Stricter federal rules have protected the privacy of millions of patients

Editor's note:

Niam Yaraghi and Ram Gopal have published a paper titled “Profiles in patient privacy protection: How HIPAA omnibus rules effectively reduced the number of data breaches among health care providers’ business associates”. Read the full paper here.

As healthcare systems become more complex and more digitally connected, the number of professionals involved in a patient’s medical care who need access to confidential information increases. In many instances, the professionals with access to patient data are not caregivers, nor do they provide medical services directly to patients. Examples of these professionals, formally known as business associates, include third-party administrators that process claims for health plans, pharmacy benefit managers that operate insurers’ pharmacy networks, and hospital consultants. Despite their broad access to patient data, business associates are especially vulnerable to privacy breaches. Data released by the Office for Civil Rights (OCR) at the Department of Health and Human Services reveal that breach incidents among business associates have undermined the privacy of at least 27 million Americans since 2009.

Not held accountable

Given the growing importance of business associates in today’s digitized and connected healthcare system, OCR’s January 2013 publication of the final omnibus rules to the Health Insurance Portability and Accountability Act (HIPAA) represents the most significant change to healthcare privacy law in a decade. Prior to the omnibus rules, only healthcare providers were directly subject to HIPAA regulations, and business associates did not have strong market-based incentives to protect patients’ privacy. The HIPAA omnibus rules filled this gap by holding business associates to the same standards as healthcare providers. By creating civil and criminal penalties to hold them accountable, the omnibus rules also encouraged business associates to invest in complying with HIPAA and safeguarding patients’ privacy.

180 privacy breaches prevented

Using publicly available data on breach incidents between October 2009 and January 2017, my colleague Ram Gopal and I empirically test how the implementation of the HIPAA omnibus rules reduced the frequency of privacy breaches among business associates. We find that the implementation of the omnibus rules led to a significant reduction in the number of breaches among these entities, preventing 180 privacy breaches that could have affected nearly 18 million Americans.

Guaranteeing patient privacy

The successful adoption of the modern technologies and economic plans necessary to support the provision of medical care hinges on the free flow of data between different parties. Without addressing patients’ privacy concerns, technologies such as health information exchanges and economic and managerial arrangements such as accountable care organizations will not succeed. Our findings show that the implementation of the omnibus rules has been a successful strategy for protecting patients’ privacy.

Stricter oversight, better privacy protection

OCR intends to investigate smaller breach incidents that affect fewer than 500 individuals. Given the volume of resources required to conduct such audits, it is necessary to understand their potential benefits. This research estimates the effects of the omnibus rules and therefore enables regulators to conduct a cost-benefit analysis of their decision to enforce the rules on smaller breaches. Given the findings of this research about the positive role of the omnibus rules in reducing breach incidents among business associates, OCR’s decision to enforce the regulation on smaller breach incidents should further reduce their number. While this study reveals the benefits of the omnibus rules, OCR should also carefully examine the costs of the omnibus rules to gain a comprehensive understanding of the costs and benefits of further expansion and stricter enforcement.