Co-authored by Elizabeth G. Litten and Michael J. Kline
HIPAA turns 20 today. A lot has changed in the two decades since its enactment. When HIPAA was signed into law by President Bill Clinton on August 21, 1996, DVDs had just come out in Japan, most people used personal computers solely for word processing, the internet domain myspace.com had just come online, Apple stock was at a ten-year low, and Microsoft Windows CE 1.0 would soon be released (in November of 1996, as a portable operating system solution). In December of 1996, Microsoft’s Office 97 was published on CD-ROM and was also available on a set of 45 3½-inch floppy disks. The internet did not exist in many countries, and The New York Times took the bold step of starting its own website. Google was also born in 1996, but few people had heard of it outside of Stanford University. Pokémon hit the market for the first time, but it wasn’t a game played on cell phones. Even texting was a rarity:
“Most early GSM mobile phone handsets did not support the ability to send SMS text messages, and Nokia was the only handset manufacturer whose total GSM phone line in 1993 supported user-sending of SMS text messages. According to Matti Makkonen, the inventor of SMS text messages, Nokia 2010, which was released in January 1994, was the first mobile phone to support composing SMSes easily … Initial growth was slow, with customers in 1995 sending on average only 0.4 messages per GSM customer per month.” [https://en.wikipedia.org/wiki/Short_Message_Service]
According to Wikipedia, the first secure data kidnapping attack was invented by experts at Columbia University and was presented at an IEEE Privacy and Security conference in 1996. Fast forward 20 years to the first six months of 2016, and ransomware attacks on hospitals made headlines after a hospital in Hollywood, California paid $17,000 in ransom (reportedly in bitcoins, another digital invention never considered in 1996).
The Department of Health and Human Services (HHS) released a “FACT SHEET: Ransomware and HIPAA” in July of 2016, reporting a 300% increase in ransomware attacks reported in the first 6 months of 2016 as compared with those reported in all of 2015. It’s hard to imagine that, back in 1996 (or even in 2000 or 2003, when the Privacy Rule and Security Rule, respectively, were first promulgated), HIPAA compliance would require staving off and responding to cybersecurity attacks involving data “kidnapping”.
Over the years, this blog site has addressed many issues that were not a gleam in the eyes of the federal and state governments, healthcare organizations, insurers, patients and many other stakeholders in 1996. Ten of these issues, featured on this blog in the last two years, are noted below with their posting dates.
Is Your Facility a PokéStop? (A what?) – July 20, 2016
HIPAA audits – April 10, 2016
Health Information Mobile Apps – March 31, 2016
The Federal Trade Commission becomes one of several competing new sheriffs in town for regulating healthcare privacy and security – January 11, 2016
Stolen laptops as constant sources of HIPAA privacy breaches – September 3, 2015
Dumpster diving as a common source of HIPAA breaches respecting paper records – July 31, 2015
Federal and state governments become victims of HIPAA breaches even with high levels of security – June 26, 2015
Countless cases of alleged theft and other crimes involving PHI or other HIPAA breaches by employees, including physicians – March 24, 2015
Numerous lawsuits by State Attorneys General to enforce HIPAA and state health information privacy laws – December 17, 2014
The “Wall of Shame” features many highly respected and well-known hospitals, universities, insurers, Fortune 500 companies and numerous other lesser-known victims – July 30, 2014
It can be expected that many more unanticipated and challenging issues will confront HIPAA in the future as the dizzying advance of technology surges onward, matched only by the boundless ingenuity of hackers and others seeking to profit from illegal activities relating to PHI.