Introduction to HIPAA
The Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 and has since been known as one of the most influential healthcare laws in the United States. HIPAA has been amended numerous times throughout the past 23 years, with each amendment slowly expanding it into the law that is recognizable to us today.
Timeline of Passage
The law was passed during Bill Clinton’s presidency, on August 21, 1996, with the main goals of helping more Americans get health insurance coverage and guaranteeing that employees would not lose their health insurance coverage while they were changing jobs. The passing of HIPAA is also referred to as the beginning of the modernization of the flow of information within the healthcare industry. The act assigned the Secretary of Health and Human Services (HSS) to set regulation standards for the privacy of important health information which laid the groundwork for the Security Rule and the Privacy Rule.
The History of the Security Rule
Just 2 years after HIPAA was signed into law, HHS proposed the Security Rule. The purpose of this amendment was to improve the protection of a person’s health related information that is shared between healthcare providers, health plans and other organizations. Although this rule was proposed in 1998, it was not until 5 years later that it was finalized at which point it gave organizations time to become compliant.
The Privacy Rule and PHI
Another important milestone in the history of HIPAA, was the proposal and then finalization of the Privacy Rule. This rule, which was first proposed in 1999, revolves around privacy standards related to the safeguard for protected health information (PHI).
Protected health information (PHI), which was defined by the privacy rule, is any information within a person’s medical record that can identify them and is held by a covered entity. Under HIPAA and the Privacy Rule, there are 18 specific identifiers that must be handled with certain safeguards.
Here are the 18 types of information that are considered protected health information (PHI) under HIPAA:
- Address (Including any information more localized than state)
- Any dates (except years) related to the individual, including birthdays, date of death, date of admission/discharge, etc.
- Telephone Number
- Fax Number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, license plate numbers
- Device identifiers/serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voiceprints
- Full-face photos
- Any other unique identifying numbers, characteristics or codes
The Privacy Rule also looked to give patients easier access to their own personal health data. After its proposal in 1999, the Privacy Rule was finalized on December 28, 2000 in the last few weeks of President Clinton’s second term. The very next day, HHS made a few revisions, most importantly requiring The Office for Civil Rights, which is an agency within Health and Human Services, to be the group that will enforce HIPAA.
As a last step in the rulemaking process, Health and Human Services sought for public input on what adjustments needed to be made to the Privacy Rule. Following consideration of the comments that were made, the HHS announced a Proposed Modified Privacy Rule in 2002. The finalized Privacy Rule, which was passed in 2003, was adjusted to improve its usefulness and prevent unexpected consequences.
The HIPAA Enforcement Rule
In early 2005, The HIPAA Enforcement Rule was introduced after many covered entities were not fully complying with Privacy and Security Rules. This rule allows Health and Human Services (HHS) to investigate complaints that have been made about covered entities that are not complying with HIPAA. This rule also gave HHS the power to fine these entities for breaches of Electronic Protected Health Information (ePHI) that were avoidable if they had followed the safeguards required under the Security Rule.
Also under the Enforcement Rule, the Office of Civil Rights (OCR) was empowered to enforce financial penalties against those entities that remained non-compliant. If an individual’s personal healthcare information has been shared without their permission and it brings them “serious harm” then that individual can file civil legal action against the entity at fault.
The “HITECH” Act
Just after his presidency began, President Obama passed the Health Information Technology for Economic and Clinical Health Act, or the HITECH Act. HITECH had the purpose of encouraging healthcare providers to begin the usage of Electronic Health Records (EHRs).
Later in 2009, the HITECH Act Enforcement Rule was issued which created a system of financial penalties for violation of HIPAA with much higher potential fines that dramatically increased the cost of HIPAA noncompliance.
The Breach Notification Rule
In September of 2009, this simple rule was passed which mandates that any breach of ePHI by a covered entity that affects 500+ individuals be reported to OCR and notice must be sent to any individuals that could be affected by the breach.
The HIPAA Omnibus Rule
The HIPAA Omnibus Rule, which was finalized in 2012 and became effective in 2013, contained edits and updates to all of the rules we had mentioned. The modifications to the Security, Privacy, Breach Notification and Enforcement Rules were intended to enhance confidentiality and security in data sharing. The biggest changes under the Omnibus Rule were that it became mandatory for business associates to be compliant with the Privacy Rule and the Security Rules and that these associates were liable directly for any HIPAA violations.
Summary of Key Dates in HIPAA History
- August 21, 1996: President Clinton signs HIPAA into law
- April 2003: HIPAA Privacy Rule becomes effective
- April 2005: HIPAA Security Rule goes into effect
- March 2006: HIPAA Enforcement Rule Effective Date
- February 2009: HITECH Act Signed into Law by President Obama
- September 2009: Breach Notification Rule becomes effective
- March 2013: Final Omnibus Rule Effective Date