the consent forms you’re required to sign before being treated, and it could be argued that the amount of bureaucracy added to the system raised the price of care more than any other contributing factor.

9. It doesn’t properly define the word “reasonable.”
Reasonable access to PHI is not fully defined by HIPAA. The legislation does say that covered entities must exercise “care and prudence” to stop someone from accessing data when it is not necessary. It also requires companies to report omissions or take appropriate steps when potential violations may be present in the environment.

Under HIPAA, you cannot deny a patient a copy of their medical records because of unpaid charges. At the same time, you cannot provide more information than is necessary in any given situation. That creates several privacy rule concerns for providers to navigate.

10. It still generates complaint reports after 20+ years of implementation.
Although one-third of complaint investigations are logged as unfounded, there are still 10 common violations which generate citations as of 2018. The most common issue involves employees who disclose information improperly. Someone gossiping about a patient to friends or a family member is enough to trigger a citation.

Another common citation involves medical records mishandling. When a hardcopy chart is used for patient records, accidentally leaving the item in the exam room for another patient to see constitutes a violation.

Having devices lost or stolen, texting patient information, using social media to discuss patient data, illegal access of patient files, home computer access, and a lack of training are all issues which generate citations each year too.

11. It provides only the relevant medical record information.
Instead of providing the entire medical file of a patient, HIPAA requires that only the relevant data be offered. That prevents someone like a collections department from being able to see a specific diagnosis, as they only get to see the billing issue. It may also cause some providers not to share the entire medical file when a patient sees a different doctor, because there is uncertainty about the situation.
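As an added example (not from the original post), the two steps described under pro #5, together with the collections-department case in con #11, expressed as a small Python minimum-necessary filter with an access log. The roles, PHI categories, access conditions and sample record are assumptions constructed for illustration, not anything HIPAA itself prescribes.

```python
# Added example: minimum-necessary access to PHI by workforce role.
# Roles, categories, conditions and the sample record are constructed.
from dataclasses import dataclass, field

# Step 1: workforce roles that need PHI, and the categories each role needs.
# Step 2 (below, conditions_met): conditions under which that access applies.
ROLE_POLICY = {
    "physician":   {"demographics", "diagnosis", "treatment", "billing"},
    "nurse":       {"demographics", "diagnosis", "treatment"},
    "collections": {"demographics", "billing"},   # never sees the diagnosis
    "front_desk":  {"demographics"},
}

@dataclass
class Workforce:
    name: str
    role: str
    assigned_patients: set = field(default_factory=set)

def conditions_met(user, patient_id, record):
    """Access conditions attached to a role (step 2 of assigning roles)."""
    if user.role in ("physician", "nurse"):
        return patient_id in user.assigned_patients     # treating team only
    if user.role == "collections":
        return record["billing"]["balance_due"] > 0     # only open accounts
    return True

AUDIT_LOG = []   # every decision is recorded so it can be reviewed later

def minimum_necessary(user, patient_id, record):
    """Return only the PHI categories this user's role needs, or {} if none."""
    allowed = ROLE_POLICY.get(user.role, set())
    if not allowed or not conditions_met(user, patient_id, record):
        AUDIT_LOG.append((user.name, patient_id, "DENIED"))
        return {}
    released = {cat: record[cat] for cat in record if cat in allowed}
    AUDIT_LOG.append((user.name, patient_id, sorted(released)))
    return released

# Constructed sample record; all values are fictitious.
RECORD = {
    "demographics": {"name": "Pat Example", "dob": "1980-01-01"},
    "diagnosis":    {"code": "J45.20"},
    "treatment":    {"rx": "inhaler"},
    "billing":      {"balance_due": 120.00},
}
```

Calling `minimum_necessary(Workforce("dana", "collections"), "P-1", RECORD)` returns the demographics and billing entries only; a nurse not assigned to patient P-1 gets an empty result and a DENIED entry in the log.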

The pros and cons of HIPAA are essential to review periodically to understand your rights as a patient under this legislation. Although changes to healthcare have occurred since 1996 that impact the implementation of some policies, your privacy is still of the utmost importance with these guidelines. If you suspect your rights were violated in some way, then you can file a complaint with the Office for Civil Rights through their online portal.


Blog Post Author Credentials
Louise Gaille is the author of this post. She received her B.A. in Economics from the University of Washington. In addition to being a seasoned writer, Louise has almost a decade of experience in Banking and Finance.