20 Years of the HIPAA Security Rule: What Have We Learned?

HIPAA may be twenty-two years old, but the HIPAA Security Rule, which assures the security of confidential electronic patient information, hit its twenty-year mark just this year. HIPAA was signed into law in 1996 to protect Americans from losing health insurance coverage when changing jobs or dealing with a layoff and to protect the privacy and security of individual health information. Rules that govern HIPAA’s implementation requirements include the Privacy Rule and the Security Rule, which followed the initial rule 2 years later, in 1998.

The HIPAA Security Rule was established to protect any individual’s electronic personal health information created, received, used, or maintained by a covered entity. Covered entities must protect this information from unintended disclosures, which could occur as the result of any type of information breach, such as a ransomware attack, or through the sharing of information with an unintended recipient (by accidentally forwarding information, for example). Under the HIPAA Security Rule, safeguards must be in place to ensure electronically transmitted or stored protected health information (ePHI) is not compromised.

Although HIPAA has been a guiding force in how information is shared and protected throughout healthcare, it is important to note that a lot has changed in the past twenty years. The internet of things has evolved, blockchain has been introduced, and at the time the rule was passed, cell phones were still brand spanking new and texting was not yet a “thing”. These days, more and more healthcare organizations are turning to email, text messaging, messaging apps and social media to communicate with patients. So when we consider how technology has evolved, does the HIPAA Security Rule need a major update?

The important thing to also keep in mind when we consider questions like this is that rules do not always translate into practice. Making stricter rules may not necessarily result in better protection of ePHI.

If we take a brief glance at the news, the situation for healthcare security seems bleak. In 2017, 477 healthcare breaches affected 5.579 million patient records. In part, we hear about these breaches because healthcare compliance laws are so strict. However, these breaches highlight the need not necessarily for stricter laws or even updated rules, but for better prevention.

Yes, HIPAA should be updated to reflect more recent technological advances; however, focusing only on regulation is not enough for healthcare organizations to protect patient data. Human behavior and preventative training must be promoted and made accessible.

Patients live in a world where everything occurs on their phones, laptops, tablets and even wearables. They receive information through email, text messages and even social media today. This has likely contributed to the rise in healthcare breaches, and yet healthcare organizations need to be able to meet the communication preferences and demands of their patients.

Healthcare organizations should take advantage of new easy-to-use technologies that help them remain HIPAA compliant while also making it simple to securely handle ePHI. One such example is secure communication platforms like Vaporstream. These tools mimic the look and feel of SMS texting, making it easy for patients to use them, without compromising on security or compliance.


Contributor: The Vaporstream Team