HIPAA was enacted on August 21, 1996, when the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, was signed into law in the United States.
The 1996 law included multiple titles that addressed health insurance portability, tax-related provisions, fraud and abuse, and administrative simplification for health care transactions. The provisions that drive most healthcare privacy and security compliance activity are the Administrative Simplification requirements, which directed the U.S. Department of Health and Human Services to adopt national standards for the electronic exchange of health information and to establish privacy and security protections.
The HIPAA Privacy Rule and the HIPAA Security Rule were implemented through federal regulations issued after enactment. The HIPAA Privacy Rule set national standards for the use and disclosure of protected health information and established individual rights over protected health information. The HIPAA Security Rule set standards for protecting electronic protected health information through administrative, physical, and technical safeguards.
HIPAA compliance obligations apply to HIPAA Covered Entities and, through the business associate framework, to Business Associates that create, receive, maintain, or transmit protected health information on behalf of a covered entity. HIPAA enforcement and breach notification requirements were also implemented and expanded through subsequent rulemaking and statutory amendments, including the Health Information Technology for Economic and Clinical Health Act.
Enactment refers to when the statute became law. Effective dates and compliance deadlines for specific HIPAA regulations occurred later and vary by rule, which affects when regulated entities were required to implement specific privacy, security, and breach notification controls.