The Future of HIPAA in 2024 and Beyond: Are We In Trouble?

Since its enactment in 1996, HIPAA has undergone important changes to adapt to evolving technologies, industry practices, and emerging threats. But, despite rigorous federal oversight, the technology industry has still managed to leave patient data vulnerable.

So, what new threats lie on the horizon, and how can healthcare keep up? In this blog, we’ll explore the anticipated changes and challenges for HIPAA and what experts have to say about it.

Bridging the Gap Between HIPAA and Emerging Technologies

The integration of emerging technologies, such as artificial intelligence (AI), the Internet of Things (IoT), and telehealth, is revolutionizing healthcare delivery. These advancements raise questions about how existing HIPAA regulations will adapt to encompass these technologies while maintaining patient privacy and data security.

As AI algorithms analyze vast amounts of patient data to generate insights, protecting that data becomes paramount. Similarly, IoT devices connected to healthcare networks pose unique challenges in terms of data encryption, device authentication, and data storage. Finding a balance between innovation and compliance will be an interesting aspect of the future of HIPAA.

However, some technologies that do collect protected health information (PHI) are not covered by HIPAA at all. Examples include genealogical databases like 23andMe and Ancestry, as well as consumer health devices and mHealth apps. HHS and the OCR technically cannot handle any complaint regarding a breach of this data; any and all such issues go to the Federal Trade Commission.

The Need for Future Adaptation

From the initial establishment of broad privacy rules to the inclusion of the Security and Breach Notification Rules, HIPAA regulations have progressively evolved to address the complex challenges posed by the digital age and the increasing reliance on electronic health records.

These changes have resulted in a more comprehensive and stringent framework for protecting the sensitive health information of patients.

As technology continues to advance, so do the methods used by cybercriminals to breach healthcare systems. The ever-increasing number of data breaches and cyberattacks indicates the pressing need for enhanced security measures.

Recognizing this need, the Department of Health and Human Services (HHS) initiated a request for information (RFI) process to solicit public input on HIPAA reforms in 2019 and recently published a cybersecurity framework implementation guide.

This proactive approach demonstrated the intention of policymakers to address the evolving challenges and ensure that HIPAA remains effective in protecting patient data in the future.

But, per a recent caustic JAMA article, AI chatbots cannot comply with HIPAA in any meaningful way despite industry assurances. It highlights the increasing use of AI-powered chatbots in providing medical advice through websites and smartphone apps.

While these chatbots can save time and offer accurate answers, there are concerns about their potential harm as they rely on large language models (LLMs) that may make mistakes, reflect biases, and even manipulate people. The article mentions a specific instance where a user reportedly died by suicide after being encouraged to harm themselves by the chatbot.

Per the Health Law Policy, Biotechnology, and Bioethics department at Harvard Law School, HIPAA is “outdated and inadequate” to address AI-related privacy concerns.

Critics argue that the existing HIPAA law was written two decades ago and does not adequately address the challenges posed by emerging technologies and the digital healthcare environment.

The proliferation of digital health data, the increased use of telehealth apps, and consumers' active involvement in healthcare management have created new challenges not covered by the current legal framework.

The digitization of healthcare and the use of digital health tools, such as patient portals, health information exchanges, wearables, and mobile health applications, have created a void in the protection of health data. These technological advancements have outpaced privacy regulations, resulting in challenges in safeguarding the privacy and security of health information.

HIPAA Regulatory Changes on the Horizon

Several potential changes to HIPAA regulations are being considered, aiming to strengthen patient data protection and streamline compliance processes. These changes include modifications in areas such as breach notification requirements, patient access to health records, and sharing of information for research purposes.

As a recent example, UnitedHealthcare is due to pay an $80,000 fine to HHS for failure to provide a patient with his or her records in a timely fashion. They will also be monitored for one year by the Office for Civil Rights (OCR) to ensure they follow a corrective action plan.

Perhaps the most significant proposed change is the introduction of a national unique patient identifier (UPI).

The Joint Commission provides guidance on the use of two patient identifiers for healthcare organizations to reliably identify patients for whom services or treatment are intended. This includes various acceptable identifiers, such as names, identification numbers, telephone numbers, and electronic identification technology coding.

Advocates argue that a UPI would improve patient matching, data synchronization, and interoperability among healthcare providers. However, concerns about privacy and security have ignited debates on the feasibility and potential risks associated with implementing a UPI.

Although there were temporary exemptions to HIPAA enforcement for telehealth providers during the COVID-19 pandemic, these exemptions expired on May 11, 2023. Telehealth is still alive and strong (and expanding with the advent of remote patient monitoring, another IoT liability), so it remains to be seen how HHS and the OCR adapt to the widespread implementation of telehealth.

The Rise of Health Data Sharing

In an era of big data and precision medicine, health data sharing has become the cornerstone for research, patient care, and population health management. HIPAA regulations have historically imposed stringent limitations on the sharing of patient data, often hindering progress in these areas.

However, policymakers are recognizing the need to strike a balance between privacy and data exchange for public health purposes. Efforts to develop frameworks that allow secure and responsible data sharing (such as storing information in the cloud) are gaining traction; these frameworks encourage collaboration while addressing privacy concerns.

Unfortunately, this has pushed lawmakers to create a patchwork of state and international laws. In the absence of comprehensive updates to federal privacy laws, many states have individually passed stricter privacy laws that may conflict with or go beyond the scope of HIPAA.

The Challenges Ahead for Healthcare Providers

As future HIPAA regulations become more robust, healthcare providers will face significant challenges in ensuring compliance. Many healthcare organizations struggle with limited resources and expertise to implement and maintain comprehensive data security measures.

To alleviate the burden, many companies are considering bringing AI into the fold, but…

Critics tell a cautionary tale. They highlight the many threats that artificial intelligence (AI) poses to HIPAA compliance. This includes the increasing use of AI algorithms in healthcare for various purposes, such as diagnostics, chatbots, predictive analytics, and administrative tasks.

The reliance of AI algorithms on large datasets, including electronic health records and patient demographics, raises privacy concerns.

One of the key challenges is the potential for unauthorized access to sensitive patient information. The extensive use of data by AI systems may unveil patterns or correlations that could potentially re-identify individuals, posing a risk to patient privacy and HIPAA compliance.

The deployment of AI introduces new attack vectors, making it possible for malicious actors to exploit vulnerabilities within AI systems to gain unauthorized access to patient information.

As an example, in 2020, an artificial intelligence (AI) company mistakenly exposed over 2.5 million medical records on the internet. A security researcher discovered two folders containing detailed medical information, including names, insurance records, medical diagnosis notes, and payment records.

The data was labeled as "staging data" and was hosted by the AI company Cense AI. It is believed that the data was sourced from insurance companies and primarily pertained to car accident claims and referrals for neck and spine injuries, mainly affecting individuals in New York.

Cense AI was notified, and public access to the records was restricted. However, the potential damage had already been done, as medical data is highly valuable on the black market, with each record fetching as much as $250.

This story highlights the importance of conducting thorough risk assessments and privacy impact assessments to identify vulnerabilities associated with AI systems. Robust encryption protocols, access controls, and regular security monitoring are crucial steps to protect patient data, mitigate data breaches, and ensure HIPAA compliance.

Embrace the Future of HIPAA

As we look ahead to the year 2024 and beyond, it is clear that the landscape of HIPAA will have to evolve to align with the realities of the digital age.

So, are we in trouble? Not necessarily.

While the challenges may be significant, they also present opportunities for healthcare organizations to elevate their data security practices, adopt emerging technologies responsibly, and enhance patient trust.

By embracing the future of HIPAA and proactively adapting to changes, healthcare providers can navigate the regulatory landscape successfully while prioritizing patient privacy and security.

360training is the solution to all of your online training and certification needs. Do you or your staff need HIPAA training? We’ve got it. OSHA healthcare worker safety training? We’ve got that too. Our courses are 100% online and available 24/7 for your convenience. Check out our complete catalog of courses on our website and enroll today!