This year, the April Journal of AHIMA marks the HIPAA Privacy Rule’s 10th birthday with a cover story. In the piece, many heavy-hitters of the healthcare world weigh in, none heavier than Leon Rodriguez, director of the Office for Civil Rights of the US Department of Health and Human Services — the top HIPAA enforcement officer in the country.
“Enforcement has matured along with industry knowledge and capacity to meet the standards,” Rodriguez said. “Early on, we placed an emphasis on learning and helping covered entities weave compliance into the fabric of treatment, payment, and healthcare operations. The HITECH Act brought a stronger enforcement arm to the HIPAA Privacy and Security Rules, resulting in $14,883,345 in resolution amounts and monetary penalties to date. Tools such as breach notification and audit are achieving our twin objectives of increasing public transparency and accountability of covered entities and their business associates.”
HIPAA’s been trumpeted by patient advocates — led by social media stalwarts Regina Holliday and “e-patient” Dave deBronkart who fight to open access to health data. Some detractors find the rule onerous and nonspecific, and at minimum wish for federal authorities to clarify where compliance ends and common sense starts. Still other folks like Texas psychiatrist and patient privacy champion Deborah Peel, M.D., believe the law doesn’t go far enough, saying at the PHI Protection Network’s recent forum in Cambridge, MA that she feels HIPAA isn’t a privacy rule at all, but a “disclosure rule,” spelling out in detail when healthcare entities have explicit permission to disclose patient information.
No matter where you stand on HIPAA there’s no denying that it at least gets healthcare providers thinking about patient privacy and helps organize their efforts to do so in a more consistent manner than no rule at all. Would they have done it without such regulatory prodding? Probably, because many providers who experience data breaches immediately understand that it’s bad for business, torpedoing trust among their customers — the patients in their communities.
Still, we’re all patients, in the end. It’s obvious we need to have control over our health data in the same way we have control over our financial data, whether we’re the CEO of a large integrated delivery network or Uncle Milt, the retired used car salesman from Dubuque. Whether the healthcare system has caught up with HIPAA’s gestalt of protecting patient data or not, you can count your own health privacy among the inalienable rights granted with U.S. citizenship. HIPAA carries that one big benefit, despite all the warts the people it regulates complain about. Here’s to the next 10 years, in which the HIPAA omnibus rule will shape health privacy and security policies for the digital age.