Editors’ Note:  This is the seventh and last in our third annual series examining important trends in data privacy and cybersecurity during the new year.  Our previous entries were on political advertising, cryptocurrency, emerging threats, state law trends, comparing the GDPR with COPPA, and energy and security.

HIPAA was signed into law on August 21, 1996, over 22 years ago.  As a 22 year-old, HIPAA is no longer a child, but not quite a full-fledged adult.  And, as a 22 year-old, it could be considered a part of the Millennial generation.  As we look to the year ahead for HIPAA, what can its status as a Millennial tell us about what is to come?

Wikipedia says Millennials are characterized by “increased use and familiarity with communications, media, and digital technologies,”  That sounds like the current issues that are challenging HIPAA covered entities:  communications (e.g., the growing use of email and testing by patients); media (e.g., the impact of social media on the provision of health care); and digital technologies (e.g., EHRs, blockchain).  Of course, Millennials also like craft beer and poke bowls, so this analogy does have some limits.

What else is in store for HIPAA in 2019?

• More data from non-HIPAA regulated data sources (e.g., remote monitoring devices and wearables), which will challenging HIPAA’s goal of greater interoperability and creating more concerns about privacy and data security.
• Nevertheless, there will be more data exchange and more sophisticated uses of data (as Cigna’s merger with Express Scripts and CVS’s merger with Aetna start to be effectuated).
• More methods of accessing and moving data:
  • Telemedicine (a Baby Boomer) will finally start to fulfill its promise, but along the way will bring more concerns about data privacy and security.
  • As more patient-accessible gateways and portals for health information are created, privacy and security solutions will struggle to keep up.
• Increasing state privacy regulation (e.g., California Consumer Privacy Act) and a Democratic House of Representatives will drive a push for revisions and updated to the HIPAA statute and regulations:
  • We’re already seeing more guidance on what HIPAA means, with HHS’s December 28, 2018 release of voluntary cybersecurity practices to the healthcare industry in an effort to move organizations “towards consistency” in mitigating cyber threats; expect these “voluntary” practices to become industry standard in short order.
  • And the Office for Civil Rights issued a request for information in December 2018 about existing HIPAA provisions that may limit or discourage information sharing (“Request for Information on Modifying HIPAA Rules To Improve Coordinated Care”).
• State attorneys general will take a larger role in enforcing HIPAA, as the ones from Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin did in December 2018, when they sued Medical Informatics Engineering, Inc., operating as Enterprise Health, LLC and K&L Holdings, and NoMoreClipboard, LLC, and joined an existing civil suit over a HIPAA breach impacting 3.9 million individuals.
• More and bigger breaches will occur (because there’s more data, more uses of data, more movement of data, and more value to data).
• More and bigger efforts by the plaintiff’s class action bar to turn HIPAA breaches into $$$.