Volume 96, Issue 1 p. 144-166
Original Scholarship

The Role of HIPAA Omnibus Rules in Reducing the Frequency of Medical Data Breaches: Insights From an Empirical Study

NIAM YARAGHI

School of Business, University of Connecticut

Center for Technology Innovation, Governance Studies, the Brookings Institution

Address correspondence to: Niam Yaraghi, School of Business, University of Connecticut, 1 University Pl, Stamford, CT 06901 (email: [email protected]).

RAM D. GOPAL

School of Business, University of Connecticut

First published: 05 March 2018
Citations: 23

Abstract

Policy Points:

  • Frequent data breaches in the US health care system undermine the privacy of millions of patients every year. A large number of these breaches happen among business associates of health care providers, and these associates continue to gain unprecedented access to patients’ data as the US health care system becomes digitally integrated.
  • Implementation of the HIPAA Omnibus Rules in 2013 has led to a significant decrease in the number of privacy breach incidents among business associates.

Context

Frequent data breaches in the US health care system undermine the privacy of millions of patients every year. A large number of such breaches happen among business associates of health care providers, and these associates continue to gain unprecedented access to patients’ data as the US health care system becomes digitally integrated. The Omnibus Rules of the Health Insurance Portability and Accountability Act (HIPAA), which were enacted in 2013, significantly increased the regulatory oversight and privacy protection requirements of business associates. The objective of this study is to empirically examine the effects of this shift in policy on the frequency of medical privacy breaches among business associates in the US health care system. The findings of this research shed light on how regulatory efforts can protect patients’ privacy.

Methods

Using publicly available data on breach incidents between October 2009 and August 2017 as reported by the Office for Civil Rights (OCR), we conducted an interrupted time-series analysis and a difference-in-differences analysis to examine the immediate and long-term effects of implementation of HIPAA omnibus rules on the frequency of medical privacy breaches.

Findings

We show that implementation of the omnibus rules led to a significant reduction in the number of breaches among business associates and prevented 180 privacy breaches from happening, which could have affected nearly 18 million Americans.

Conclusions

Implementation of HIPAA omnibus rules may have been a successful federal policy in enhancing privacy protection efforts and reducing the number of breach incidents in the US health care system.
