In its current form, the Health Insurance Portability and Accountability Act (HIPAA) is, for many organizations, an essential building block for safeguarding regulated healthcare data and, in turn, mitigating cyberattacks.
The Department of Health and Human Services’ Office for Civil Rights reiterated its importance just last week, stressing that organizations that fully comply with the HIPAA Security Rule can greatly help curb healthcare hacking incidents.
But with concerns around data privacy mounting at a federal level and a growing need for organizations to demonstrate that patients’ private health information is being kept secure, many say HIPAA needs a rewrite.
That is partly why senators are looking to form a commission to study how personal health information (PHI) is collected, stored, and used today and, in the process, update HIPAA to reflect current problems.
To potentially make more changes to HIPAA, two senators, Bill Cassidy (R-LA) and Tammy Baldwin (D-WI), introduced the Health Data Use and Privacy Commission Act last month. The legislation has several goals, including the creation of a new body, the Commission on Health Data Use and Privacy Protection.
The group would analyze how PHI is collected and stored, look at existing protections in place and then make recommendations to update HIPAA to address the advent (and modernization) of digital health and telemedicine over the last decade.
In addition to studying issues related to PHI, the commission would also be tasked with examining the following:
- Collection of PHI by Governments — the monitoring, collection and distribution of PHI by federal, state and local governments, such as the collection of information to combat the spread of diseases such as COVID-19 and the threat of substance use disorders involving opioids.
- Current Laws — current federal and state laws designed to protect PHI, including HIPAA, the Common Rule, the Federal Trade Commission Act, the Privacy Act of 1974 and the 21st Century Cures Act.
- Private-Sector Activities — privacy protection efforts undertaken by the private sector, including self-regulatory efforts initiated to respond to and mitigate privacy issues and liabilities.
- Enforcement — current enforcement of privacy laws and rules, by federal and state governments and private rights of action, and the potential for consolidation of enforcement.
- Comparability of Rules — the differences and similarities among federal, state and international rules for protecting PHI and the degree to which such similarities or differences create or address problems related to data privacy.
- Sale of PHI — the degree to which PHI is sold with or without consent, and the uses of such information.
- Consent — challenges and potential solutions to consent requirements and processes in medical research.
- De-identification — the need for consistency in de-identification standards for health data to avoid conflicting requirements that impede advancements in healthcare, such as through clinical trials or technology development.
- Technology Advancements — advancements in technologies currently used for treatment, payment and healthcare operations, compared to the technologies used when the HIPAA privacy regulations were issued in 2000.
- Non-covered Entities — gaps in privacy protections under HIPAA resulting from data collection and use by non-covered entities.
- Employee Health Data — employer practices with respect to the health information of employees.
- Data Use Notices — varying notices of privacy practices and whether such practices are effective in informing consumers of their rights and responsibilities.
While HIPAA requires that organizations implement access controls regulating access to electronic PHI, and includes requirements that encourage organizations to have solutions in place to address phishing attacks and mitigate weak authentication, there is no denying it is a bit dated. It was first signed into law back in 1996.
If the legislation moves forward and the group is successful, it won't be the first time that HIPAA has gotten an update; the last update to the HIPAA Rules was in 2013 when the HIPAA Omnibus Rule introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
In December 2020, the Department of Health and Human Services (HHS) announced proposed major revisions to the HIPAA Privacy Rule to allow patients to review their PHI, shorten covered entities' response times from 30 to 15 days, and require healthcare professionals and health plans to respond to record requests as instructed by patients. Those changes, in the form of a final rule for modifications to the HIPAA privacy rule, are expected this year.