Why Was HIPAA Created?

HIPAA was created to help individuals with health problems obtain health insurance and to make it easier for employees who change jobs or lose their jobs to maintain adequate coverage. The Act also enabled group purchasing by small businesses to increase their purchasing power in the health insurance market.

The Background to HIPAA

When Bill Clinton won the presidential election in 1992, one of the reasons for his success was a campaign promise to reform the healthcare system. Within a year the Clinton administration delivered an ambitious plan in the form of the Health Security Act; but, due to opposition from stakeholders in the healthcare industry, the Act never progressed beyond a second reading.

One of the less contentious proposals in the Clinton plan was to reform the health insurance industry. At the time, it was estimated that 81 million Americans suffered a preexisting medical condition that either excluded them or made it harder for them to obtain health coverage. Up to 43 million more experienced gaps in coverage each year when they changed or lost their jobs.

It was also the case that small employers – who were considered economically fragile in the Clinton plan – paid more for employee health coverage than large employers, yet state regulations prohibited many of them from grouping together to increase their purchasing power. Small employers could also not count on coverage being continued at the same price; or, in some cases, at any price.

The Health Insurance Reform Act of 1995

The provisions of the Health Security Act designed to reform the health insurance industry were adopted by Senators Edward Kennedy and Nancy Kassebaum and introduced into the Senate under the title of the Health Insurance Reform Act of 1995 (S.1028). In addition to addressing the issues of preexisting conditions, coverage gaps, and the purchasing power of small employers, the Act also:

  • Guaranteed the renewability of insurance coverage as long as premiums were paid.
  • Enabled individuals leaving employer coverage to maintain coverage as an individual.
  • Guaranteed the availability of insurance coverage to employers with two or more employees.
  • Allowed disabled employees to extend their coverage until they became eligible for Medicare.
  • Preempted state regulations that prevented or restricted any of the above provisions.

The cost analysis of the proposed legislation suggested there would be minimal impact on employers, employees, or the federal government as 38 states had already enacted legislation containing some or all of the federal proposals. However, concerns existed that insurance carriers would pass on the cost of complying with the Act to employers in the form of higher premiums.

How HIPAA Was Created

As the final touches were being put on the Health Insurance Reform Act, a companion bill – the Health Coverage Availability and Affordability Act (HR.3103) – was introduced into the House by Representative Bill Archer. The bill was not as comprehensive in its health insurance reforms as the Kennedy-Kassebaum Act, but it included provisions to neutralize the cost of compliance by reducing healthcare insurance fraud and making the administration of healthcare transactions more efficient.

The Senate decided to adopt the House bill, replace its health insurance reforms with those of the Kennedy-Kassebaum Act and rename the legislation as the Health Insurance Portability and Accountability Act (HIPAA). The health insurance reforms of the Kennedy-Kassebaum Act became known as Title I of HIPAA, while the provisions to neutralize the cost of compliance in the Health Coverage Availability and Affordability Act became known as Title II of HIPAA.

As HIPAA progressed through Congress, further Titles were added and some concessions were made to ensure bipartisan support; and, on August 21, 1996, President Clinton signed HIPAA into law. However, it was still some years before the Rules that most people associate with HIPAA (i.e., the HIPAA Privacy Rule and the HIPAA Security Rule) were published – and even longer before they were effectively enforced.

How “Healthcare HIPAA” Evolved

Several resources attempting to explain why HIPAA was created start at this point in the history of HIPAA – leaving a contextual gap in their explanations between the passage of HIPAA in 1996 and the publication of the first HIPAA Rules in 2000. To put the gap into context, the administrative simplification provisions of HIPAA instructed the Secretary of Health and Human Services (HHS) to do three things:

  • Adopt standards for the electronic exchange of health information in transactions such as eligibility checks, encounter reports, and claims for payment.
  • Adopt security standards for health information transmitted electronically in covered transactions or maintained electronically by covered entities.
  • Make recommendations for standards with respect to the privacy of individually identifiable health information that included patients’ rights.

The challenge in complying with the first request was that different healthcare providers and different insurance carriers used different transaction codes for the same services, diagnoses, treatments, prescription drugs, and medical supplies. HHS had to standardize the transaction codes for each data element in such a way that covered entities could apply them with minimal costs. The process took more than four years, and the first transaction Rule was published in December 2000.

Developing security standards for health information was even more complicated due to the speed at which technology was evolving (the dot-com bubble was just reaching its peak) and the prospect of future technologies (AWS did not launch until 2002, and the first iPhone was announced in 2007). Consequently, although the Notice of Proposed Rule Making for the Security Rule was published in August 1998, it was not until February 2003 that the Final Security Rule was published.

The evolution of the Privacy Rule has a different storyline. When Congress instructed HHS to make recommendations for privacy standards, the standards were only to be promulgated into a Rule if Congress did not pass federal privacy legislation within three years – the reason being there were still bills under consideration that, like HIPAA, addressed provisions of the Health Security Act. HHS made its recommendations; and, when the deadline passed, published v1 of the Privacy Rule in 2000.

However, v1 of the Privacy Rule was difficult for many covered entities to comply with. In February 2021, HHS acknowledged many covered entities were confused by the regulations and how they operated, while others had raised concerns over the complexity and workability of the Privacy Rule. The period for stakeholder comments was extended in order to resolve the issues, and v2 of the Privacy Rule was published in August 2002 with a compliance date of April 2003.

Enforcing Healthcare HIPAA Took Even Longer

Following the publication of the Privacy and Security Rules, HHS stated in 2003 that the best way to protect health information was voluntary HIPAA compliance. However, by 2005, the agency was receiving more than 500 complaints per month about HIPAA violations; and, in 2006, HHS published the HIPAA Enforcement Rule.

The Enforcement Rule gave HHS’ Office for Civil Rights (OCR) the authority to impose civil monetary penalties of $100 per violation attributable to willful neglect, up to a maximum of $25,000 per year per violation type. However, this authority was rarely exercised. In 2008 and 2009, OCR issued one financial penalty each year; and, in 2010 and 2011, only three penalties per year were issued.

The HITECH Act in 2009 introduced the breach notification rule and a new four-tier penalty structure for HIPAA violations, and made business associates directly liable for HIPAA violations. When these measures were adopted in the 2013 HIPAA Omnibus Final Rule, the number of enforcement actions increased dramatically. The number of fines issued by OCR increased four-fold over the next four years, and has doubled again since.

Why Was HIPAA Created? Conclusion

Although HIPAA led to the development of standards to protect the privacy and security of individually identifiable health information, this was not the primary reason why HIPAA was created. HIPAA was created to reform the health insurance industry following the failure of Congress to support President Clinton’s Health Security Act.

Nonetheless, provided those whom HIPAA was intended to protect are protected – individuals with health problems, employees between jobs, and small businesses – it does not matter why HIPAA was created, only that it worked. The protection of individually identifiable health information can be seen as a bonus, but it is only a byproduct of why HIPAA was created.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA