Q&A: 20 years later, is it time for HIPAA 2.0?

Aug. 21 marks the 20^th anniversary of HIPAA being signed into law, but at least one health IT expert believes the act needs to be updated to better address modern challenges.

Since 1996, new trends in health IT have popped up which the crafters of HIPAA couldn’t have foreseen, such as the data cloud, secure text messaging, and mobile applications. At the same time, regulators have stepped up enforcement of HIPAA violations penalties, with Illinois-based Advocate HealthCare recently paying the single largest HIPAA settlement ever.

Peter Tippett, MD, PhD,  chairman of DataMotion Health, former chief medical officer for Verizon and a member of President George W. Bush's IT advisory committee spoke with HealthExec about the past, present, and most importantly, the future of the law as it reaches its 20^th birthday.

HealthExec: For physicians and professionals who weren’t involved in a practice back then, what were the privacy, security, and information exchange challenges of the pre-HIPAA world?

Tippett: First of all, there was e-mail before HIPAA, and PCs were around, and doctors used them, just like everyone else at the time. So this was not a time that was devoid of things like email.

The Hippocratic oath, among other things, we’re used to ‘do no harm’, but it’s a longer oath than that. One of the things it implores is privacy, and it’s a first principle of people in healthcare to protect the privacy in the doctor-patient relationship. So, doctors and the rest of clinical medicine were worried about privacy forever, and when this new medium came along—the PC and email and the internet and what not—they were generally not using email to send medical records or notes back and forth to each other, that generally did not happen.

It didn’t happen because they were afraid. It wasn’t that it didn’t work, it worked just fine, but generally, doctors did not use email, even though they knew their other peers would certainly know their email addresses, because they were worried about privacy and security and wanted some guidance.

HealthExec: What were some of the general principles which guided the crafting of the law?

Tippett: I would say, first off, that HIPAA was born because of demand from the medical community. It wasn’t imposed on the medical community. That’s the first thing.

The second was, when HIPAA came along, it was designed to be very open and a sort of a self-certification. It still is a self-certification. There is no such thing as a HIPAA certification. There is no body that certifies either people or organizations. You can be compliant with HIPAA or not, but that’s still you claiming to be compliant, not someone else asserting you are with some kind of certification or training or whatever.

Back then, though, the idea was to make it pretty broad and simple.

Because HIPAA was so open and based on this notion of a risk assessment that, I thought, was liberating; I thought it was a great idea at the time. I know Bill Braithwaite (MD, PhD, considered the author of HIPAA) thought it was a great idea at the time, but it turns out that the community of companies who would consume this, who need to do this—hospitals and health insurance agencies and everybody else who handles personal health insurance information—those people didn’t know what a risk assessment was, and didn’t know what it meant to do one, and neither did most anybody else.

They’d get advice from a lawyer, and advice from their auditor, and advice from some other firm or some specialist, and it’d be three different kinds of advice, because compared to the payment card industry standard, for example, called PCI, that was 12 rules. The rules were written at a high level and each one had explicit sort of detail. If the (PCI) certifier said you were good, you were good. That’s a very different thing from HIPAA.

That’s how this thing got going. It has since been defined largely by the community of experts arguing over what these things meant and creating guidelines and checklists and interpretations. Of course, since then, there’s been some revisions and HHS itself and others have come in with guidance and the ability to ask questions and so on, so it has become more clear over time.

HealthExec: When did the concerns over the law being too vague start to calm down?

Tippett: I’m not sure it has calmed down. Most people now look at HIPAA as an onerous, painful thing that’s in the way of progress. Most technologists in the health IT space blame HIPAA for the inability to do all kinds of things.

I would say today the confusion is probably bigger than ever. Even though there’s lot of interpretation, most people, most lawyers, most senior auditors, most board of directors, most health IT people, in covered entities, tend to operate way on the conservative side of what the rules actually are.

HealthExec: Obviously technologies have sprung up in the past two decades which couldn’t have been foreseen by HIPAA. Did the open-ended nature of the law help or hurt when it came to adapting to technological advancements?

Tippett: I’ve come to believe that being precise and explicit and having a few rules that could evolve quickly over time to take in the new issues is probably a better way to go about things than we did with HIPAA. I was a big fan of the approach at the time, don’t get me wrong.

I think the good news is the world of IT is worried about privacy and security, and they are serious about doing the right thing on behalf of patient data. This stuff is all built into the fabric now of health IT, and most IT people have a good sense for how this works. Everyone has to be trained on privacy or they can’t come near personal health information and they have to be trained particularly on HIPAA-related privacy.

If I flip that around, say ‘Are we doing the right things?’ This isn’t exclusive to HIPAA or healthcare, in general, around information security, we tend to fix things that are less important.

HealthExec: So where has HIPAA fallen short and led to these misplaced security priorities?

I’ll give you the most glaring example of all that. For this notion of risk, you need both attacks and vulnerabilities. You need both of those to create risk, but people, being human, worry more about vulnerabilities because they can’t quite understand whether the attack is ever likely, is ever going to happen, (or) has ever happened.

So we get all strung up about things like encryption, which works really well in some cases and is completely useless in others, and we tend to put it in the wrong places.

The most common problem today is we can’t figure out who is logging in. People login with other people’s user IDs and passwords, and it doesn’t matter how good the password is, but north of 80 percent of all computer crime in the last ten years has to do with the fact that even a strong password is stolen by the bad guy and they login on behalf of the administrator or the doctor and steal the data.

The problem that needs to be fixed is making that login stronger. Stronger passwords don’t do it. We need to do something, it’s called two-factor authentication, or other things, that make it easier to make that strong.

We are putting our energy around whether it’s a patient logging in or a doctor or an administrator or anybody else. Those all tend to be simple things. So if we put our energy onto just that one thing, we’d reduce the risk by at least 80 percent. Any single other thing we do can’t get past 5, 10, or 20 percent individually in reducing risk, so we’re not putting our energy where it belongs.

HealthExec: Recently, HHS issued the largest single HIPAA fine to Illinois-based Advocate Health Care for $5.5 million. What does that say about how enforcement of the HIPAA has changed?

Tippett: HIPAA gained teeth a couple of years ago. Before that, it was a law without a lot of bang for the buck, not much enforcement capability. Now, HIPAA has more enforcement capability than most other standards. Not only can HHS bring fines, but other organizations, like the Office of Civil Rights can, or attorneys general in states or the federal governments could.

There’s a lot of attention on this and big fines like the one you described are important to bring to the surface that this stuff is real.

Some of the studies I’ve seen, and I believe when you compare industries about which industries are doing a better of job on computer security show that healthcare, in general, is behind, say, banking, at a large, large order, despite everyone in healthcare thinking healthcare data is more important than dollar data.

HealthExec: In your opinion, what changes need to be made to HIPAA?

Tippett: On the HIPAA regulatory side, I don’t know how this could actually be accomplished, I’d love to see a reconvening to get a sort of HIPAA 2.0.

The main things I’d like to see happen there are aligning the guidance with the reality of risk in the general world. More emphasis on countermeasures that work against the real problems that the real world is actually having, and less emphasis on the other stuff.

I’ll give you the most concrete example that jumps out to almost any information security professional is when you leave your laptop in a taxicab as a doctor and it has some patient information on it, that’s considered a breach by HHS, if it was stolen or lost and the hard drive was not encrypted. If you go on HHS’ own website and find out how many breaches happen, the vast majority of them are someone leaving their laptop or having their laptop stolen that had some patient records on them.

The vast majority (of cases), probably 10,000 to 1, huge numbers, nobody even bothers to try to look at the data on the laptop. There’s nothing there, and yet this is the number one thing that we call a breach. It is exceedingly unlikely there would be an actual loss of data.

The computer security community doesn’t call it a breach unless the laptop was lost and the data was used for something nefarious. The data was accessed or whatever. So we have different terminology in this world, so I’d like a little better alignment there.