“Private” Health Information: The Good, the Bad, and the Ugly

January 23, 2017

Did you know that your private health information is protected by law? In 1996, the federal government signed the Health Insurance Portability and Accountability Act (HIPAA) into law. HIPAA’s primary function is to protect workers and their families from losing health insurance coverage when they change or lose their jobs (portability). HIPAA also protects the privacy and security of individually identifiable health information (accountability). HIPAA turned twenty last year. Let’s see how it’s doing.

The Good

In my opinion, HIPAA’s best qualities are longevity and responsiveness. Since 1996, HIPAA has seen numerous updates which expand patient privacy and increase organizational accountability. After being signed into law, the HCC began writing the privacy Privacy Rule, which went into effect in 2003. The Privacy Rule defined Private Health Information (PHI) as any healthcare-related information which can be linked to a particular individual. The Security Rule followed in 2005 and established administrative, physical, and technical guidelines for handling electronic Private Health Information (ePHI).


In 2006, the Enforcement Rule gave HSS the ability to investigate complaints related to the Privacy and Security Rules. It also allowed HSS to fine organizations which failed to comply with these guidelines. 2009 heralded the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH). This update incentivized organizations to store PHI in digital formats, but required them to report data breaches in excess of 500 people. The HITECH rule also required healthcare organizations to update Business Associate Agreements for HIPAA compliance


In 2013, the final OMNIBUS rule strengthened existing HIPAA and HITECH regulations. While it allowed healthcare organizations to keep PHI indefinitely, it also required organizations to encrypt protected health information. In 2011, HHS also began conducting compliance audits in order to motivate organizations to reach compliance. The federal government hasn’t released their results, so I decided to do some digging.

The Bad

In 2014, Forbes magazine asked the question, “is anyone HIPAA compliant?” Unsurprisingly, the answer was complicated. Many healthcare organizations adhere to HIPAA regulations, but many more are not compliant. According to one HIPAA compliance survey, only 58% of organizations had a compliance plan in 2014. In 2016, that number rose to 70%, a marked change, but compliance also decreased in a number of areas. Between 2014 and 2016, the number of organizations that provide HIPAA training decreased from 62% to 58%. During the same time period, the number of organizations which employ a security officer decreased from 56% to 53%, and the number of organizations which employ a privacy officer decreased from 56% to 54%. Given that more organizations have plans to become compliant, it’s alarming to see that compliance has actually decreased in three key areas.


As I mentioned in the last section, the OMNIBUS rule was finalized in 2013. Three years later, only 69% of healthcare organizations are aware of HIPAA’s latest update. This trend can also been seen in Business Associate Agreements (BAAs). 2014 marks five years since the HITECH Rule was passed. Nevertheless, only 60% of the surveyed healthcare organizations were aware that they needed to update their BAAs for HIPAA compliance. By 2016, that number increased to 68%. Compliance, on the other hand, did not see the same improvements. Between 2014 and 2016 the number of organizations who reviewed and updated their BAAs only increased from 45% to 48%.

The Ugly

HIPAA compliance is lowest when it comes to electronic devices. Between 2014 and 2016, the number of organizations who have cataloged electronic devices, which contain PHI, has only increased from 27% to 33%, while the number of those who haven’t begun cataloging their devices has shrunk from 27% to 22%. Additionally, as of 2016, only 37% of surveyed organizations are confident that their electronic devices comply with HIPAA regulations.


Furthermore, more organizations are using electronic means of communication to reach patients. Since 2014, email and social media usage have increased by 1% and 2%, while text messaging increased from 29% to 35%. On the other hand, the same organizations report low levels of confidence that communications are HIPAA compliant. Since 2014, confidence levels regarding mobile and email have flat lined, while confidence that text and social media are HIPAA compliant has increased by 1% and 3%, respectively. In light of recent election interference and increasing rates of cyber terrorism, it’s concerning that less than half of the surveyed healthcare organizations are confident in their means of electronic communication.


Though our private health information is protected, organizations are inconsistent when it comes to compliance. As I mentioned in “the good,” the HCC began conducting compliance audits in 2011 in order to raise compliance levels. However, only 40% of healthcare organizations are even aware that these audits are occurring. That number is up from 32% in 2014, but it’s troubling nonetheless. As we move forward, awareness is key. Talk to your healthcare provider and local lawmakers and make sure they know that HIPAA compliance needs to be a priority.

Leave a Reply

Your email address will not be published. Required fields are marked *