HIPAA May Not Be Enough to Protect Our Health Information

Jessica Sweeb

Associate Editor

Loyola University Chicago School of Law, JD 2019

On March 1, 2019, the College of Healthcare Information Management Executives (“CHIME”) sent a six-page letter to Congress discussing how technology has affected health care costs. CHIME believes that too much money is being spent on making sure that health care organizations comply with the requirements of the Office of Civil Rights (“OCR”) and the Department of Health and Human Services (“HHS”), while too few resources go towards actually protecting against cybersecurity attacks. The letter contains multiple suggestions for how patient data could be better protected, such as incentivizing health care organizations to implement more cybersecurity safety measures. However, many of CHIME’s proposals would require Congress to amend multiple provisions of existing acts, such as the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).
CHIME is a professional organization for Chief Information Officers and other health care information technology leaders. This global organization has roughly 2,800 health care professionals as members. It serves as a platform for these professionals to exchange ideas, collaborate on projects, and offer educational programs in order to advance the health care community. Some of CHIME’s members were among the first users of health IT resources, such as electronic health records (“EHRs”).

Writing to Congress

CHIME wrote to Congress on March 1, 2019 to discuss technology’s impact on rising health care costs and how technology could improve the health care industry if used correctly. They wrote that the adoption of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) has significantly helped health care providers care for and engage with their patients. Some of the provisions in the HITECH Act included the Health IT Advisory Committee, the EHR Reporting Program, and the 21st Century Cures Act, all of which eased the burden of health IT on different health care systems.

CHIME emphasized that HIPAA may not be sufficient to stop cybersecurity attacks and protect patient health information because of the rapid rate at which technology is advancing. Other concerns that CHIME raised with Congress included Telehealth policies, quality measurement, HIPAA compliance, and the coordination of privacy laws with consent laws.

Why HIPAA may no longer be effective

Cybersecurity attacks, such as the 2017 WannaCry ransomware attack and the 2016 Petya cyberattack, cost a significant amount of money and can be extremely damaging. CHIME states in its letter that it believes resources are not properly allotted to protecting patient data. HHS’s privacy requirements, such as audits conducted by the OCR, are considered a burden and do not actually help a health care organization learn from a breach. CHIME asserts that a substantial amount of effort and resources is devoted to complying with OCR requirements. However, CHIME does not think that this addresses the major cybersecurity threats that health care providers are facing. Rather, it argues that devoting this much attention to complying with the current OCR requirements actually lowers providers’ ability to guard patient health information.

How to properly protect patient information according to CHIME

The letter lists a few suggestions to improve HHS’s and OCR’s practices so that patient information is better protected. First, CHIME suggests that organizations should be offered safe harbors from Resolution agreements as an incentive to promote and implement more cybersecurity safety measures. For this plan to work, Congress would need to amend the HITECH Act. CHIME also proposes that HHS should favor policies that reward health care providers and covered entities for actively working to prevent cybersecurity attacks, rather than relying on punitive policies. For example, CHIME recommends rewarding health care providers for complying with the National Institute of Standards and Technology’s Cybersecurity Framework. For this to be fully effective, health care providers would need to extend the same security measures and responsibilities to all of the business associates and covered entities working with them.

CHIME suggests that Congress should encourage more open communication among the states so that health care providers can secure patient data safely across different locations. Recommendations such as rethinking Telehealth policies and harmonizing privacy laws with consent laws were included to demonstrate to Congress that there are more effective methods of protecting patient data than those currently in place.