In 2013, the U.S. Department of Health and Human Services made a significant change to the nation’s health care privacy law by finalizing the omnibus rules of the Health Insurance Portability and Accountability Act (HIPAA). The new rules expanded coverage of HIPAA to include business associates of health care providers, holding them to the same compliance standards as the providers themselves. Previously, business associates such as accounting firms, technology consultants, and others that have access to individuals’ personal health information were not subject to civil or criminal penalties for violating HIPAA.
In a new study, Niam Yaraghi and Ram Gopal use data on breach incidents occurring in the years before and after the rules change to analyze its effect. Their results, visualized below, show that implementation of the omnibus rules led to a significant reduction in the number of privacy breaches among business associates, preventing 165 breaches that could have affected nearly 17 million Americans.