History of HIPAA

by

Why was HIPAA created?

HIPAA’s Origins

In August 1996, when the Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law, the first of its kind created. Those who created HIPAA claimed that it was made to “improve the portability and accountability of health insurance coverage” for employees between jobs. Combatting waste, fraud and abuse in health insurance and healthcare delivery were further aims of the legislators. It was hoped that it would promote the use of medical savings accounts by introducing tax breaks, provides coverage for employees with pre-existing medical conditions and simplifies the administration of health insurance.

The procedures for simplifying the administration of health insurance incentivised the healthcare industry to computerize patients´ medical records. The Health Information Technology for Economic and Clinical Health Act (HITECH) was eventually created in 2009, which in turn lead to the introduction of the Meaningful Use incentive program. This program was later described by leaders in the healthcare industry as “the most important piece of healthcare legislation to be passed in the last 20 to 30 years”.

The HIPAA Privacy and Security Rules Take Shape

The US Department of Health and Human Services quickly set about creating the first HIPAA Privacy and Security Rules once the HIPAA laws were created. The Privacy Rule had an effective compliance date of April 14, 2003. One major outcome of this rule was its definition of Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.

Instructions were issued on the appropriate manners of disclosing PHI, and explicitly stated that permission should be sought from patients before using their personal information for marketing, fundraising or research. Interestingly, it also gave patients the right to withhold information about their healthcare from health insurance providers when their treatment is privately funded.

The HIPAA Security Rule came into force two years after the original legislation on April 21, 2005. It was designed to deal with new issues regarding electronically stored PHI (ePHI). The Security Rule laid down three security safeguards – administrative, physical and technical – that must be adhered to in full to comply with HIPAA.

The safeguards had the following goals:

  • Administrative – to create policies and procedures designed to clearly show how the entity will comply with the act.
  • Physical – to control physical access to areas of data storage to protect against inappropriate access
  • Technical – to protect communications containing PHI when transmitted electronically over open networks

When was HIPAA enacted?

In the twenty years since being signed into law, many additions have been made to HIPAA to increase its effectiveness. The introduction of the Privacy Rule, Security Rule, Breach Notification Rule, and the Omnibus Final Rule are some of the many examples of rules being created to serve specific purposes not covered by the initial Act.

A brief history of HIPAA additions is as follows: April 14, 2003 for the HIPAA Privacy Rule, although there was an extension of one year for small health plans, that were required to comply with the HIPAA Privacy Rule provisions by April 14, 2004.

The effective compliance date for the HIPAA Security Rule was April 21, 2005. As was the case with the HIPAA Privacy Rule, small health plans were given an additional year to comply with the provisions of the HIPAA Security Rule and had an effective compliance date of April 21, 2006. The HIPAA Breach Notification Rule became effective on September 23, 2009 and the Omnibus Final Rule became effective on March 26, 2013.

The Introduction of the Enforcement Rule

In March 2006, the Enforcement Rule was enacted to deal with the issues arising from the failure of many covered entities (CEs) to fully comply with the HIPAA Privacy and Security Rules. The Enforcement Rule gave the Department of Health and Human Services the power to investigate complaints against covered entities for failing to comply with the Privacy Rule. It further gave them the power fine CEs for avoidable breaches of ePHI due to not following the safeguards laid down in by the Security Rule.

The Department´s Office for Civil Rights was also given the power to bring criminal charges against persistent offenders who fail to introduce corrective measures within 30 days of an offence being highlighted. Individuals also have the right to pursue civil legal action against the CE if their personal healthcare information has been disclosed without their permission if it causes them to come to “serious harm”.

HITECH 2009 and the Breach Notification Rule

The Health Information Technology for Economic and Clinical Health Act (HITECH) was introduced in 2009 with the aim of compelling healthcare authorities to implement the use of Electronic Health Records (EHRs) and introduced the Meaningful Use incentive program. Stage one of Meaningful Use was rolled out a year later to begin incentivizing healthcare organizations to maintain the Protected Health Information of patients in electronic format, and cease storing data on paper files.

With the incentive program also came an extension of HIPAA Rules to Business Associates and third-party suppliers to the healthcare industry, and the introduction of the Breach Notification Rule. This new rule outlined how CEs must handle breaches of ePHI affecting more than 500 individuals. It states that the breaches must be reported to the Department of Health and Human Services’ Office for Civil Rights within a certain amount of time of the incident occurring. The criteria for reporting breaches of ePHI were subsequently extended in the Final Omnibus Rule of March 2013.

The Final Omnibus Rule of 2013

The most recent act of legislation in HIPAA history was the Final Omnibus Rule of 2013. The rule was not created with the intent of introducing new legislation, but to clear up any ambiguity in existing HIPAA and HITECH regulations. The specification of encryption standards that need to be applied to render ePHI unusable, undecipherable and unreadable in the event of a breach is one example of the many topics it covered.

The rule included several definitions to improve the clarity of the language used in the Act. For example, the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.

The Privacy and Security Rules were also amended to allow patient´s health information to be held indefinitely, up from fifty years as had previously been stated. The Breach Notification Rule saw new procedures introduced. New penalties were also applied – as dictated by HITECH – to covered entities that fell afoul of the HIPAA Enforcement Rule.

Amendments were also included to account for changing work practices brought about by technological advances, focussing on the use of mobile. A significant number of healthcare professionals (up to 80%) are now using their own mobile devices to access and communicate ePHI. The Final Omnibus Rule included new administrative procedures and policies to account this statistic. It was further tasked with covering scenarios which could not have been foreseen in 1996 related to other technological advances.

After multiple delays, the deadline for the United States to use Clinical Modification ICD-10-CM for diagnosis coding and Procedure Coding System ICD-10-PCA for inpatient hospital procedure coding was finally set at October 1, 2015. All HIPAA covered entities must use ICD-10-CM. Another requirement is these of EDI Version 5010.

The Final Omnibus Rule

The Final Omnibus Rule’s most important legacy was increasing CE’s awareness of HIPAA safeguards. It spurred many healthcare organizations who had been violating HIPAA –whether deliberately or by accident- to implement several measures to comply with the regulations. Many CEs introduced policies for their employees regarding the use of data encryption on portable devices and computer networks, and implemented secure messaging solutions for internal communications with care teams. They also installed web filters and taking more care to archive emails securely.

The financial penalties now being issued for data breaches along with the colossal costs of issuing breach notifications, providing credit monitoring services and conducting damage mitigation makes investment in new technology to protect data appear cheap by comparison.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]