Are HIPAA Rules Outdated and is an Update Overdue?

Are HIPAA Rules outdated? Is an update long overdue? An article recently published in the journal JAMIA explores potential updates to HIPAA to keep the legislation relevant.

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996 at a time when the Internet was in its infancy. Now, almost two decades later, a lot has changed. The majority of healthcare organizations have now switched from paper records and films to electronic forms of protected health information. ePHI is now being used and shared in ways that could not have been predicted in 1996, and the security risks to the confidentiality, integrity, and availability of ePHI and risks of patient privacy being violated have increased considerably.

If HIPAA Rules were written today, they would look very different. Privacy protections would need to cover a much wider range of uses of ePHI and HIPAA Rules would likely be extended to cover mobile health devices, telehealth services, and social media in more detail. Currently, HIPAA does cover these devices and uses of PHI, although there are notable gaps in HIPAA Rules. Many have been addressed with further rulemaking and guidance issued by the Office for Civil Rights (OCR), although not all.

HIPAA Rules may have been written many years ago, but the legislation does cover the appropriate core elements regarding the privacy of patients and security of their health information. HIPAA was deliberately not technology-specific, as the legislation was designed to stand the test of time. However, so much has changed in the past few years that now is surely the time to consider some amendments and updates.

In a recent article published in the Journal of the American Medical Informatics Association (AMIA), a number of suggestions have been made to improve understanding of HIPAA Rules and bring the legislation up to date.

The AMIA article calls for clarification of the HIPAA Privacy Rule covering patient access rights to their data. While patient access rights have been clarified in recent guidance issued by both the OCR and the Office of the National Coordinator of Health IT (ONC), some patients are still confused about what data they are entitled to access. AMIA suggests further clarification is required to ensure patients understand their rights under HIPAA allow them to access “all data maintained by a covered entity’s designated record set or, to a digital copy of their legal medical record.” Further, that patients should be provided with their data in a format that allows them to easily share it with other healthcare organizations without any further requirement for data processing.

AMIA suggests “A new framework is needed to fit today’s highly connected world,” one that would accommodate a much broader range of data and other stakeholders that are relevant to patient health. Medical device manufacturers for instance.

While it has been suggested that HIPAA Rules be extended to cover currently non-covered entities that hold personal health information, AMIA suggests there should at least be ‘HIPAA-like requirements’ for those entities to ensure that patients’ data are not misused or inappropriately disclosed, and also to ensure that individuals have the same rights to access data stored by non-covered entities that they do when the same information is stored by HIPAA-covered entities.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of