Editors’ Note:  This is the seventh and last in our third annual series examining important trends in data privacy and cybersecurity during the new year.  Our previous entries were on political advertisingcryptocurrencyemerging threatsstate law trends, comparing the GDPR with COPPA, and energy and security.

HIPAA was signed into law on August 21, 1996, over 22 years ago.  As a 22 year-old, HIPAA is no longer a child, but not quite a full-fledged adult.  And, as a 22 year-old, it could be considered a part of the Millennial generation.  As we look to the year ahead for HIPAA, what can its status as a Millennial tell us about what is to come?

Wikipedia says Millennials are characterized by “increased use and familiarity with communications, media, and digital technologies,”  That sounds like the current issues that are challenging HIPAA covered entities:  communications (e.g., the growing use of email and testing by patients); media (e.g., the impact of social media on the provision of health care); and digital technologies (e.g., EHRs, blockchain).  Of course, Millennials also like craft beer and poke bowls, so this analogy does have some limits.

What else is in store for HIPAA in 2019?

  • More data from non-HIPAA regulated data sources (e.g., remote monitoring devices and wearables), which will challenging HIPAA’s goal of greater interoperability and creating more concerns about privacy and data security.
  • Nevertheless, there will be more data exchange and more sophisticated uses of data (as Cigna’s merger with Express Scripts and CVS’s merger with Aetna start to be effectuated).
  • More methods of accessing and moving data:
  • Increasing state privacy regulation (e.g., California Consumer Privacy Act) and a Democratic House of Representatives will drive a push for revisions and updated to the HIPAA statute and regulations:
  • State attorneys general will take a larger role in enforcing HIPAA, as the ones from Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin did in December 2018, when they sued Medical Informatics Engineering, Inc., operating as Enterprise Health, LLC and K&L Holdings, and NoMoreClipboard, LLC, and joined an existing civil suit over a HIPAA breach impacting 3.9 million individuals.
  • More and bigger breaches will occur (because there’s more data, more uses of data, more movement of data, and more value to data).
  • More and bigger efforts by the plaintiff’s class action bar to turn HIPAA breaches into $$$.