The History of HIPAA
What is HIPAA Regulation?
To understand where HIPAA is moving, you'll first need to understand why it began and how it expanded. If you're interested in learning a (brief) history of HIPAA. The regulations are very complex with far-reaching consequences, but the act can also be very confusing because it does not provide clear standards for how to achieve comply with the law
What does HIPAA Stand for?
The Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 and has since grown the most well known healthcare laws in the United States. HIPAA was signed into law in 1996 with the original intention of helping more Americans gain health insurance coverage and ensuring that employees would not lose their health insurance if they changed jobs.
While its initial function primarily focused on regulating the health insurance industry, the act also allowed the Department of Health and Human Services (HHS) to set standards for the safeguarding of identifiable health information by legitimizing and protecting an individual's rights to their healthcare information as well as seeking to increase the efficiency and effectiveness of the healthcare industry as a whole. The scope of the law was later defined and expanded via the passage Privacy Rule, Security Rule, HITECH Act, and other expansions of the original HIPAA law.
Related: What is the GDPR?
Timeline of Passage
The law was passed during Bill Clinton’s presidency, on August 21, 1996, with the main goals of helping more Americans get health insurance coverage and guaranteeing that employees would not lose their health insurance coverage while they were changing jobs. The passing of HIPAA is also referred to as the beginning of the modernization of the flow of information within the healthcare industry. The act assigned the Secretary of Health and Human Services (HSS) to set regulation standards for the privacy of important health information which laid the groundwork for the Security Rule and the Privacy Rule.
The Privacy Rule and PHI
Another important milestone in the history of HIPAA, was the proposal and then finalization of the Privacy Rule. This rule, which was first proposed in 1999, revolves around privacy standards related to the safeguard for protected health information (PHI).
Protected health information (PHI), as defined by the privacy rule, is any information within a person’s medical record that can identify them and is held by a covered entity. Under HIPAA and the Privacy Rule, there are 18 specific identifiers that must be handled with certain safeguards.
Here are the 18 types of information that are considered protected health information (PHI) under HIPAA:
- Address (Including any information more localized than state)
- Any dates (except years) related to the individual, including birthdays, date of death, date of admission/discharge, etc.
- Telephone Number
- Fax Number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, license plate numbers
- Device identifiers/serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voiceprints
- Full-face photos
- Any other unique identifying numbers, characteristics or codes
Some of this information is notably broad. Something as simple as a full-face photo or fingerprint could require your company to maintain HIPAA compliance.
The Privacy Rule also looked to give patients easier access to their own personal health data. After its proposal in 1999, the Privacy Rule was finalized on December 28, 2000 in the last few weeks of President Clinton’s second term. The very next day, HHS made a few revisions, most importantly requiring The Office for Civil Rights, which is an agency within Health and Human Services, to be the group that will enforce HIPAA.
As a last step in the legislative process, Health and Human Services sought for public input on what adjustments needed to be made to the Privacy Rule. Following consideration of the comments that were made, the HHS announced a Proposed Modified Privacy Rule in 2002. The finalized Privacy Rule, which was passed in 2003, was adjusted to improve its usefulness and prevent unexpected consequences.
HIPAA-History of the Security Rule
Just 2 years after HIPAA was signed into law, HHS proposed the Security Rule. The purpose of this amendment was to improve the protection of a person’s health related information that is shared between healthcare providers, health plans and other organizations. Although this rule was proposed in 1998, it was not until 5 years later that it was finalized at which point it gave organizations time to become compliant.
The History Behind the HIPAA Enforcement Rule
In early 2005, The HIPAA Enforcement Rule was introduced after many covered entities were not fully complying with Privacy and Security Rules. This rule allows Health and Human Services (HHS) to investigate complaints that have been made about covered entities that are not complying with HIPAA. This rule also gave HHS the power to fine these entities for breaches of Electronic Protected Health Information (ePHI) that were avoidable if they had followed the safeguards required under the Security Rule.
Also under the Enforcement Rule, the Office of Civil Rights (OCR) was empowered to enforce financial penalties against those entities that remained non-compliant. If an individual’s personal healthcare information has been shared without their permission and it brings them “serious harm” then that individual can file civil legal action against the entity at fault.
The “HITECH” Act
Just after his presidency began, President Obama passed the Health Information Technology for Economic and Clinical Health Act, or the HITECH Act. HITECH had the purpose of encouraging healthcare providers to begin the usage of Electronic Health Records (EHRs).
Later in 2009, the HITECH Act Enforcement Rule was issued which created a system of financial penalties for violation of HIPAA with much higher potential fines that dramatically increased the cost of HIPAA noncompliance.
Related: How to Comply with the HITECH Act
The Breach Notification Rule
In September of 2009, The Breach Notification Rule was passed which mandates that any breach of ePHI by a covered entity that affects 500+ individuals be reported to OCR and notice must be sent to any individuals that could be affected by the breach.
The History behind the HIPAA Omnibus Rule
The HIPAA Omnibus Rule, which was finalized in 2012 and became effective in 2013, contained edits and updates to all of the rules we had mentioned. The modifications to the Security, Privacy, Breach Notification and Enforcement Rules were intended to enhance confidentiality and security in data sharing. The biggest changes under the Omnibus Rule were that it became mandatory for business associates to be compliant with the Privacy Rule and the Security Rules and that these associates were liable directly for any HIPAA violations. These business associates would now be required to sign a BAA or Business Associate Agreement which stated the aforementioned requirements of agreeing to maintain HIPAA compliance as a result of handling PHI or ePHI. In a way, the Omnibus Rule served to expound and enforce some of the changes introduced in the Security rules and standards requirements for both Covered Entities and Business Associates with the introduction of the BAA requirement.
Summary of Key Dates in HIPAA History
- August 21, 1996: President Clinton signs HIPAA into law
- April 2003: HIPAA Privacy Rule becomes effective
- April 2005: HIPAA Security Rule goes into effect
- March 2006: HIPAA Enforcement Rule Effective Date
- February 2009: HITECH Act Signed into Law by President Obama
- September 2009: Breach Notification Rule becomes effective
- March 2013: Final Omnibus Rule Effective Date
At face value, it appears not much has happened for about 7 years since the passing of the Omnibus Rule back in 2013, however as recently as December 2020, there have been some proposed updates to HIPAA. These proposed changes are being put in place specifically to both increase the accessible patients have to their PHI as well as decrease the administrative burden on the healthcare system itself. With the recent events of the pandemic , there has been a major increase on the workload of the healthcare industry. Now more than ever it is important to ensure that our PHI is accessible, but by the same token that the infrastructure of our healthcare system is not overburdened by a sea of PHI requests. The proposed changes specifically look to decrease the response time on a healthcare provider fulfilling a PHI request from 30 days to 15 days. In addition to this, others are interested in increasing the patients' accessibility to their PHI specifically to assist in instances where clients may need assistance that requires the involvement of a family member. Another component to this issue is that CE can charge their patients or customers fees associated with the administrative costs of procuring PHI, however these fees are discretionary and currently not regulated. While it is important to ensure our healthcare system is not stressed with both the administrative and financial burden that comes with a decreased processing period for PHI requests.
While HIPAA has been around for years, it is clear to see that it has changed quite a bit since its original interaction in 1996. As technology continues to change the way we do business, it can often seem overwhelming and what might have worked 10 years ago is now completely obsolete. Accountable is committed to being a cutting edge resource on the most current and up to date changes and requirements for our clients. Take the guesswork out of compliance and leave the heavy lifting to us. For more information on how Accountable can help you meet your HIPAA compliance needs feel free to watch our demo or schedule a call with one of our HIPAA Compliance Specialists today!