The Limited Reach of the HIPAA Security Rule


A comprehensive legal mandate for health data holders could better protect electronic health information.


The HIPAA Security Rule is far less familiar to the public than the HIPAA Privacy Rule, but it is equally important. Unlike the Privacy Rule, the Security Rule focuses on data security, which refers to mechanisms and practices that prevent unauthorized individuals from accessing patient medical records.

Although the Security Rule protects patient data, its scope is restricted because of the narrow range of entities that it covers. As health-related data proliferate at an accelerating pace, the rule's narrow range creates an increasingly troubling regulatory gap.

The Security Rule went into effect in 2005, two years after the Privacy Rule. It delineates administrative, physical, and technical safeguards to promote the confidentiality, integrity, and availability of electronic health information (EHI).

The Security Rule requires various administrative, physical, and technical safeguards designed to protect EHI.

For instance, the rule’s administrative safeguard standards include security management processes and workforce security, such as clearance procedures, information access management, security awareness and training, security incident procedures, and contingency plans.

Its physical safeguards focus on facility access controls, workstation security, and device and media controls.

Its technical safeguards include procedures to control access to EHI, such as encryption, auditing activities associated with processing EHI, preventing improper EHI modification or elimination, and authenticating the identity of those seeking EHI access.

The Security Rule, however, does not govern all actors who store or process EHI. Originally, it covered only health plans, health care clearinghouses, and health care providers that transmit health information electronically for purposes of HIPAA-relevant transactions.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) extended coverage to these entities' business associates, such as organizations that assist with billing or administrative matters. The U.S. Department of Health and Human Services (HHS) has developed an extensive list of resources to help organizations achieve regulatory compliance.

The HITECH Act also added breach notification provisions to HIPAA. Covered entities that experience hacking or other privacy breaches of unsecured data must notify affected individuals and HHS. In the case of breaches involving over 500 residents of a state or jurisdiction, these entities must notify the media as well. The breach notification requirement provides an added incentive for entities to safeguard data security, but civil and criminal penalties can also be imposed for Security Rule violations.

Health data circulate broadly outside of the health care field, though, which exacerbates the limitations of the Security Rule.

For instance, employers often conduct employment-related medical examinations and offer wellness programs. Life, disability, and long-term care insurers collect health data in the process of assessing applicants.

In addition, various websites and social media applications store data that individuals voluntarily upload. For example, WebMD’s Symptom Checker asks users to provide details about their age, sex, zip code, email, and symptoms to suggest potential health conditions and treatments.

People freely post details of their health habits, diagnoses, and other medical information on Facebook and elsewhere.

Furthermore, an entire industry of data brokers has emerged in recent years in response to the proliferation of health data, with as many as 4,000 such brokers in existence around the world.

Data brokers collect and purchase information about individuals, process it, and then sell data to interested third parties. Data brokers are known to gather details from records relating to criminal convictions, online purchasing, retail loyalty programs, voter registration, and more. They may use information to develop risk scores indicating data subjects’ likelihood of becoming addicted to opioids or becoming seriously ill and sell them to health care providers. Data brokers also sell information to marketers who use it to tailor advertising to people’s individual health needs and preferences.

Furthermore, entities that are not covered by the Security Rule are not required to implement its security safeguards. Although other confidentiality mandates may apply, non-covered entities are not bound by the Security Rule’s detailed security standards.

For example, the Americans with Disabilities Act’s medical examinations and inquiries provision instructs employers to maintain confidentiality with respect to medical information that they possess. It provides no guidance, however, as to how confidentiality is to be protected. Employers are thus left to their own devices and are not obligated to implement any of HIPAA’s administrative, physical, or technical safeguards.

Health care institutions also experience data breaches all too often, as attackers become increasingly aggressive and sophisticated. According to one report, there were 599 such breaches in 2020, a startling 55.1 percent increase over 2019, with those breaches affecting over 26 million individuals.

Many more breaches, however, occur outside the health care field. One source estimates that almost 300 million consumers had their personally identifiable information exposed in 2020. And the pace has not slowed in 2021. Data broker activity is particularly vulnerable to data breaches because of careless security practices.

The Security Rule provides no guaranteed mechanisms to avoid data breaches, but it does furnish guidance, oversight, and accountability. Because so much health information flows outside of the medical realm, the rule’s regulatory scope must be broadened, as I have argued in other work. The Security Rule should apply to any entity that stores or processes electronic health data for business purposes.

To further promote data protection, the government and data security industry must continue to develop tools and guidance for health data holders. These entities in turn must remain vigilant and meticulous about security measures to minimize the success of attackers.

Businesses are generally motivated to avoid data breaches. Large breaches can lead to adverse publicity, embarrassment, and loss of customers. A comprehensive legal mandate, however, could provide vital guidance to entities that lack security expertise. It could also induce all EHI data holders to make investing in proper security measures and combating the growing trend of health data theft a top priority.

Sharona Hoffman

Sharona Hoffman is a professor of law and bioethics and co-director of the Law-Medicine Center at Case Western Reserve University School of Law.

This essay is part of a six-part series, entitled Reflecting on 25 Years of HIPAA.