What is HIPAA?


HIPAA is a federal law that had the objective of reforming the health insurance industry. Due to concerns that the cost of the reforms would be passed onto employers and plan members – and that this would impact federal tax revenues – Congress added further Titles to the Act to neutralize the cost of the reforms. The Administrative Simplification provisions of Title II led to the publication of the HIPAA Privacy and Security Rules.

When the Health Insurance Portability and Accountability Act was passed by Congress in 1996, the establishment of federal standards for safeguarding Protected Health Information (PHI) was not one of the primary objectives. Indeed, the long title of the Act doesn't even mention patient privacy or data security:

“An Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”

So how did HIPAA evolve from being a vehicle for improving the portability and continuity of health insurance coverage into one of the most comprehensive and detailed federal privacy laws? The answer can be found deep in the Administrative Simplification provisions of HIPAA Title II.

What is HIPAA Title II?

HIPAA consisted of five Titles addressing the primary objectives of the Act:

  • Title I: Health care access, portability, and renewability.
  • Title II: Preventing health care fraud and abuse; administrative simplification; medical liability reform.
  • Title III: Tax-related health provisions governing medical savings accounts.
  • Title IV: Application and enforcement of group health plan requirements.
  • Title V: Revenue offsets governing tax deductions for employers.

Most of HIPAA Title II concerns measures to control health plan fraud and abuse (rather than health care fraud and abuse), the allocation of funds to pay for those measures, and sanctions against individuals or organizations that defraud or abuse a health plan or program. The provisions related to administrative simplification are discussed below, while the provisions for medical liability reform (of which there are few) relate only to whistleblower protection for reporting fraud and abuse.

With regard to the Administrative Simplification provisions, the preamble states that their purpose is to improve the Medicare and Medicaid programs, and the efficiency of the health care system, via “the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”. The responsibility for accomplishing this purpose is delegated to the Secretary of Health & Human Services (HHS).

The preamble could give the impression that the Administrative Simplification provisions of HIPAA Title II will improve accessibility to and affordability of the Medicare and Medicaid programs, or that the development of a health information system would streamline the provision of healthcare between providers. However, when you read the Administrative Simplification provisions, their primary purpose is to reduce the administrative costs of providing and paying for health care.

The Administrative Simplification provisions were important in the context of improving the portability and continuity of health insurance coverage because it was necessary to improve portability and continuity without increasing administration costs. Any increase in administration costs would have been passed on by covered health plans as increased costs to healthcare providers and as increased premiums for insurance coverage – something Congress was keen to avoid.

The final Administrative Simplification provision is possibly the most important of all – requiring the Secretary of Health & Human Services to develop “recommendations on standards with respect to the privacy of individually identifiable health information”. If Congress did not enact federal privacy legislation within three years, the Secretary was to issue the recommendations as a Final Rule. Ultimately, this short passage of HIPAA Title II was to become the HIPAA Privacy Rule.

The Regulatory Landscape when HIPAA was Passed

So far, we've answered the question of what HIPAA is by providing an overview of the Act, identifying which provisions within the Act triggered the Privacy and Security Rules, and specifying who was delegated responsibility for developing the Rules. To best explain what happened next, it is important to understand the regulatory landscape at the time and the patchwork of legislation that influenced the development of the Privacy and Security Rules.

Prior to the passage of HIPAA, only ten states granted individuals privacy rights in their constitutions, while the privacy of individuals with specific conditions was protected by certain federal laws. For example, the Veterans Omnibus Health Care Act 1976 protects the privacy of medical records held by the Dept. of Veterans Affairs relating to drug abuse, alcohol abuse, and AIDS. In addition, consumers of federal programs such as Medicare and Medicaid also have privacy rights under the Privacy Act 1974 – but only for records maintained by the Centers for Medicare & Medicaid Services (CMS).

The patchwork of legislation often failed to prevent unauthorized disclosures of personal health or payment information. Furthermore, unless a patient's data was protected by an existing state or federal law, data could be freely exchanged between (for example) health plans and finance agencies – which could affect the patient's ability to apply for a home mortgage. Similarly, a health plan could find out about a patient's condition or treatment through non-regulated channels and increase the patient's premiums or deductible – even if the patient had paid for treatment privately.

In addition to accommodating existing state and federal laws, the Secretary of Health & Human Services was given guidelines to work within. In respect of reducing the administrative costs of providing and paying for health care, HHS had to develop standards for the electronic exchange, privacy, and security of health information in financial and administrative transactions, while the recommendations on standards with respect to the privacy of individually identifiable health information had to cover:

  • The rights that an individual who is a subject of individually identifiable health information should have.
  • The procedures that should be established for exercising such rights.
  • The uses and disclosures of such information that should be authorized or required.

Because the standards relating to the privacy of individually identifiable information were subject to a three-year delay, the Notice of Proposed Rulemaking for the Security Rule was the first to be issued, in 1998. The Notice of Proposed Rulemaking for the Privacy Rule was issued in 1999; but after several years of revisions prompted by stakeholder comments, public hearings, and other issues, the Privacy Rule was not published until 2002, and the Security Rule not until the following year.

Rules Extend Privacy Rights and Data Security Nationwide

The Privacy and Security Rules introduced minimum privacy, technical, physical, and administrative requirements that apply to all “Covered Entities” nationwide, unless state laws, alternative federal legislation, or professional regulations have more stringent requirements. Otherwise, HIPAA preempts all other federal, state, and professional regulations. The safeguards also apply to Business Associates who provide services for Covered Entities, and to contractors who provide services for Business Associates.

An Enforcement Rule was introduced in 2006 to tackle noncompliance with HIPAA; and, in 2009, HHS' Office for Civil Rights issued its first financial penalty for a violation of HIPAA – CVS Pharmacy Inc. being ordered to pay $2.25 million for the improper disposal of patient health records. Multiple penalties have since been issued – not only by the Office for Civil Rights, but also by State Attorneys General. The DoJ has also secured several criminal convictions for violations of HIPAA.

Further Rules have reinforced the importance of HIPAA compliance. The Breach Notification Rule in 2009 made it a requirement for Covered Entities and Business Associates to report data breaches to affected individuals, the Office for Civil Rights (OCR), and – in some cases – the media. The Rule also shifted the burden of proof. Previously, OCR would have to establish that a breach had occurred. Now, organizations have to prove that an unauthorized disclosure of unsecured PHI does not constitute a breach.

In 2013, the Omnibus Final Rule enacted provisions of the HITECH Act which made changes to the Security Rule to improve data security and further restrict access to ePHI. The Omnibus Final Rule also enhanced HHS' powers to enforce HIPAA, updated the Breach Notification Rule, and made Business Associates directly liable for data breaches and HIPAA violations. Changes to the Privacy and Security Rules are currently under consideration that may affect the answer to the question “What is HIPAA?” in the future.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]