Homework Number Four

In 2023, the U.S. is experiencing a significant shift in data privacy laws, moving from a harms-prevention-based approach to a rights-based framework similar to the EU's GDPR. Several states, including California, Colorado, Connecticut, Utah, and Virginia, are implementing new privacy statutes that grant individuals greater control over their personal information. This transformation reflects a growing recognition of data privacy as a fundamental right and is expected to influence future legislation across the country.
U.S. data privacy laws to enter new era in 2023
By Fredric D. Bellamy, January 12, 2023, 7:21 AM PST

January 12, 2023 - The year 2023 will go down in history as marking the beginning of a profound shift in the philosophy underlying data privacy laws in the United States. Historically, data privacy laws here have been rooted in a "harms-prevention-based" hodgepodge of privacy protections, seeking to prevent or mitigate harms in specific sectors. In contrast, under the broader "rights-based" approach exemplified by the European Union's General Data Protection Regulation (GDPR), individuals effectively own their personal information and thus presumptively have the legal right to control it, and who can use it is a matter for them to decide.

Following California's lead, four other states (Colorado, Connecticut, Utah, and Virginia) will begin enforcing new GDPR-inspired statutes in 2023. More states are sure to follow. The implications of this fundamental shift in the underlying philosophical framework regarding data privacy protection will be profound in the years and decades to come.

2023 will mark the shift

The United States has historically allowed businesses and institutions to collect personal information without express consent, while regulating those uses to prevent or mitigate harms in specific sectors. Examples include health care (Health Insurance Portability and Accountability Act (HIPAA)), education (Family Educational Rights and Privacy Act (FERPA)), children (Children's Online Privacy Protection Act (COPPA)), and other sectors, at both the federal and state levels. Statutes such as these create rules applicable to specific industries and types of institutions. These rules protect against and prevent misuse of certain categories of personal information.
Consistent with their underlying philosophy to allow collection and uses of personal information but prevent harms, these rules impose restrictions on industries and institutions regarding their handling of personal information.

In contrast to this harms-prevention-based philosophy, countries in the European Union (EU) have long pursued a rights-based regime for protecting personal information. Historically, this philosophy holds that data privacy is a fundamental human right. Individuals effectively own their personal information, and who can use it is a matter for them to decide.

This differing worldview of the right to privacy has roots in Europeans' historical experience in suffering through the infamous data collection of the Nazis, who collected and catalogued information regarding individuals' ancestry and affiliations (among other facts) and used it in committing atrocities. The enormity of these crimes against humanity was followed by the similar collection of data by the formerly communist East Germany's secret police. This tragic history resulted in the understandable necessity of regulating the collection, storage, and usage of personal information.

In 1970, the German state of Hesse enacted the world's first data protection law, decades before the Internet and the World Wide Web became ubiquitous. In 1978, Germany adopted its Federal Data Protection Act. And in 1983, the German Federal Constitutional Court held that each person has a constitutional right to "informational self-determination."

With this historical background in Europe, and Germany acting as a leader in developing data privacy laws, by 2016 the EU recognized the need for a modernized approach to data privacy. This recognition arose in light of advancements in information technology and the accelerating use of personal data in a globally interconnected world. Accordingly, the EU adopted the General Data Protection Regulation (GDPR).
The GDPR, which became enforceable in 2018, codified several key principles reflecting the Europeans' human-rights-based philosophical foundation for data privacy protection. Understanding the underlying principles codified in the GDPR is useful in understanding what is going on with the new data privacy statutes slated to go into effect in the coming weeks and months of 2023.

The new laws coming online in 2023 in California, Colorado, Connecticut, Utah, and Virginia (and in the additional states likely to follow in their footsteps in the coming years) reflect the influence of GDPR's rights-based philosophical framework. These new laws represent a comprehensive approach to privacy protection, applying to businesses across numerous sectors, in addition to the sector-specific laws that remain in place.

GDPR distinguishes between "data controllers" and "data processors." Data controllers, as the name suggests, are the businesses and entities that control the collection and use of the data: the data controllers decide what to do with data. Data processors carry out the instructions provided by the data controllers. The obligations that apply to data controllers and their responsibilities differ from those that apply to the data processors. The new state data privacy laws contain this distinction and approach.

GDPR sets forth several rights of individuals with respect to their personal information. The specific rights that apply depend on the type of data, especially data deemed highly sensitive. Details among the U.S. laws differ, but basically the rights parallel those originally established in the GDPR. These rights include the following:

- Access: individuals have the right to request access to inspect their personal information.
- Correction: individuals have the right to request that errors in their personal information be corrected.
- Portability: individuals have the right to request that their personal information be transferred to another entity.
- Erasure: individuals have the right to request that their personal information be deleted.
- Consent: individuals have the right to decide whether their personal information may be sold or whether it may be used for purposes of receiving targeted advertising.
- Appeal: individuals have the right to appeal a business's denial of their request.

In addition to providing for these rights for individuals (called "data subjects" in GDPR's parlance), GDPR lays out certain governing principles. These principles include the following:

- Privacy or data protection by design: the data management system should be designed with privacy protection in mind (including data mapping, so you know what data are stored where, and the protections are appropriate to the level of sensitivity of the data).
- Record-keeping: adequate records should be maintained regarding the collection, processing, and use of data.
- Data minimization: personal information, especially that which is sensitive, should be kept, if at all, only long enough to serve its purposes. If the data aren't stored, then they can't be stolen by hackers in a breach.
- Transparency, informed consent, and legitimate uses: personal information should be used with informed consent from the data subjects, in a way that is understandable to them, and only for legitimate uses allowed under law.
- Data protection officers and data protection impact assessments: trained personnel should be monitoring compliance with privacy protection requirements, and data protection should be assessed using appropriate risk-management principles.
- Best cybersecurity practices: data should be protected using best practices for cybersecurity to minimize the risks of data breaches, including appropriate physical as well as technological defenses.
- Data breach notifications: in the event of data breaches, a tested incident response plan should be in place to ensure that appropriate notifications can be delivered in a timely manner under the different deadlines applicable under law.
- Employee training: employees should be trained in privacy protection practices pursuant to well-designed policies, and employee access to sensitive personal information should be limited to mitigate risks.
- Requiring appropriate contractual language: contract provisions regarding data and privacy protection should be used to ensure that vendors and contractors are also guarding against misuses and breaches of personal information.

The foregoing lists of rights and legal principles are not exhaustive; GDPR's 99 articles contain much more. But becoming familiar with them helps in examining the rapidly evolving data privacy laws in the U.S. and in anticipating the new ones to come.

Here is a list of the new state data privacy statutes slated to come online in 2023:

(1) Most of the provisions of the California Privacy Rights Act (CPRA) become effective on Jan. 1, 2023. CPRA amended the California Consumer Privacy Act (CCPA), which had already created a number of individual rights modeled after the GDPR. CPRA created a new state agency, like the data protection agencies in the EU countries charged with enforcing the GDPR.

(2) The Colorado Privacy Act (CPA) becomes effective on July 1, 2023. In addition to creating rights patterned after the individual rights under GDPR, CPA requires data security and contract provisions for vendors and assessments for "high-risk" processing.

(3) The Connecticut Data Privacy Act (CDPA), like Colorado's new privacy law, goes into effect on July 1, 2023. CDPA likewise creates a suite of GDPR-like individual rights, and requires data minimization, security, and assessments for "high-risk" processing.

(4) The Utah Consumer Privacy Act (UCPA) becomes effective on Dec. 31, 2023.
It provides for certain GDPR-like individual rights and also requires data security and contract provisions. But UCPA does not include expressly required risk assessments.

(5) The Virginia Consumer Data Privacy Act (VCDPA) becomes effective Jan. 1, 2023. It provides for certain GDPR-like individual rights. But in 2022, the "right-to-delete" was replaced with a right to opt out from certain processing.

While these new state statutes are intended to be comprehensive in scope, they contain certain carve-outs for data already protected under other laws, such as HIPAA. The statutes vary with respect to their reach, based on businesses that hit certain revenue thresholds or based on the number of residents, consumers, households, or devices with data in the applicable state. Each statute is different and should be carefully analyzed as to its scope, requirements, potential liabilities and penalties, and its means of enforcement. However, an understanding of what these new laws are getting at, and where they are coming from, will create a foundation from which to analyze and understand their requirements, and those from new laws yet to come. Data privacy laws in this country (and around the world) are changing more in 2023, and there will be no looking back.

Examples of data privacy laws include:

- Privacy Act: Governs the collection, use, and dissemination of personally identifiable information (PII) held by federal agencies in the United States.
- Health Insurance Portability and Accountability Act (HIPAA): Protects sensitive health information.
- Children's Online Privacy Protection Act (COPPA): Focuses on protecting children's privacy online.
- Gramm-Leach-Bliley Act (GLBA): Regulates financial institutions' handling of customer data.
- Fair and Accurate Credit Transactions Act (FACTA): Addresses credit reporting and consumer financial information.
- California Consumer Privacy Act (CCPA): Provides privacy rights for California residents.
- New York SHIELD Act and Massachusetts Data Protection Law: State-level laws aimed at data protection.

Here are some of the most important data privacy laws in the United States and their purposes, explained.

Key Facts

The United States has various federal and state laws that cover different aspects of data privacy, like health data, financial information or data collected from children.

Data privacy in the United States is notably different than in the European Union, which has a comprehensive data privacy law, the General Data Protection Regulation, though some states have passed their own comprehensive data privacy laws that have drawn comparisons to the EU system.

Since data collected by many companies is unregulated in most states, these companies can use, sell or share your data without notifying you.

Privacy Act of 1974

The Privacy Act of 1974 governs how federal agencies can collect and use data about individuals in their systems of records. The act prohibits agencies from disclosing personal information without written consent from the individual, subject to limited exceptions, including to the Census Bureau for statistical purposes. Individuals reserve the right to request their records, request a change to their records if they are inaccurate or incomplete, and to be protected against unwarranted invasion of their privacy.

Health Insurance Portability and Accountability Act (HIPAA)

President Bill Clinton signed HIPAA into law in 1996, creating standards for how healthcare providers can use a patient's personal health data.
HIPAA regulations only apply to "covered entities," which encompass providers (like doctors, nurses, psychologists and dentists), health plans (including healthcare insurance companies and government plans like Medicare) and healthcare clearinghouses, which process medical information. Under HIPAA guidelines, covered entities must comply with an individual's right to see their health information and to correct their health information, and covered entities cannot use or share health information without the individual's written consent. HIPAA is sometimes erroneously thought to be a more sweeping health privacy law that covers all of an individual's health data, Vox reported, but health information not shared with a covered entity is not subject to HIPAA regulation, meaning health data you share with a nutrition app or on social media would not be covered. Other institutions not considered covered entities that handle health information, like schools and employers, are not subject to HIPAA regulation but may be regulated by other laws.

The Gramm-Leach-Bliley Act

The GLBA, signed into law by Clinton in 1998, covers data privacy for financial institutions. The law requires these institutions, including "companies that offer consumers financial products or services like loans, financial or investment advice, or insurance," according to the Federal Trade Commission, to safeguard sensitive data and explain how it uses customer data. The law requires these institutions to have a policy in place to protect consumer data from security threats, and institutions must provide consumers with a privacy notice explaining what information is collected about the consumer and where it is shared, and it must inform the consumer of their right to opt out of the information being shared with unaffiliated parties.
Children's Online Privacy Protection Act

Signed into law in 1998, COPPA places limits on what companies can do with data collected about children under 13 years of age. Companies and websites that may collect data from children under 13 must post an online privacy policy that details their data practices and must obtain parental or guardian consent before collecting personal information from children. Parents must have the opportunity to access their child's data, review or delete it and prevent the company from collecting further data about their child. Companies must also maintain the confidentiality of data collected from children and must only keep it as long as necessary to fulfill the purpose for which it was collected. Because of COPPA's limits on data collection for children, some companies (notably, social media sites like Facebook and Twitter) require their users to verify they are 13 years of age or older when signing up.

California Consumer Privacy Act

Passed in 2018 and known as the strictest data privacy law in the country, the CCPA applies to a business that collects personal information about consumers and outlines specific rights consumers have. The CCPA allows consumers the right to know what personal information a business collects and to whom it is sold, the right to delete personal information collected by the business, the right to opt out of the sale of personal information and the right to nondiscriminatory treatment for exercising privacy rights. The CCPA was updated with a second act, the California Privacy Rights Act, which was passed in 2020 and took effect in 2023. This extended the rights of consumers to include the right to correct inaccurate data a business collected about them and the right to limit the use and disclosure of sensitive data.

HIPAA (Health Insurance Portability and Accountability Act) was created to:

- Improve the portability and accountability of health insurance coverage.
- Ensure continuity of coverage between jobs.
- Guarantee coverage for employees with pre-existing conditions.
- Prevent "job lock," where individuals stay in a job to avoid losing health benefits.
- Reduce waste, fraud, and abuse in the healthcare sector.
- Protect the privacy and security of individuals' health information.
- Establish standardized regulations for electronic health transactions.
- Mitigate potential discrimination based on pre-existing medical conditions.

HIPAA (Health Insurance Portability and Accountability Act) was signed into law on August 21, 1996. It was created to hold health care providers accountable for patient privacy. The legislation aimed to standardize health care transactions and make health care more efficient in the United States. The history of HIPAA dates back to the 1850s, when the health insurance industry consisted of a handful of companies offering accident insurance.

HIPAA History
Posted By Steve Alder on Jan 2, 2025

HIPAA History: Why was HIPAA Created?

Our HIPAA history lesson starts on August 21, 1996, when the Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law. HIPAA was created to "improve the portability and accountability of health insurance coverage" and the Act introduced several measures to ensure the continuity of coverage between jobs, guarantee coverage for employees with pre-existing conditions, and prevent "job lock" - a scenario in which plan members stayed in a job to avoid losing health benefits.

However, the measures introduced in the Act significantly increased costs for health insurers. To prevent the increased costs from being passed onto plan members and employers in the form of higher premiums, deductibles, and co-pays, Congress enacted further measures to combat waste, fraud, and abuse in health insurance and healthcare delivery, and to simplify the administration of health insurance transactions such as eligibility checks, authorizations, remittances, and payments.
As an increasing number of health insurance transactions were being conducted electronically, the Secretary for Health and Human Services (HHS) was instructed to develop standards to safeguard health information when it was maintained or transmitted electronically. The Secretary was also instructed to recommend standards for the privacy of individually identifiable health information. These instructions resulted in the HIPAA compliance guidelines of the Security and Privacy Rules.

The HIPAA Privacy and Security Rules Take Shape

Once HIPAA had been signed into law, the US Department of Health and Human Services set about creating the first HIPAA Privacy and Security Rules. The first "proposed" HIPAA Privacy Rule was published in November 1999; but, due to the volume of comments from stakeholders, the "final" HIPAA Privacy Rule was not published until August 2002. The HIPAA Privacy Rule defines Protected Health Information (PHI), stipulates permissible uses and disclosures, lists the circumstances in which an authorization is required, and gives individuals rights over their PHI. The HIPAA Privacy Rule had an effective compliance date of April 14, 2003.

The HIPAA Security Rule took even longer to progress from "proposed" to "final". First "proposed" in August 1998, it was not until February 2003 that the "final" Rule was published; and, due to the number of implementation specifications, organizations were given longer to comply with the standards, the effective date of the HIPAA Security Rule being April 21, 2005.
Dealing with the subset of PHI that is created, collected, used, maintained, or transmitted electronically (ePHI), the HIPAA Security Rule includes three sets of safeguards that must be complied with by covered entities and business associates:

- Administrative: covering topics such as risk analyses, workforce clearance, security training, access management, and contingency planning.
- Physical: covering topics such as physical access to devices maintaining ePHI, device security, data back-ups, and the secure disposal of data and devices.
- Technical: covering topics such as password management, automatic logoff, data encryption, audit controls, and transmission security.

When Did HIPAA Go into Effect?

The HIPAA effective date varies by provision. Many of the provisions in Title I (the title relating to the portability and accountability of health insurance coverage) went into effect within a year, while some of the tax-related provisions in Titles II and V were effective immediately. The first two "Administrative Simplification Rules" (the HIPAA Privacy and Security Rules) evolved from Title II of HIPAA, and each had a different HIPAA effective date depending on the size and nature of the organization. For example:

- The HIPAA Privacy Rule became effective in April 2003 for most organizations. However, small health plans were given an extension of one year, and the HIPAA Privacy Rule became effective for small health plans in April 2004.
- The HIPAA Security Rule became effective in April 2005 for most organizations. However, small health plans were again given an extension of one year, and the HIPAA Security Rule became effective for small health plans in April 2006.
The HIPAA Breach Notification Rule became effective on September 23, 2009, regardless of the size or nature of the organization, and there was no distinction between compliance capabilities in March 2013 when the Omnibus HIPAA Final Rule made changes to the HIPAA Privacy and Security Rules as required by the HITECH Act, although covered entities and business associates were not required to comply until September 2013.

The Introduction of the Enforcement Rule

Although the Department of Health and Human Services already had the authority to investigate complaints against covered entities for failing to comply with the HIPAA Privacy Rule, the Enforcement Rule of March 2006 explained how the agency would conduct investigations and issue civil monetary penalties if a suitable resolution could not be achieved by voluntary compliance. The Enforcement Rule also expanded the compliance and investigation provisions to all the HIPAA Rules, rather than just the HIPAA Privacy Rule. The authority to investigate complaints related to the HIPAA Privacy and Security Rules (and later the HIPAA Breach Notification Rule) was delegated to HHS' Office for Civil Rights (OCR), while the authority to investigate complaints related to the Administrative Requirements (Part 162) was delegated to HHS' Centers for Medicare and Medicaid Services (CMS).

HITECH 2009 and the Breach Notification Rule

HIPAA history continued in 2009 with the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH had the primary goal of incentivizing healthcare providers to implement Electronic Health Records (EHRs) by introducing the Meaningful Use incentive program. Stage one of Meaningful Use was rolled out the following year and continued until 2018, when it was replaced with the Promoting Interoperability Program.
With the incentive program also came an extension of HIPAA Rules to business associates and third-party suppliers to covered entities, and the introduction of the HIPAA Breach Notification Rule, a Rule that stipulated all breaches of PHI must be notified to affected individuals and to the Department of Health and Human Services' Office for Civil Rights. The criteria for reporting breaches of ePHI were subsequently extended in the Omnibus HIPAA Final Rule of March 2013.

The Omnibus HIPAA Final Rule of 2013

One of the most significant events in HIPAA history was the Omnibus HIPAA Final Rule of 2013. The Rule barely introduced any new legislation but filled gaps in existing HIPAA standards, for example by specifying the encryption standards that need to be applied in order to render ePHI unusable, undecipherable, and unreadable in the event of a breach. Many definitions were amended or added to clear up grey areas; for example, the definition of "workforce" was amended to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of the covered entity or business associate.

The HIPAA Privacy and Security Rules were also amended to allow patients' health information to be held indefinitely (the previous legislation had stipulated it be held for fifty years), while new procedures were written into the Breach Notification Rule. New penalties were also applied, as dictated by HITECH, to covered entities that fell afoul of the HIPAA Enforcement Rule.

HIPAA History Timeline

- August 1996: HIPAA signed into law by President Bill Clinton.
- April 2003: Effective date of the HIPAA Privacy Rule.
- April 2005: Effective date of the HIPAA Security Rule.
- March 2006: Effective date of the HIPAA Enforcement Rule.
- September 2009: Effective date of the Breach Notification Rule.
- March 2013: Effective date of the Final Omnibus Rule.
In certain circumstances, covered entities and business associates were given an extended period to comply with the provisions of each Rule. For example, although the effective date of the Omnibus HIPAA Final Rule was March 2013, covered entities and business associates were allowed 180 days to comply. Further key dates in HIPAA history can be found in our infographic below.

Consequences of the Omnibus HIPAA Final Rule

What the Omnibus HIPAA Final Rule achieved more than any previous rulemaking was to make covered entities and business associates more aware of the HIPAA safeguards they had to adhere to. Many healthcare organizations, who had been in breach of HIPAA for almost a decade, paid closer attention to the requirements of the HIPAA Privacy Rule, invested in technology to better protect ePHI, and trained members of the workforce on HIPAA policies and procedures and security awareness. The financial penalties that could now be imposed for data breaches, along with the colossal costs of issuing breach notifications, providing credit monitoring services, and conducting damage mitigation, made investments in new technology to protect data and workforce compliance appear cheap by comparison.

[Infographic: HIPAA Breach Costs. Legible item labels: Remediation; Temporary Identity Theft Prevention / Credit Monitoring; Breach Notification Letters; Regulatory Fines; Attorney Generals' Offices; Class Action Lawsuits; Lost Business / Loss of Reputation; Website/Helpline for Breach Victims.]

The HIPAA Compliance Audit Program

In 2011, HHS' Office for Civil Rights (OCR) commenced a series of pilot HIPAA compliance audits to assess how well healthcare providers were implementing the HIPAA Privacy and Security Rules. The first round of audits was completed in 2012 and highlighted the dire state of compliance.
Audited organizations registered numerous violations of the HIPAA Breach Notification Rule, Privacy Rule, and Security Rule, with the latter resulting in the highest number of violations. OCR issued action plans to help those organizations achieve compliance; however, for the second round of audits, it is not expected to be as lenient. Audits are expected to target the specific areas that proved problematic for so many healthcare providers, while a permanent audit plan is being planned to ensure continued HIPAA compliance.

The age of lax security standards has now passed, and the healthcare industry, like the financial industry before it, must raise standards to ensure confidential data remains confidential. Any covered entity that does not implement the required controls faces financial penalties, sanctions, potential loss of Medicare eligibility, and even criminal proceedings for failing to secure PHI.

How to Achieve HIPAA Compliance

Our "HIPAA Compliance Checklist" covers the elements of the Health Insurance Portability and Accountability Act relating to the storage, transmission, and disposal of electronic Protected Health Information, the actions organizations must take in response to a breach, and the policies and procedures which must be adopted to achieve compliance.

HIPAA regulations may be strict, yet covered organizations are allowed some flexibility on the privacy and security safeguards used to protect data. Data encryption, for instance, must be addressed but not necessarily implemented if other controls provide the necessary protection. Some of the main technical safeguards used to protect and control ePHI help to streamline communication and information flow, and organizations that have adopted secure communications channels and implemented data controls have benefited from improved efficiency, faster response times, and improved patient outcomes, while ensuring that patient health data always remains fully protected.
More technical safeguards to secure ePHI and personal identifiers are no doubt in the planning stage now and will impact HIPAA history in the future. In the meantime, here is a brief HIPAA history timeline.

Why is HIPAA Important?
Posted By Steve Alder on Jan 10, 2025

HIPAA is important because, due to the passage of the Health Insurance Portability and Accountability Act, the Department of Health and Human Services was able to develop standards that protect the privacy of individually identifiable health information and the confidentiality, integrity, and availability of electronic Protected Health Information.

HIPAA was introduced in 1996, primarily to address one issue: insurance coverage for individuals between jobs and with pre-existing conditions. Without HIPAA, employees faced a potential loss of insurance coverage between jobs. Because of the cost of HIPAA's primary objective to health insurance companies, and the risk that the cost would be passed onto employers and individuals as higher premiums, Congress instructed the Secretary for Health and Human Services to develop standards that would reduce healthcare insurance fraud and simplify the administration of healthcare transactions.

Due to the increased number of transactions being conducted electronically, standards were also developed to protect the confidentiality, integrity, and availability of electronic Protected Health Information when it was collected, received, maintained and transmitted between healthcare providers, health plans, and healthcare clearinghouses. Further standards were developed to protect the privacy of individually identifiable health information (in any format) and to give individuals increased rights and control over their health information. The standards became known respectively as the HIPAA Security Rule and the HIPAA Privacy Rule.

Why is HIPAA Important for Healthcare Organizations?
HIPAA introduced a few important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure that Protected Health Information is shared securely.

The standards for recording health data and electronic transactions reduce the complexity of processing healthcare transactions. Since all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, this helps enormously with the transfer of electronic health information between healthcare providers, health plans, and other entities. HIPAA's training requirements are also important for healthcare providers as they provide a structure to which other healthcare training requirements can be attached, for example, combining HIPAA's contingency planning requirements for ePHI with CMS' Emergency Action Plan requirements.

Why is HIPAA Important for Patients?

Arguably, the greatest benefits of HIPAA are for patients. HIPAA compliance is important because it ensures that healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must implement multiple safeguards to protect sensitive personal and health information. While no healthcare organization wants to expose sensitive data or have health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data, and no repercussions if they failed to do so, potentially resulting in widespread medical identity theft.

HIPAA established rules that require healthcare organizations to control who has access to health data, restricting who can view health information and who that information can be shared with. HIPAA helps to ensure that any information disclosed to healthcare providers and health plans, or information that is created, transmitted, or stored by them, is subject to strict security controls. Patients are also given control over who their information is released to and who it is shared with.

HIPAA is important for patients who want to take a more active role in their healthcare and want to obtain copies of their health information. Even with great care, healthcare organizations can make mistakes when recording health information. If patients are able to obtain copies, they can check for errors and ensure mistakes are corrected. Obtaining copies of health information also helps patients when they seek treatment from new healthcare providers: information can be passed on, tests do not need to be repeated, and new healthcare providers have the entire health history of a patient to inform their decisions. Prior to the introduction of the HIPAA Privacy Rule, there were no requirements for healthcare organizations to release copies of patients' health information.

Why is HIPAA Important? FAQs

What might happen to healthcare data if it were not protected by HIPAA?

What might happen to healthcare data if it were not protected by HIPAA is that it could be stolen and used to commit healthcare fraud. Healthcare data is a valuable commodity on the black market because it can be used by uninsured or underinsured individuals to obtain expensive healthcare treatment. Healthcare fraud results in increased insurance costs, which are passed down to employers and individuals in the form of increased insurance premiums.

What are the financial benefits for healthcare providers of complying with HIPAA?
The financial benefits for healthcare providers of complying with HIPAA include better patient outcomes and higher satisfaction scores, increased staff morale and employee retention rates, and fewer readmissions, a key factor in avoiding CMS payment penalties under the Hospital Readmissions Reduction Program and other value-based initiatives.

Why is it important for healthcare professionals to comply with HIPAA?

It is important for healthcare professionals to comply with HIPAA to build a culture of trust with patients. If a patient feels that any confidential information shared with a healthcare professional will remain confidential, they are more likely to be forthcoming about health issues and the symptoms they are experiencing. With more information available to them, healthcare professionals can make better informed diagnoses and treatment decisions. This results in better patient outcomes, which leads to higher morale. Effectively, by complying with HIPAA, healthcare professionals enjoy more rewarding experiences and get more from their vocation.

If patients are unable to exercise their patients' rights allowed by HIPAA, what might happen?

If patients are unable to exercise their patients' rights allowed by HIPAA, the likely outcome will be a complaint to the Privacy Officer or HHS' Office for Civil Rights. This could result in a significant financial penalty and a time-consuming corrective action plan. Allowing patients to exercise their rights under HIPAA is important because it is not unheard of for mistakes to be made with patients' records that can result in misdiagnoses, the wrong treatment being provided, or the wrong medication being prescribed. By giving patients the right to inspect their medical records and make corrections when necessary, the risks of incorrect diagnoses, treatments, and medications are mitigated. Having access to their records can also help patients take more responsibility for their own wellbeing.
How do patients control who their information is released to and shared with?

Patients control who their information is released to and shared with by having the right to request privacy protection for protected health information (45 CFR §164.522). This right enables patients to request restrictions on how PHI is used and disclosed for treatment, payment, and health care operations, and for involvement in the individual's care and notification purposes.

HIPAA Privacy Rule unless a state law offers more stringent privacy protections or greater rights for individuals.

How does HIPAA protect sensitive health information?

HIPAA protects sensitive health information via regulations, standards, and implementation specifications. Covered entities and business associates are required to comply with applicable regulations, standards, and implementation specifications or potentially face a civil monetary penalty from HHS' Office for Civil Rights, even if no breach of unsecured PHI has occurred.

Who must comply with HIPAA rules?

Entities that must comply with HIPAA Rules include health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has developed standards (collectively known as "covered entities"). Businesses that provide services for or on behalf of covered entities that involve the use or disclosure of Protected Health Information are also required to comply with applicable HIPAA Rules.

Why is the HIPAA Breach Notification Rule important?

The HIPAA Breach Notification Rule is important because it requires covered entities and business associates to notify individuals when unsecured PHI has been accessed impermissibly, so that individuals can take steps to protect themselves against theft and fraud. The Rule is also important because it makes covered entities and business associates accountable for shortcomings in their compliance efforts.
How does HIPAA support the digitization of health records?

HIPAA supports the digitalization of health records by laying the foundations of a cybersecurity framework to protect electronic health records from unauthorized access. The framework enabled Congress to incentivize the digitalization of health records via the Meaningful Use Program (now the Promoting Interoperability Program), which in turn improved the flow of health information between healthcare providers.

How has HIPAA evolved to meet the changing needs of health information technology?

HIPAA has evolved to meet the changing needs of health information technology via several HIPAA updates. The biggest recent HIPAA update was the Omnibus HIPAA Final Rule in 2013. However, multiple changes to HIPAA have been proposed from 2020 onward, which would support the further evolution of HIPAA to meet the changing needs of health information technology.

How is compliance with HIPAA enforced?

Compliance with HIPAA is enforced by two offices within the Department of Health and Human Services: the Office for Civil Rights (responsible for compliance with Parts 160 and 164 of the HIPAA Administrative Simplification Regulations) and the Centers for Medicare and Medicaid Services (responsible for compliance with Part 162). The Federal Trade Commission also enforces compliance with HIPAA for health appliance vendors that do not qualify as HIPAA covered entities, but who are required to comply with the Health Breach Notification Rule under Section 5 of the FTC Act.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist in healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics.
Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.co

Why Was HIPAA Created? A Brief History of the HIPAA Law

April 1, 2019

HIPAA law is used in every pharmacy, medical office, health insurance company, and more. But did you know that the original goal of HIPAA was not to protect electronic patient information at all? How did HIPAA evolve into the laws that govern our protected health information? Why was HIPAA created, if not to hold providers accountable for patient privacy? Read on to discover the fascinating history of how our legal system has used HIPAA to adapt to the changing face of digital information.

Why Was HIPAA Created?

Though we know that the HIPAA of today deals with governing health privacy regulations, privacy was not the original intent of the HIPAA law. President Clinton signed the Health Insurance Portability and Accountability Act into law in August of 1996. The intent was to "improve the portability and accountability of health insurance coverage." The other provisions included sections on waste management, health insurance fraud, and abuse.
HIPAA also created tax breaks for medical savings accounts, pre-existing conditions coverage, and improved health insurance administration. Only after the passage of HIPAA was there a movement to streamline the digital conversion of patient medical files. These digital files needed protection from privacy violations.

The Evolution of Medical Privacy Laws

After HIPAA became law, the Health and Human Services Department created the first rules for Privacy and Security. As of April 14, 2003, HIPAA Privacy defined PHI (Protected Health Information) as "any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual." These privacy laws governed the use and sharing of PHI on a wide scale.

Although a young law, HIPAA forever changed the rights of patients and the way providers share information about them. The guidelines require permission for the use of patient health records. The patient must approve the sharing of their PHI with marketers, researchers, or fundraisers. Patients were also given the right to withhold private funding information from health insurers.

Digital Security in HIPAA

As of April 21, 2005, mandatory Security compliance also went into effect. This section of HIPAA deals with electronic PHI, creating safeguards to protect digital health records. The three safeguards created by HIPAA Security were physical, administrative, and technical. Physical safeguards control actual access to data storage areas, protecting against unauthorized access. Administrative safeguards created procedures designed to control how covered entities comply with HIPAA. And finally, technical safeguards govern the communication of PHI over electronic networks.

The Enforcement Rule

Covered entities were given significant lead times on gaining compliance.
Even so, their failure to adopt HIPAA policies led to the creation of the Enforcement Rule as of March 2006. Enforcement is a tool of the Department of Health and Human Services that allows for investigation of non-compliance. Under the Enforcement Rule, fines can be levied against entities who fail to enact the safeguards outlined in HIPAA law. The Office for Civil Rights can criminally charge offenders who don't correct violations within 30 days. Individuals can also bring civil charges for "serious harm" due to unauthorized PHI disclosure.

Additional Provisions

HIPAA laws expanded again in 2009 with the introduction of the Health Information Technology for Economic and Clinical Health Act, or HITECH. HITECH furthered the expansion and use of EHR, or electronic health records.

HIPAA regulations were in full compliance. The 2012 results of these audits made it clear that HIPAA violations were still an issue. As a result, the OCR created programs to help providers reach full HIPAA compliance. With the new penalties from the Omnibus, covered bodies risk serious penalties and sanctions. It is possible for these bodies to lose licensure and even face criminal charges for non-compliance.

Thanks to HIPAA improvements under the Omnibus, organizations under years of non-compliance are now taking action to comply with regulations. New software, encryption tools, and secure communications standards are making it easier for covered entities to follow compliance procedures and protect PHI. Omnibus also creates an incentive for companies to invest in compliance. Technology investment is far less costly than the price of HIPAA violations. Meanwhile, the OCR continues to develop auditing procedures that ensure entities are compliant.

Protecting Patient Health Information

Why was HIPAA created? For the last twenty years, the law has protected the privacy and well-being of individuals under HIPAA law.
Not only does the law serve to protect the health of Americans, but it also ensures that their constitutional right to privacy evolves. Our privacy needs are always changing to match the advances of the information age. Without HIPAA, PHI could be used without patient consent in research, sales, and more. HIPAA may be a model for how we deal with private data on platforms such as social media in the future. As our digital reach expands, so too must the laws that govern our rights as citizens.