The Role of HIPAA Omnibus Rules in Reducing the Frequency of Medical Data Breaches: Insights From an Empirical Study

Policy Points:

Frequent data breaches in the US health care system undermine the privacy of millions of patients every year, a large number of which happen among business associates of the health care providers that continue to gain unprecedented access to patients' data as the US health care system becomes digitally integrated.

Implementation of the HIPAA Omnibus Rules in 2013 has led to a significant decrease in the number of privacy breach incidents among business associates.

CONTEXT Frequent data breaches in the US health care system undermine the privacy of millions of patients every year. A large number of such breaches happen among business associates of the health care providers that continue to gain unprecedented access to patients' data as the US health care system becomes digitally integrated. The Omnibus Rules of the Health Insurance Portability and Accountability Act (HIPAA), which were enacted in 2013, significantly increased the regulatory oversight and privacy protection requirements of business associates. The objective of this study is to empirically examine the effects of this shift in policy on the frequency of medical privacy breaches among business associates in the US health care system. The findings of this research shed light on how regulatory efforts can protect patients' privacy.

METHODS Using publicly available data on breach incidents between October 2009 and August 2017 as reported by the Office for Civil Rights (OCR), we conducted an interrupted time-series analysis and a difference-in-differences analysis to examine the immediate and long-term effects of implementation of HIPAA omnibus rules on the frequency of medical privacy breaches.

FINDINGS We show that implementation of the omnibus rules led to a significant reduction in the number of breaches among business associates and prevented 180 privacy breaches from happening, which could have affected nearly 18 million Americans.

CONCLUSIONS Implementation of HIPAA omnibus rules may have been a successful federal policy in enhancing privacy protection efforts and reducing the number of breach incidents in the US health care system.
