GILDED, BUT NOT GOLD: HOW AN OBSOLETE HIPAA IS UNABLE TO FIGHT MEDICAL SOFTWARE BREACHES.

Author:Thai, Cecilia
  1. Introduction

    During this day and age, data breach paranoia has been sweeping the nation. (1) In 2017, Equifax, a credit report company, suffered a data breach that affected 143 million Americans. (2) Even Facebook, the world's most popular social media platform, recently faced a data breach of its own. (3) There have been many other similar occurrences in the past few years. (4) Despite the security concerns posed by such breaches, consumers continue to use online networks that may be vulnerable to hackers. (5) This includes the use of mobile applications ("apps") which carry their own inherent security risks. (6) As of January 2020, there are roughly 4.41 million mobile applications in the Google Play and Apple Stores combined. (7) Despite the apparent vulnerabilities of smart phones, the public continues to use mobile apps because of their convenience and easy accessibility. (8)

    Mobile apps have made their way into the health sector as well. (9) These health-based apps are for consumer purposes, with programs such as MyFitnessPal, Weight Watchers, and the American Red Cross's First Aid being rated among the best health mobile apps. (10) Many of these apps are intended to directly help with assisting people with certain health conditions. (11) in contrast, there are also numerous mobile apps that allow patients to access their medical records directly from their healthcare providers. (12)

    These mobile health ("mHealth") apps have the ability to mitigate the cumbersome process of obtaining one's medical record. (13) The mHealth apps serve as patient portals, allowing users to directly access their medical records without going through the traditional process. (14) Regardless of the type, all mHealth apps lack a stable regulatory framework that would protect against privacy and security breaches. (15) Security risks can result from a non-secure server, network, or application. (16) Even the Health Insurance Portability and Accountability Act ("HIPAA"), is not capable of protecting mHealth users, nor will it ever be able to in its current form. (17)

    Though HiPAA carries weight in the medical community now, it was widely considered "better than nothing" among health reformers when its original form, the Kennedy-Kassebaum Bill, first became law. (18) To make matters worse, over the past several years the United States Department of Health and Human Services ("HHS") has been amending HiPAA by enacting rules that it hopes will solve the problem of medical-based technology breaches. (19) Instead of helping the medical profession, the abundance of new rules has muddied HIPAA with confusion. (20) Many doctors dislike HIPAA because it is "making doctors' jobs more difficult and, in some cases, affecting current and future patient care." (21) Moreover, HIPAA is outdated and cannot handle the new technological advances that have arisen in the health industry. (22) HIPAA already struggles to provide security to patient information stored in electronic health records ("EHRs"), and it is surely not equipped to protect patients using mHealth. (23)

  2. History

    1. Before the Enactment of HIPAA

      Long before HiPAA, when doctors used mostly paper in providing healthcare services, medical professionals were held by simple standards to protect patients' confidential information. (24) One historic standard that is still applied today is the Hippocratic Oath, which originated in ancient Greece and states as follows: "What I may see or hear in the course of the treatment or even outside of the treatment in regard to life of men, which on no account one must spread abroad, i will keep to myself, holding such things shameful to be spoken about." (25) Unfortunately, the Hippocratic Oath alone was not enough to prevent medical professionals from releasing patients' confidential information. (26)

      After the birth of the United States, patient confidentiality gained another layer of protection under the United States Constitution's Bill of Rights, which provides the right to privacy in medical records. (27) In a recent case, Hancock v. County of Rensselaer, (28) the Second Circuit held that "even individuals with non-stigmatizing medical conditions have a right to privacy in their medical records, even if their interest in privacy might be less." (29) Although this falls under the fundamental right to privacy, the right itself is not absolute. (30) In Whalen v. Roe, (31) the Supreme Court held that medical information pertaining to drug use did not fall within the constitutional "zone of privacy." (32) Even though there is a constitutional right to medical privacy, legislators wanted more assurance that patients' information would be protected. (33)

      HIPAA became the successor of the Health Security Act of 1993 and 1994 after President Bill Clinton signed the Kennedy-Kassebaum Bill. (34) The Kennedy-Kassebaum Bill had two named objectives: (1) Health Insurance Portability, which ensured that patients could keep health insurance between jobs; and (2) Accountability, which ensured security and confidentiality. (35) The main focus of the Kennedy-Kassebaum Bill was on its insurance provisions, but recently the focus of HIPAA has shifted to addressing privacy and security concerns in healthcare. (36)

    2. HIPAA Before its "Rules"

      Initially, HIPAA consisted of five main objectives: (1) protecting health insurance coverage for those who changed or lost their jobs; (2) preventing healthcare-related fraud and abuse; (3) establishing guidelines for pre-tax medical spending accounts; (4) establishing guidelines for group health plans; and (5) governing company-owned life insurance policies. (37) Yet, only "covered entities" and their business associates are required to follow HIPAA regulations. (38) Since its enactment, HIPAA has undergone numerous revisions to account for advancement in electronic healthcare technology. (39) However, despite the purpose of these amendments, HIPAA was not originally designed with the intent to protect against harms caused by electronic healthcare systems. (40) Over the years, HIPAA has grown to include numerous Rules: (1) the Privacy Rule; (2) the Security Rule; (3) the Enforcement Rule; (4) the Omnibus Rule; and (5) the Breach Notification Rule. (41) These Rules are specifically tailored towards improving the technological standards within the healthcare system. (42)

    3. The First Set of Technology-Based Rules: The Privacy and Security Rules

      The Privacy Rule was one of the first major technology-based revisions that the HHS has made to HIPAA. (43) At the time of the proposal of the Privacy Rule, patients were concerned with lost privacy of their healthcare information both within and outside of the healthcare system. (44) At the same time, the individual states had varying and inconsistent privacy standards, and the Privacy Rule was intended to make "a clear and consistent set of privacy standards [that] would improve the effectiveness and the efficiency of the health care system." (45) This new revision to HIPAA was designed to reduce the concerns about the risk of disclosure or improper use of information that came from using electronic records instead of paper. (46) At the same time, the HSS still wanted the benefits that came from using electronic information despite its risks. (47)

      As it stands now, the Privacy Rule sets specific standards for healthcare plans, healthcare associates, healthcare clearinghouses, and other healthcare providers who transmit health records electronically ("covered entities"). (48) Yet, for healthcare providers, the use of electronic transmissions, alone, is not enough to qualify the provider as a covered entity. (49) Instead, they must additionally "transmit health information electronically in connection with a 'standard transaction.'" (50) Additionally, covered entities can elect to be a "hybrid entity," and thus may be held to all of the HIPAA requirements. (51) Nonetheless, even if a healthcare provider seeks third-party assistance during the electronic transmission of patients' health information, not only must they still follow the standards set forth by HIPAA, they are also still responsible for meeting the requirements under the Privacy Rule. (52)

      The Privacy Rule specifically covers "individually identifiable health information" or "protected health information" ("PHI"). (53) Protected patients' health information held by a covered entity must be disclosed both when an individual requests access to their own records, as well as when the HHS requests access in furtherance of a compliance investigation or enforcement action. (54) Yet, a covered entity may, without the consent of the individual, disclose or use PHI if it involves a "health care operation." (55) If use is permitted, the health information must be limited to what is "[minimally] necessary" for the covered entity "to accomplish the intended purpose of the use, disclosure or request." (56) Further, the covered entity must give notice of their privacy practices to the individual whose medical information is being or can be used. (57) The Privacy Rule also establishes that covered entities need to have reasonable safeguards in place to protect that information. (58)

      Another notable revision that the HSS made to HIPAA was the Security Standards for the Protection of Electronic Protected Health Information ("Security Rule"). (59) Similar to the Privacy Rule's PHIs, the Security Rule established standards for covered entities to protect individuals' electronic protected health information ("e-PHI"). (60) Both the Security Rule and the Privacy Rule had similar goals: allowing technology to make healthcare more efficient, while still protecting the privacy of individual's healthcare information. (61) Unlike the Privacy Rule, however, the Security Rule designed to specifically cater to electronically-stored health information. (62)

      The Security Rule had two main approaches for its safeguard standards. (63) First...

To continue reading

FREE SIGN UP