Cross-Case Analysis of Data Security Measures Before and After the 1996 HIPAA Enactment

Language
American English
Degree
M.S.
Degree Year
2009-05
Department
School of Informatics
Grantor
Indiana University
Abstract

The protection of sensitive healthcare information has been a concern since the Common Law of Confidentiality and its protection of the doctor-patient relationship. Although there was no legislation specifically mentioning electronic healthcare data disclosure until the Health Insurance Portability and Accountability Act (HIPAA) of 1996, there was other legislation related to personal data security such as the Freedom of Information Act of 1966, the Privacy Act of 1974, and laws protecting the medical records of alcohol and drug abuse patients in 1983. The enactment of HIPAA in 1996 and the following Privacy and Security Standards that were an outgrowth of the original legislation became the impetus for more comprehensive and specific legislation and standards relating to healthcare data security. As technology and data sharing have advanced exponentially, it would seem the need for improved security measures, standards and policies would also increase. Although there are still inconsistencies between some state and federal statutes, standardization of messaging, access, and data transmission in all aspects of healthcare has become the norm, allowing the rapid identification and implementation of best practices based on outcomes and patient safety, and the improvement of public healthcare through real-time trending and bio-surveillance. Nationally there are now certification procedures for specific vendor products, based on suggested interoperability standards, including data security. The development and implementation of interoperability standards between the Electronic Health Record (EHR) and the Personal Health Record (PHR) will enable any patient to control the provider access to personal medical information and still enable rapid access to accurate information from multiple healthcare entities. The documents selected reflected the presence of 21 specific data security measures, in legislation or standards, prior to and after HIPAA enactment in 1996.
A cross-case analysis was conducted to determine if these measures have increased or decreased since enactment. Measures were grouped into related categories of legislation, access, breach, enforcement, security, policy, and communication. Results show that most of the same measures existed prior to HIPAA enactment, but the number of documents containing these measures, either in legislation or standards, has markedly increased. The greatest increase was in the categories of breach and enforcement.

Type
Thesis