Health Policy$ense

HIPAA Turns 25, and It’s Adapting Nicely

From contact tracing to vaccination status, the pandemic brought with it a wide range of issues around privacy and the sharing of health information, often telegraphed as “HIPAA” concerns. But few people understand the origins of the Health Insurance Portability and Accountability Act, or HIPAA, and how it strikes a delicate and changing balance between protecting private health information and facilitating data sharing. A recent NEJM Perspective piece by Anita L. Allen and accompanying interview with the author provides a clear and informative history of HIPAA and how it has evolved to respond to changes in health information technology.

Anita Allen, JD, PhD
Anita Allen, JD, PhD is an LDI Senior Fellow, Henry R. Silverman Professor at Penn Law and a Professor of Philosophy in the School of Arts and Sciences at the University of Pennsylvania.

HIPAA was signed into law in 1996, but much of the privacy protections we associate it with were actually codified in Privacy Rule regulations published four years later, and full compliance wasn’t required for all covered health care entities until 2006. Since then, covered providers and health plans must protect identifiable patient health information and obtain consent before disclosing or using that information for treatment or business operations.

As Allen outlines, HIPAA Privacy Rule regulations balance two critical, but potentially conflicting, needs: protecting consumer privacy while also facilitating access to information and technology that improves health care and makes it more efficient. Innovation and scientific advances have tested this balance over time, necessitating revisions. For example, the George W. Bush-era Genetic Information Nondiscrimination Act (GINA) of 2008 amended HIPAA to prohibit payers and employers from using genetic information in health insurance and employment decisions. A year later, the Obama Administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act was established to encourage adoption of electronic health records, but also enhanced HIPAA and GINA to better protect consumer privacy. An Omnibus Rule made further privacy-related changes to HIPAA, GINA, and HITECH in 2013, and even now, the Department of Health and Human Services is seeking additional information-sharing modifications to facilitate care coordination, value-based payments, and individual patient access.      

In recounting the law’s history and evolution, Allen highlights a real strength of HIPAA—its dynamism. As she points out, it isn’t always easy to adapt existing policy to the changing times, even when change is desperately needed. But HIPAA isn’t perfect, and she advocates for two major changes to protect consumers against new and emerging privacy threats. First, she notes that the law only protects against the sharing of identifiable health information, and hackers are becoming increasingly adept at re-identifying and using for malicious purposes once de-identified information is shared. Policymakers should thus expand HIPAA to address this gap. She also notes that HIPAA should be strengthened to address not only the privacy of information, but also invasions of physical privacy (for example, through hidden cameras) by health care entities.

In this piece, Dr. Allen gives us reason to appreciate policymaking that works: HIPAA filled a critical gap and, along with its companion laws and regulations, has kept pace with changing policy needs over the past 25 years. Will HIPAA be as successful in meeting the challenges of the next 25 years?  We’ll have to check back with Dr. Allen before then to find out.

The perspective piece, HIPAA at 25 — A Work in Progress, was published in New England Journal of Medicine on June 10, 2021. Anita L. Allen is the author.