Chapter 1: HIPAA Past, Present, and Future


OVERVIEW

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (42 U.S.C. 1320d-2) authorized the Secretary of Health and Human Services to provide Congress with regulations mandating standards for the security and privacy of patient medical records. The Society of Professional Journalists has taken the position that this is bad news for them, which only illustrates the imperative necessity of this new law. Who the heck wants their personal medical information published for public scrutiny under the simulacrum of news? On a similar note, who would want insurance companies to have access to historical personal medical information for the purpose of attaching surcharges to health insurance premiums? Worse yet, who would want a hacker or personal enemy to log in to a computer system and modify medication prescriptions for the purpose of personal injury and foul play? The potential medical record disaster scenarios are seemingly endless.

In the good ol' days, when we could count on Norman Rockwell to depict Americana according to assumed values of righteousness, the idea of medical record impropriety was not much of a concern. Patient records were once all stored on paper files, in ye olde standard metal file cabinets that may or may not have had locks on them. No one could actually access patient records unless they walked into the doctor's office during business hours and had a professional or personal reason for doing so. What has changed is that with the momentum of the Internet, patient records can be accessed and electronically transmitted around the clock, 365 days of the year. Unless they are transmitted over secured communication lines, patient records are available to any miscreant who takes the time to set up a sniffer or protocol analyzer to capture the data while it is in transit for legitimate purposes. Only 30 years ago, patient records were accessible mostly through paper files. This means that if someone wanted to view your medical records, they would have to walk into your doctor's office and convince the administrative staff in person to hand over the files. That physical hurdle was, in itself, enough of a bother to serve as the assumed and accepted standard of medical record security for an era.

The Norman Rockwell days have come and gone, and today doctors have the ability to e-mail radiographs (digital X-rays) around the world. While many mail servers may not accept large image files today, in time they will, and digital vaults and file transfer applications already offer that capability. As biotechnology gains momentum, more and more patient image files and scans will be available digitally. We don't even know yet the possibilities that exist for personal health digital images. It could be that in the future, someone could have a DNA scan and within a matter of minutes have a read-out of the probability percentages for falling victim to a whole library of terminal diseases. Health insurance companies would wrangle that information out of any person, facility, or database if they could. One of the goals of HIPAA was to protect health insurance coverage. And one of the ways of protecting health insurance coverage is to protect the personal medical information of patients.

The possibilities for exploiting future types of medical records that have not yet been developed are endless. We need to safeguard this information today, while we still have a chance to retain some personal privacy. Though it may seem like it is already too late, we are just at the beginning of a bio-technical revolution, and in the future the digital records available about our personal bodies will be colossal. For increasing human lifespan and recovering from debilitating accidents and illnesses, digital imagery of personal medical information is fantastic and truly a stroke of fortune. Clearly we don't want to destroy the information that has been so carefully and gingerly developed over the years. The information itself is a godsend. But it can be used against us, and unless we protect it, it will be used against us for the wrong reasons.

In 1993 Senator Edward Kennedy (D-Massachusetts) and Senator Nancy Kassebaum (R-Kansas) introduced the bill that sought to prevent employees from losing their health insurance coverage when they changed employers. The Kennedy-Kassebaum bill did not include any language to suggest that medical records should be kept private, and it later lost momentum and stalled.

In October 1995, Senator Bob Bennett (R-Utah) introduced a bill (S. 1360) known as the Medical Records Confidentiality Act of 1995. In March of 1996, a House bill known as the Health Insurance Portability and Accountability Act (H.R. 3103) was introduced by House Ways and Means Committee Chairman Bill Archer (R-Texas); Representative Gary Condit (D-California) was also involved. A year later, the Medical Privacy in the Age of New Technologies Act of (H.R. 3482) was introduced by Representative Jim McDermott in May 1996. Our research has shown that the original idea of securing medical information was that of Senator Bob Bennett (R-Utah). (In September 2001, Senator Bennett introduced S. 1456, the Critical Infrastructure Information Security Act of 2001.) The timing of all these bills and concerns complemented each other, and instead of reinventing the wheel many times over, our lawmakers ironed out their differences and drafted a consolidated vision which evolved into what HIPAA is today.

HIPAA finally became known as Public Law 104-191 when it was signed by President Clinton on August 21, 1996. Our legislators had the foresight to anticipate all the unpropitious possibilities that could potentially arise with no laws to protect sensitive medical information. Though these legislators are not information technology professionals, their understanding of the potential for information security and privacy abuses, and their goal of preventing these abuses, is what created the initial impetus for the reforms set forth in this guide.

HIPAA, informally dubbed the Privacy Rule, first took effect on April 14, 2003. [1] There are civil and criminal penalties for violating the rule, with fines from $100.00 to $250,000.00 and the potential for up to 10 years in prison for certain violations. In other words, it's a serious law, and one that will keep the information technology department of any reputable hospital or doctor's office busy for a long time. While the Year 2000 (Y2K) problem was also significant, it came and went. HIPAA is not going away. It is here to stay, and as certification and accreditation of information systems matures, compliance with the sections of the U.S. Code related to medical records will only become more critical as time moves forward.

Generally speaking, HIPAA was given minimal coverage in the media up until issues of compliance came along. That's not surprising: positive developments do not usually make the news, because news is usually based on fear, uncertainty and doubt. Busting people, however, typically creates fear, and compliance has to do with busting the bad guys. Since compliance was not an issue until April 14, 2003, it's no wonder that HIPAA is only recently starting to get the attention it has deserved all along. Without a sound information technology HIPAA program, errors will be made and organizations not in compliance will pay heavy fines. HIPAA is one of the first laws that actually gives hackers (or unauthorized users) somewhat of a break, and puts the onus of keeping information secure on the rightful custodian.

We expect that by using this guide, fewer organizations will suffer the wrath of non-compliance penalties, and innocent patients will not have their medical information exposed. HIPAA is good for everyone, though surely it will complicate the reporting of certain events that reporters would like to suggest are 'news.' The truth of the matter is that news is simply information, and as time goes on, various folks are going to start claiming ownership of that information. HIPAA is the beginning of the general public being granted ownership of their private personal information. According to a recent article in Quill, published by the Society of Professional Journalists, 'HIPAA has basically taken a big chunk of what normally was considered a piece of the public domain.'

Surely new bills will continue to be introduced, with other groups of people claiming ownership of other, different, information. Particularly in America, where businesses and individuals run their lives by incessant and sometimes ridiculous litigious hippodromes, rest assured that all information will someday be owned through legislative initiatives. As ownership of information gains momentum, it will become more and more difficult for reporters to distinguish between news events and private information. Information that is owned, after all, is private. To follow the law and not publish private information, news stories will likely become more generic, and probably more boring. Huge, expensive efforts will be undertaken to secure private information, and clever new certification and privacy tools will emerge. SANS hopes that this guide will assist information technology practices in navigating their way through the mires of HIPAA.

[1] http://www.hhs.gov/news/facts/privacy.html

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181