HIPAA History

A Guide to HIPAA History

Our guide to HIPAA history explains the motives behind the Healthcare Insurance Portability and Accountability Act, details the dates on which the Act was created, passed and enacted, and looks at further events in the history of HIPAA that have shaped the current legislation and its enforcement.

Although our guide to HIPAA history chronicles the key events of the past twenty years, HIPAA compliance is always evolving. As new healthcare technology is developed, and working practices are changed to accommodate the demands of a modern healthcare industry, Covered Entities and Business Associates should keep up to date with current events to ensure they remain in compliance with the Act.

Why was HIPAA Created?

HIPAA is an extremely comprehensive Act. Its final text (HR 3103) included amendments to the Employee Retirement Income Security Act and the Public Health Service Act, and integrated various elements from other bills that had been introduced at the time – notably the Senate's proposed Health Insurance Reform Act and the House's proposed Health Coverage Availability and Affordability Act. Consequently, HIPAA was created with multiple motives. These included:

  • To improve portability and continuity of health insurance coverage.
  • To prevent healthcare fraud and abuse, and simplify administration.
  • To standardize the amount that may be saved in a pre-tax medical savings account.
  • To apply and enforce group health insurance requirements.
  • To prohibit the tax-deduction of interest on life insurance loans.

The most significant passage within the Act as far as the healthcare industry is concerned came within Subtitle F of Title II – the Administration Simplification Rule. This Rule directed the Department of Health and Human Services (HHS) to develop standards in order to protect the privacy of individually identifiable health information. It was from this passage that the HIPAA regulations we know today were created – particularly those relating to Protected Health Information.

When was HIPAA Passed?

HIPAA was passed by the House on 28th March 1996, just ten days after being introduced by Representative Bill Archer. The speed at which HIPAA passed the House was attributable to the content of the Act being drawn from many previously agreed proposals. The Act was then sent to the Senate, where it was unanimously passed on 23rd April 1996.

The passage of HIPAA through the Senate was expedited due to it replacing the very similar Health Insurance Reform Act introduced by Senator Nancy Kassebaum. Kassebaum is often credited with being the architect of HIPAA, yet her proposals lacked the Administration Simplification Rule now acknowledged as the seed from which HIPAA grew.

When was HIPAA Enacted?

HIPAA was enacted – inasmuch as it was signed into law by President Bill Clinton – on August 21st 1996. However, different elements of the bill were enacted in stages. For example, one measure contained within Title V of HIPAA – a quarterly “name and shame” publication of individuals who had chosen to give up US citizenship in order to avoid paying tax – went into effect immediately.

The section of HIPAA relating to the healthcare industry was effectively not enacted until the publication of the Privacy Rule in 2000 (see “When did HIPAA Start?” below). In the meantime, however, HHS had implemented code sets for electronic transactions and had been involved with the Administrative Simplification Compliance Act, which requires the electronic submission of Medicare claims.

When did HIPAA Start?

The HIPAA start date for many healthcare professionals is December 28th 2000. It was on this day that the final “Standards for Privacy of Individual Identifiable Health Information” (or the “Privacy Rule”) was published – more than a year after a proposed Privacy Rule had been released for public comment. Due to the number of standards that had to be adhered to (some of which were amended in March 2002), the effective compliance date of the Privacy Rule was 14th April 2003.

Healthcare IT has an unofficial second HIPAA start date – February 20th 2003. On this date the Final Rule on Security Standards was published containing the administrative, physical and technical safeguards intended to protect the integrity of electronically created, used, stored and shared Protected Health Information. The Security Rule had an effective date of 21st April 2003 and a compliance date of 21st April 2005; but these dates did not signify the end of HIPAA history.

Further Dates in the History of HIPAA

Since 2005, there have been several significant dates in the history of HIPAA – some more significant than others. For example, on February 16th 2006, the Enforcement Rule was issued. This Rule set the (original) civil penalties for violations of HIPAA and the procedures for HIPAA investigations. At the time, HHS lacked the resources to investigate violations, and many breaches of PHI went unpunished.

This situation was addressed with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act on February 17th 2009. HITECH signaled the start of the Meaningful Use incentive program, but it also laid the foundations for the Breach Notification Rule (below) and several very significant changes to HIPAA that were to surface in the Final Omnibus Rule (also below).

On August 24th 2009, the Breach Notification Rule took effect. This Rule laid down the conditions under which a breach of unprotected PHI had to be reported to HHS and the efforts a Covered Entity or Business Associate should make in order to notify individuals affected by the breach. The definition of a reportable breach was also amended, and any unauthorized disclosure of PHI is now presumed to have caused significant harm unless it can be proven otherwise by the Covered Entity or Business Associate.

The Final Omnibus Rule was released on January 17th 2013. This Rule made few changes to the Privacy Rule other than to account for the Genetic Information Nondiscrimination Act, but – significantly – it expanded the requirements of the Security Rule and Breach Notification Rule to Business Associates. Now, Business Associates and any subcontractors with whom PHI is shared have the same responsibility as Covered Entities to protect it from unauthorized use or disclosure.

The Importance of HIPAA History

The importance of HIPAA history lies in understanding why, at the time, certain regulations were enacted. For example, when the final Security Rule was published in February 2003, it preceded the first iPhone by more than four years; and, when HIPAA was last updated by the Final Omnibus Rule in 2013, the first Fitbit wearable was still months away from market. Undoubtedly there will be further chapters added to HIPAA history, and the regulations currently in force will likely shape the regulations of the future.