HIPAA at 25 remains a work in progress

Anita Allen argues that while HIPAA has delivered meaningful benefits to consumers, it still needs updating to address new and emerging privacy challenges.

As the Health Insurance Portability and Accountability Act of 1996(HIPAA)—which was a step toward greater health information privacy—turns 25, U.S. health disclosure norms are changing, with openness and sharing becoming more commonplace.

Folders full of alphabetized medical records on a shelf.

For many Americans, however, health information remains among the most sensitive of categories of personal information. Although its disclosure can have notable benefits, it can also lead to embarrassment, social censure, and discrimination. Confidentiality in the provider–patient relationship may encourage people to seek medical attention and discuss their symptoms and behaviors frankly.

From the perspective of privacy rights, celebrating a single birth date for HIPAA feels wrong. HIPAA’s personal privacy and security regulations arrived neither all at once nor fully formed.

Today, HIPAA is best viewed as a framework of evolving regulation that’s revised periodically in response to demands of biomedical innovation and public health in the digital age. That capacity for adaptive modification is among the greatest strengths of HIPAA and its rules—a strength lost on critics who judge HIPAA in isolation.

HIPAA was not destined to be a “one and done” law. Given innovations in medical informatics, encryption, genomics, medicine, “big data” analytics, wearable health devices, and telemedicine, it’s not surprising that its requirements have been supplemented and amended several times.

HIPAA thus gradually ushered in a sweeping new legal landscape for health information privacy. It slowly replaced the genteel approach to patient confidentiality, based largely on custom and trust, with a modern regime of technically regulated individual rights and responsibilities. Because of HIPAA regulations, patients and consumers are more able to understand and control how their health information is used and disclosed. Today, vehement opposition to HIPAA is unusual, and compliance is strong. Most HIPAA violations involve unauthorized disclosures, inadequate record disposal, poor training, dishonesty, hacking, data breaches, or identity theft.

The COVID-19 pandemic has revealed the extent to which our technology infrastructure allows employers and public health officials, for better or worse, to track, trace, and monitor people’s symptoms, illnesses, and contacts. HIPAA regulations may be an institutional headache, but medical identity theft, ransomware attacks, data breaches, weak encryption, de-anonymization risks, wearable devices generating sensitive data, big data analytics, and discrimination are bigger headaches. Strong, well-informed regulations, with periodic revisions, can continue making a positive difference.

This opinion piece is by Anita Allen. Read more at The Regulatory Review.

Anita L. Allen is the Henry R. Silverman Professor of Law and Professor of Philosophy at the University of Pennsylvania Law School.