It has been 26 years since it was enacted, but is HIPAA still in effect? Yes, it is, but it is now quite different from its original form. Numerous additions over the decades have strengthened parts of the legislation, ultimately providing greater protections to patients and their data.
HIPAA (short for the Health Insurance Portability and Accountability Act) was signed into law in 1996. One of its primary aims was to reform the health insurance industry, and whilst much of the act does focus on this reform, it is now best known as an Act that relates to protecting the privacy of patient data.
The HIPAA Rules that lay out the requirements for safeguarding patient data were added after HIPAA originally came into effect. The HIPAA Privacy Rule was the first such rule, enacted in 2022. This required that all Protected Health Information (PHI; essentially, information that contained one of 18 identifiers that could be used to trace the identity of the patient) was protected. The minimum technical, administrative, and physical safeguards required to protect the information were established by the HIPAA Security Rule in 2009. Other rules include the Enforcement Rule and the Breach Notification Rule. All of these HIPAA Rules are stall in effect.
As HIPAA is still in effect, all HIPAA covered entities (CE) must be HIPAA compliant. Generally, a CE would be a health plan, healthcare clearinghouse, or healthcare provider, though there are some exceptions. Any third party that enters a Business Associate Agreement with the CE must also be HIPAA compliant.
However, there are some situations where HIPAA is not in effect in what would be considered the “usual” way. This includes if there is a public health emergency, or if data is being used for public health research. Additionally, if the PHI has been anonymized (i.e. the identifiers have been removed), it is not considered to be PHI under HIPAA and HIPAA is not in effect.
Even with proposed changes to Federal privacy laws, HIPAA is still in effect. The new ADPPA will complement HIPAA, but not render it obsolete. There may be new changes to HIPAA in the coming year: in 2020, the OCR proposed new HIPAA regulations (such as allowing patients to take photos of PHI, or defining “electronic health records”).