June 5, 2025
The rapid proliferation of information technology has driven the healthcare sector to transition from paper-based medical records to comprehensive electronic health record (EHR) systems. Paper charts are exposed to physical risks such as loss, theft, and misfiling; electronic systems, for all the convenience and storage capacity they offer, confront a different class of threats, including network intrusions, malware, and data breaches.[1] These risks grew in the 1990s with the widespread adoption of smart-card technologies for accessing medical information, emphasizing the acute need for rigorous security and privacy standards. Such standards must both prevent unauthorized parties from accessing Protected Health Information (PHI) and allow patients, physicians, nurses, technicians, pharmacists, and other authorized personnel to realize the benefits of EHRs. A notable illustration of the dangers posed by inadequate protections is the case of Latanya Sweeney, now a Harvard researcher, who, while still a graduate student, re-identified the “de-identified” hospital discharge records of the governor of Massachusetts by linking them to publicly available voter-registration data on the fields the two datasets shared: ZIP code, date of birth, and sex.[2] The case demonstrated how easily patient privacy can be compromised when “de-identification” leaves such quasi-identifiers in place.
Historically, the principle of medical confidentiality finds its origins in the Hippocratic Oath—an ethical canon of ancient Greek medicine dating to the fifth century B.C.—in which physicians vow to keep “whatsoever they see or hear in the course of treatment . . . secret,” regarding such knowledge as “sacred and inviolable.” This ancient injunction provided the foundation for modern concepts of patient privacy in Western medicine.[3] Today, the protection of patient information is not merely an ethical obligation but a statutory requirement codified in contemporary legislation, most prominently in the United States by the Health Insurance Portability and Accountability Act (HIPAA).
Enacted as Public Law 104-191 on August 21, 1996, HIPAA arose from several principal motivations: ensuring the portability of health insurance for workers changing employment; rectifying the lack of uniform data-protection standards among states; facilitating the burgeoning use of EHRs and health-information technology; and combating pervasive fraud and abuse in healthcare.[4]
Although its initial purpose was to guarantee continuity and portability of coverage for millions of Americans, HIPAA also contained critical Administrative Simplification provisions, which directed the Department of Health and Human Services (HHS) to establish national standards for electronic transactions, privacy, and security of health data. Section 264 of the Act specifically required HHS to promulgate privacy regulations if Congress failed to enact privacy legislation within thirty-six months of enactment, with the final regulations due within forty-two months.
Because Congress did not meet this deadline, HHS published its first Privacy Rule proposal on November 3, 1999 and received over 50,000 public comments before finalizing the Privacy Rule on December 28, 2000, with a compliance date of April 14, 2003 for most covered entities.[5] The Privacy Rule’s principal objectives were to (i) safeguard the confidentiality of patients’ health information against unauthorized access; (ii) secure health data processed in electronic form; (iii) enable healthcare providers, payers, and related entities to exchange health information without compromising privacy or security; and (iv) reduce administrative costs by standardizing data-exchange processes.[6] In April 2024, the Privacy Rule was further amended to strengthen protections for reproductive-health information.[7]
Subsequently, recognizing the distinct threats posed to electronic PHI (ePHI), HHS promulgated the Security Rule in February 2003, with compliance required from April 2005; it mandates administrative, physical, and technical safeguards to uphold the triad of confidentiality, integrity, and availability of ePHI.[8] The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 added a Breach Notification Rule requiring covered entities and their business associates to notify affected individuals and HHS (and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets) of breaches of unsecured PHI, that is, PHI that has not been encrypted or destroyed in accordance with HHS guidance. Finally, the Omnibus Rule of 2013 integrated HITECH’s enhancements into the HIPAA regulations, made business associates directly liable for compliance, reinforced patient rights, and increased civil monetary penalties for non-compliance.[9]
These provisions are intended to ensure that protected health information is rigorously protected, while simultaneously permitting healthcare organizations to make reasonable use of such information in the delivery of high-quality health care services.
Since HIPAA does not expressly prescribe a territorial boundary, its applicability is instead governed by the categories of regulated entities set forth in 45 C.F.R. § 160.102, namely covered entities and the business associates they engage to perform functions or activities involving PHI, and by the type of information processed. In practice, any processing of protected health information by those entities falls within HIPAA’s ambit. Thus, HIPAA’s scope is determined not by geographic considerations but by (i) the legal status of the actor and (ii) the nature of the data in question.
Under 45 C.F.R. § 160.103, HIPAA’s regulatory scope extends across two principal categories of entities, covered entities and their business associates, each bearing distinct but complementary obligations to safeguard protected health information.
Covered entities include any organization that performs standard electronic transactions as defined by HIPAA: health plans (ranging from private insurers and health maintenance organizations (HMOs) to federal programs such as Medicare Parts A–D, Medicaid, the Children’s Health Insurance Program (CHIP), and multi-employer welfare arrangements), health care providers (including physicians, dentists, hospitals, clinics, long-term care facilities, pharmacies, and other practitioners who transmit any health information in electronic form in connection with transactions for which HHS has adopted a standard), and health care clearinghouses (entities that convert non-standard health information received from another entity into a standard format or data content, or vice versa).[10]
Business associates, by contrast, are any persons or organizations, such as cloud-service vendors, billing companies, data-management firms, or information-technology support providers, that create, receive, maintain, or transmit PHI on behalf of a covered entity. By regulation, covered entities must execute a written Business Associate Agreement (BAA) with each business associate, and since the 2013 Omnibus Rule business associates are themselves directly liable under the Security Rule and the applicable provisions of the Privacy and Breach Notification Rules, so the requirement to protect PHI follows the data rather than stopping at the covered entity’s boundary. Entities that only transiently or incidentally encounter PHI, such as postal carriers, janitorial services, or equipment repair firms, are not business associates, provided they do not perform functions that involve the use or disclosure of PHI beyond incidental exposure.[11]
PHI itself is defined as any individually identifiable health information, whether in paper records, electronic files, or oral communications, that relates to an individual’s past, present, or future physical or mental health condition, the provision of health care, or payment for health care, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Such information may be used or disclosed only as the Privacy Rule permits: pursuant to one of its enumerated permitted uses and disclosures (for example, treatment, payment, and health care operations), with the individual’s valid written authorization, or under the two required disclosures, namely to the individual who requests access to their own record and to HHS in the course of a compliance investigation. In contrast, data that have been de-identified under 45 C.F.R. § 164.514(b), either by the Safe Harbor method (removal of all eighteen HIPAA-specified identifier categories, with no actual knowledge that the remaining data could identify the individual) or by Expert Determination (a qualified expert applies accepted statistical principles and documents that the risk of re-identification is very small), are no longer PHI, fall outside HIPAA’s privacy and security requirements, and may be freely used or disclosed.[12] Safe Harbor retains at most the first three digits of a ZIP code (and only where that three-digit area contains more than 20,000 people), only the year of any date directly related to the individual, and aggregates all ages over 89 into a single category; these generalizations target precisely the ZIP-code, date-of-birth and sex linkage that the Sweeney re-identification exploited.
To ensure the confidentiality, integrity, and availability of PHI, both covered entities and business associates must implement and maintain a comprehensive framework of administrative, physical, and technical safeguards. Together, these multilayered protections form the foundation of HIPAA’s mandate to protect patients’ protected health information in an increasingly digital healthcare environment.
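As an added, constructed example (not part of the original article), the following Python applies the Safe Harbor transformations described above to a fabricated patient record and then scans the result for values that still look like linkage keys. The field names, the sample record, and the restricted three-digit ZIP list (the prefixes HHS published from the 2000 Census, which must be re-derived from current Census data before use) are this example’s own assumptions; the regex scan is a release-time sanity check for identifiers that survive in free text, not a substitute for the rule or for an expert determination.

```python
"""Safe Harbor de-identification under 45 C.F.R. 164.514(b)(2).

Added example, not from the original article. Field names, the sample record
and the RESTRICTED_ZIP3 list are assumptions made for illustration.
"""
import re
from datetime import date

# Fields (names assumed for this example) holding direct identifiers that
# Safe Harbor requires to be removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_template", "photo",
}

# Three-digit ZIP areas with 20,000 or fewer residents must be coded "000".
# These prefixes are the ones HHS listed from the 2000 Census; re-derive the
# list from current Census data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code):
    """Keep the first three digits only, or '000' for a restricted area."""
    if not zip_code:
        return None
    zip3 = str(zip_code).strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years elapsed between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record, as_of):
    """Return a new dict with the Safe Harbor transformations applied:
    direct identifiers dropped, geography reduced to state plus ZIP3,
    dates reduced to year, ages over 89 collapsed to '90+' with the
    year of birth removed (because it would reveal the age)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in ("city", "county"):
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"
            else:
                out["birth_year"] = value.year
                out["age"] = age
        elif isinstance(value, date):
            out[field + "_year"] = value.year
        else:
            out[field] = value
    return out


# Patterns that signal a value still carries a linkage key after transformation.
RESIDUAL_PATTERNS = {
    "zip5": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def residual_identifiers(record):
    """Map each string field to the list of pattern names it still matches.
    Free-text fields are where identifiers usually survive de-identification."""
    found = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        hits = [name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(value)]
        if hits:
            found[field] = hits
    return found


# Constructed sample record; every value is fabricated.
SAMPLE = {
    "name": "Jane Q. Example",
    "dob": date(1932, 3, 14),
    "sex": "F",
    "street_address": "12 Elm St",
    "city": "Cambridge",
    "state": "MA",
    "zip": "02139",
    "phone": "617-555-0100",
    "admit_date": date(2024, 11, 2),
    "diagnosis_code": "I10",
    "clinical_note": "Follow-up call 617-555-0100 scheduled 2024-11-09.",
}


def demo(as_of=date(2025, 6, 5)):
    """De-identify SAMPLE and report what still looks identifying."""
    deid = safe_harbor(SAMPLE, as_of)
    return deid, residual_identifiers(deid)


if __name__ == "__main__":
    deid, residual = demo()
    for k, v in deid.items():
        print(f"{k}: {v}")
    print("residual identifiers:", residual)
```

Running it shows the structured fields generalized as the rule requires (ZIP 02139 becomes 021, the 1932 date of birth collapses to age "90+" with no birth year, the admission date keeps only 2024), while the clinical note is flagged because a phone number and a full date survived in free text. That is the typical failure of Safe Harbor releases in practice: the schema is clean, the narrative fields are not. The transformation also reduces the three quasi-identifiers used in the Sweeney linkage (5-digit ZIP, full date of birth, sex) to ZIP3, birth year and sex, which is why the rule was drafted in those terms.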
HHS has been actively pursuing updates to strengthen HIPAA’s privacy and security framework. In January 2021, HHS issued a Notice of Proposed Rulemaking (NPRM) titled “Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens,” aimed at enhancing individual rights (including expanded accounting of disclosures), refining the “minimum necessary” standard to facilitate care coordination, and eliminating obstacles to data sharing; this NPRM has not been finalized. Subsequently, in November 2022, HHS and the Substance Abuse and Mental Health Services Administration (SAMHSA) jointly proposed aligning 42 C.F.R. Part 2, which governs the confidentiality of substance-use-disorder records, with HIPAA’s terminology, consent protocols, and breach-notification requirements, thereby streamlining behavioral-health data exchange without undermining privacy safeguards; that rule was finalized in February 2024.
Most recently, in response to escalating cybersecurity threats within the healthcare sector, the U.S. Department of Health and Human Services, through its Office for Civil Rights, issued an NPRM on December 27, 2024 that would substantially revise the HIPAA Security Rule.[13] This initiative represents the most significant update since 2013, reflecting the need to address the evolving landscape of ePHI security.
The proposed modifications aim to fortify the confidentiality, integrity, and availability of ePHI and to align regulatory requirements with contemporary cybersecurity practice. Among the proposals are removing the distinction between “required” and “addressable” implementation specifications so that all safeguards become mandatory, requiring encryption of ePHI at rest and in transit, multi-factor authentication, a documented technology asset inventory and network map, and the ability to restore critical systems within 72 hours, together with annual compliance audits and periodic vulnerability scanning and penetration testing. The public comment period for the NPRM concluded on March 7, 2025, with over 4,000 submissions, indicating significant stakeholder engagement in shaping the future of healthcare data security.[14]
[1] CalystaEMR. (n.d.). Security Issues Between Maintenance of Paper Medical Records and EHR. Retrieved from https://calystaemr.com/security-issues-between-maintenance-of-paper-medical-records-and-ehr/ on May 21, 2025.
[2] Herveg, J., & Hoffman, S. (2020). Privacy and integrity of medical information. In A. M. Boggio & A. D. Price (Eds.), The Oxford Handbook of Comparative Health Law (pp. 1-47). Oxford University Press.
[3] Moskop, J. C., Marco, C. A., & Kass, N. (2005). From Hippocrates to HIPAA: Privacy and confidentiality in Emergency Medicine—Part I: Conceptual, moral, and legal foundations. Annals of Emergency Medicine, 45(1), 53-59.
[4] Veernapu, K. (2021, May). Comprehensive Analysis of HIPAA: Privacy, Security, and Compliance in the Digital Healthcare Era. International Journal of Leading Research Publication (IJLRP), 2(5), 1-7. Retrieved from https://www.ijlrp.com/papers/2021/5/1193.pdf.
[5] U.S. Department of Health & Human Services. (n.d.). Summary of the HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html on May 21, 2025.
[6] Ibid.
[7] U.S. Department of Health & Human Services. (n.d.). HHS Strengthens HIPAA Privacy Protections for Reproductive Health Care. Retrieved from https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html on May 21, 2025.
[8] 45 C.F.R. Part 164, Subpart C (Security Standards for the Protection of Electronic Protected Health Information).
[9] HIPAA Journal. (n.d.). The History of HIPAA. Retrieved from https://www.hipaajournal.com/hipaa-history/ on May 21, 2025.
[10] Ibid.
[11] Ibid.
[12] Ibid.
[13] U.S. Department of Health & Human Services, Office for Civil Rights. (2025, January 6). HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information (Notice of Proposed Rulemaking). Federal Register. Retrieved from https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf on May 29, 2025.
[14] Leopard, A. S., & Setterlund, E. (2025, March 14). Top 10 takeaways from the new HIPAA security rule NPRM. Reuters. Retrieved from https://www.reuters.com/legal/litigation/top-10-takeaways-new-hipaa-security-rule-nprm-2025-03-14/ on May 29, 2025.