HIPAA was signed into law by President Bill Clinton on August 21, 1996, but there have been some major updates to the legislation over the past two decades. The HIPAA Privacy Rule was enacted on December 20, 2000, the HIPAA Security Rule was enacted on February 20, 2003, and the HIPAA Omnibus Rule was enacted on January 17, 2013, all of which introduced a swathe of new requirements for HIPAA-covered entities and their business associates.
HIPAA was enacted to improve efficiency in healthcare, simplify the administration of healthcare, reduce the potential for fraud, combat wastage, and improve protections to keep health information private and confidential. HIPAA also ensured that if employees lost their job or changed employment, health insurance coverage would be maintained while they were between jobs. This is the ‘portability’ aspect of the Health Insurance Portability and Accountability Act.
HIPAA is essentially a set of standards for the healthcare industry. One of the most important elements of HIPAA was to make healthcare organizations adopt standard code sets for transactions. This greatly simplified processes for transmitting health information electronically and allowed information to be easily exchanged without human involvement. This has helped to improve efficiency, reduce the administrative burden on providers, and has allowed healthcare organizations to make significant cost savings. The HIPAA transactions and code set standards took effect in October 2002.
HIPAA is best known for introducing standards to protect the privacy of patients. The HIPAA Privacy Rule was first proposed in 1999, three years after HIPAA was enacted. While the Privacy Rule was signed into law in 2000, HIPAA-covered entities had until April 14, 2003 to comply with the provisions of the HIPAA Privacy Rule. The Privacy Rule provided a definition of protected health information (PHI), placed restrictions on the allowable uses and disclosures of that information, and gave patients the right to obtain a copy of their health data.
The HIPAA Security Rule was initially proposed on August 12, 1998, and so predates the HIPAA Privacy Rule, although it was not signed into law until February 2003. HIPAA-covered entities were given until April 21, 2006 to comply with all provisions of the HIPAA Security Rule. The main aim of the Security Rule was to set standards for data security. The Security Rule requires HIPAA-covered entities to identify and manage security risks and implement a range of safeguards to ensure the confidentiality, integrity, and availability of PHI.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009. The HITECH Act mandated the creation of the HIPAA Breach Notification Rule, a requirement to issue notifications within 60 days of a breach of PHI. Further HITECH Act requirements were incorporated into HIPAA in the HIPAA Omnibus Rule, which was enacted in January 2013 and had a compliance date of September 23, 2013.
HIPAA was deliberately written in a way that made it technology-agnostic. Updates are therefore not required every time there is an advance in technology; however, times change and some of the provisions in HIPAA are now deemed to be redundant. Changes to the HIPAA Rules are now being considered to remove certain elements that are proving burdensome and no longer serve such an important purpose.