The Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996, when President Bill Clinton added his signature to the bill.
Initially, the purpose of HIPAA was to improve the portability and continuity of health insurance coverage, especially for employees who were between jobs. HIPAA also standardized the amounts that could be saved in pre-tax medical savings accounts, prohibited the tax deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud.
Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before the HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services' Office for Civil Rights to impose financial penalties for noncompliance with the HIPAA Rules, was not passed until February 16, 2006, a decade after HIPAA was first introduced.
There have been several important dates in the two decades since HIPAA was originally passed, notably the introduction of the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule.
The HIPAA Privacy Rule introduced many provisions to better protect the privacy of patients. The Security Rule was primarily concerned with the security of electronic protected health information (ePHI). The Breach Notification Rule ensures that all breaches of protected health information are reported, while the Omnibus Rule introduced a broad range of changes, including new requirements introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Four key updates to HIPAA legislation are detailed below.
The Privacy Rule of HIPAA Enacted
The Privacy Rule of HIPAA was enacted on December 28, 2000. The official name of the update to HIPAA is the "Standards for Privacy of Individually Identifiable Health Information." The HIPAA Privacy Rule compliance date was April 14, 2003.
The HIPAA Privacy Rule details the uses and disclosures of protected health information that are allowed without first obtaining consent from patients. The HIPAA Privacy Rule also gives patients the right to obtain copies of their health data from HIPAA-covered entities.
The Security Rule of HIPAA Enacted
The Security Rule of HIPAA was enacted on April 21, 2003, although the effective date was not until April 21, 2005. While the HIPAA Privacy Rule is concerned with all forms of protected health information, the HIPAA Security Rule is primarily concerned with the creation, use, storage, and transmission of electronic PHI. The HIPAA Security Rule requires administrative, physical, and technical safeguards to be introduced to keep ePHI secure. The Security Rule also introduced requirements for handling PHI that is no longer required.
The Breach Notification Rule of HIPAA Enacted
The HIPAA Breach Notification Rule came from the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed on February 17, 2009. The HIPAA Breach Notification Rule took effect on August 24, 2009.
The Breach Notification Rule requires HIPAA-covered entities to notify the Secretary of the Department of Health and Human Services of breaches of protected health information within 60 days of the discovery of a breach if the breach involved 500 or more records. Smaller breaches must still be reported, no later than 60 days after the end of the calendar year in which the breach was discovered. The Breach Notification Rule also requires notifications of a breach to be sent to affected patients within 60 days of the discovery of the breach.
The Omnibus Rule of HIPAA Enacted
The HIPAA Omnibus Final Rule was issued on January 17, 2013. The HIPAA Omnibus Rule introduced several changes to the HIPAA Privacy, Security, and Breach Notification Rules.
One of the most important changes affected HIPAA business associates – individuals or entities that are contracted to HIPAA-covered entities to provide services that require access to PHI.
Since the passing of the HIPAA Omnibus Rule, business associates of HIPAA-covered entities, and their subcontractors, must implement safeguards to protect ePHI as required by the HIPAA Security Rule. Since the introduction of the Omnibus Rule, business associates of HIPAA-covered entities can also be fined directly for HIPAA violations.
Another important update was the clarification of "significant harm." Prior to the introduction of the Omnibus Rule, many covered entities failed to report breaches because they had determined that no significant harm had been caused to patients as a result of the breach. After the Omnibus Rule, covered entities must be able to prove that there was no significant harm if they decide not to report a breach.
Infographic Summary of Milestones in the History of HIPAA
In addition to the above major changes to HIPAA legislation, there have been numerous milestones in the history of HIPAA, which are summarized in the infographic accompanying this article. The infographic details legislative changes, clarifications of the HIPAA Rules, major enforcement actions, and HIPAA audits.