HIPAA and Emerging Technologies

The Health Insurance Portability and Privacy Act of 1996 (HIPAA) is 15 years old this year – still acting a bit like an uncertain, wide-eyed teenager responding to new developments. Although more mature, clarified by regulations, and supplemented by the HITECH Act, at its core HIPAA has remained relatively unchanged since its enactment. Societal changes implicating HIPAA, however, have been significant. Over the past five years alone, we saw the rise of Facebook, the domination of Google, and the introduction of powerful personal electronic devices such as Apple’s iPhone and iPad. In addition, technologies such as cloud computing, wireless communication, and telemedicine have reached a level of reliability and affordability that has allowed healthcare providers to expand their reach and services. With every emerging technology, the specter of HIPAA compliance remains a key concern, while its application becomes murkier.

HIPAA was designed to be technology neutral. Accordingly, the statute is worded in terms of principles of compliance instead of specific measures to be implemented. While this permits flexibility so that the law can continue to be relevant as time and technology progress, it also creates ambiguity. Indeed, so ambiguous is the HIPAA statute that there continues to be a debate over its application to a technology as ubiquitous as email. Nonetheless, HIPAA offers a methodical, step-by-step process for reviewing new programs, applications, and technologies to ensure technical safeguards are in place. The safeguards cover five areas: access controls, audit controls, integrity controls, authentication, and transmission security. This article addresses each of these and explains the challenges they present in evaluating compliance issues as applied to emerging technologies.
