August 2024 marked 28 years since the Health Insurance Portability and Accountability Act (HIPAA) became law — a landmark regulation that safeguards patient data across the U.S. healthcare system. Over nearly three decades, HIPAA has continuously evolved, adapting to emerging technologies and ever-changing cybersecurity threats to keep patient information secure.

A Brief History of HIPAA (and the Role of Cybersecurity)

HIPAA was signed into law in 1996 with two key purposes: to ensure individuals could maintain their health insurance coverage when transitioning between jobs (portability) and to protect the privacy and security of health information (accountability). The latter has become increasingly important in the digital age as healthcare entities have adopted electronic health records (EHRs) and other digital systems.

Cybersecurity has also become a focus of HIPAA thanks to the skyrocketing number of cyberattacks targeting the healthcare sector. The HIPAA Security Rule, published in 2003, outlines specific safeguards covered entities must implement to protect electronic protected health information (ePHI). These include administrative, physical, and technical safeguards like encryption, user access controls, and regular security audits. As cyber threats have grown, so too have the penalties for non-compliance with HIPAA’s security requirements.

Recent Changes

In recent years, HIPAA has undergone several updates to enhance patient rights, increase data security, and adapt to the growing use of digital health technologies.

HHS modifies the HIPAA Privacy Rule

On April 26, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule modifying HIPAA’s Privacy Rule to enhance protections for reproductive health information. These changes, part of the Biden-Harris Administration’s response to the Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision, limit the circumstances under which healthcare providers can share reproductive health data, particularly in cases involving legal proceedings related to seeking or providing lawful reproductive care.

The rule, which received tens of thousands of public comments, primarily seeks to ensure people feel safe accessing reproductive health services and aren’t afraid of privacy violations. Effective June 25, 2024, with full compliance required by December 22, 2024, the amendments will prevent the use of health data for law enforcement investigations in states where reproductive health services remain legal. Covered entities must update their privacy policies and practices to reflect these new protections.

Telehealth adjustments during COVID-19

During COVID-19, telehealth services became essential, prompting the temporary relaxation of certain HIPAA rules to enable remote care. These allowances permitted healthcare providers to use non-HIPAA-compliant platforms like Zoom and Skype.

This temporary relaxation ensured that healthcare providers would not face penalties for HIPAA Privacy, Security, and Breach Notification Rule violations if those violations occurred during the good-faith delivery of telehealth services during the COVID-19 national public health emergency.

The Cost of HIPAA Failures

HIPAA violations are not uncommon. The Office for Civil Rights (OCR), which acts as the watchdog for HIPAA compliance, has imposed hefty fines on those found to have violated the standards.

One of the most notable HIPAA violations happened when health insurer Anthem experienced a massive data breach affecting nearly 79 million people. In 2023, the company was fined a whopping $16 million by the OCR — one of the largest HIPAA settlements to date. This breach highlighted the vulnerabilities healthcare providers face from cyberattacks as well as the importance of proactive cybersecurity measures.

Another newsworthy violation involved New York-Presbyterian Hospital, which permitted TV crews to film patients without their consent, violating the Privacy Rule. The hospital settled for $3.1 million in 2023, again emphasizing that patient consent is critical, even in media-related situations.

Common Misperceptions & Misinformation about HIPAA

Despite its long-standing presence, HIPAA is widely misunderstood. A frequent misconception is that it governs all organizations handling health data. In truth, HIPAA applies only to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and their business associates. Organizations outside these categories are not subject to HIPAA, even if they manage health-related information.

Another common misunderstanding is that HIPAA strictly prohibits any sharing of health information without patient consent. While HIPAA imposes rigorous controls on the use and disclosure of protected health information (PHI), it explicitly allows sharing in specific, legally sanctioned circumstances — such as for treatment, payment, healthcare operations, or when required by law.

Finally, many assume HIPAA violations occur solely when information is shared without consent. In reality, violations can also stem from failing to provide patients timely access to their records or from inadequate safeguards for electronic PHI (ePHI). HIPAA’s reach extends beyond consent, encompassing comprehensive protections to ensure patient data is both accessible and secure.

Proposed Changes

Looking ahead, the changes to the HIPAA Privacy Rule proposed in 2024 would reshape the landscape of healthcare privacy and data protection even further. Updates worth mentioning include:

  • Patients will be able to inspect and photograph their PHI in person.
  • Healthcare providers will have to respond to records requests within 15 days instead of the current 30-day window.
  • The definition of EHRs will be broadened to include billing records.
  • Covered entities will need to post fee schedules on their websites to provide access to PHI, improving transparency.

Moreover, the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR are proposing updates to better align HIPAA with Part 2 regulations, which protect the privacy of substance use disorder records. These changes aim to ease the complexity of compliance and improve care coordination without compromising the heightened protections for sensitive health information.

Healthcare firms have until February 2026 to comply with the Final Rule, but they can begin benefiting from its new flexibilities immediately.

Future Directions: The Next Chapter for HIPAA

As healthcare continues its rapid digital transformation, HIPAA must evolve to meet emerging privacy and security challenges. Innovations such as artificial intelligence, telehealth, and other advanced technologies are creating new questions about data protection, and upcoming updates are expected to address these critical areas.

For healthcare organizations, staying ahead of HIPAA changes is critical. The proposed 2024 updates aim to streamline administrative processes while simultaneously strengthening requirements for patient access to health information. Compliance will demand careful planning, staff training, and updated operational workflows.

With cyber threats increasingly targeting the healthcare sector, HIPAA’s role in safeguarding patient data remains more vital than ever. It ensures that health information is both secure and accessible, preserving trust in the healthcare system as technology continues to evolve.

Learn more on how Fortra’s Alert Logic can collaborate with you on your HIPAA compliance strategy.


About the Author
Kirsten Doyle
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data center.
