The HIPAA law many people are familiar with today evolved from proposals to reform the way in which the health insurance industry worked. Following on from Acts such as the Employee Retirement Income Security Act (ERISA) in 1974 and the Consolidated Omnibus Reconciliation Act of 1985 (COBRA), the proposals were intended to increase the transferability of health insurance schemes between employers and to prevent employees with pre-existing conditions from being disqualified from health insurance benefits.

As the Senate's proposed Health Insurance Reform Bill travelled through the House, extra titles were added to promote the use of medical savings accounts and simplify the administration of health insurance. Legislation was also absorbed into the Bill to combat waste, fraud and abuse in health insurance and healthcare delivery, and it was the “Administrative Simplification Provisions” within this legislation that many people consider to be the cornerstone of HIPAA law.

How the Administrative Simplification Provisions Evolved into HIPAA Law

The Administrative Simplification Provisions required the Department of Health & Human Services (HHS) to develop standards governing the permissible uses and disclosures of individually identifiable health information. The publication of the “Standards” (also known as the HIPAA Privacy Rule) was delayed until 2000 while HHS waited to see if Congress enacted separate privacy legislation that would contradict its proposals, and while the provisional standards were made available for public comment.

The HIPAA Privacy Rule was the first of a trio of Rules that evolved from the Administrative Simplification Provisions. In 2003, HHS published the HIPAA Security Rule and – three years later – the HIPAA Enforcement Rule, which set the procedures for investigating reported breaches of Protected Health Information (PHI) and the penalties for violating HIPAA law. The penalties for violating HIPAA applied to all Covered Entities – healthcare providers, health plans and health insurance clearinghouses.

HIPAA Law Evolves Further with HITECH and the Breach Notification Rule

The evolution of HIPAA law did not stop with the publication of the HIPAA Enforcement Rule. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed – an Act intended to make the healthcare system more efficient by encouraging the adoption and meaningful use of health information technology. The Act extended the requirements of HIPAA to include PHI used to carry out treatment when a healthcare provider uses an electronic health record.

The HHS also used HITECH to introduce the HIPAA Breach Notification Rule – a Rule stipulating that unauthorized disclosures of PHI affecting more than 500 individuals must be notified to the HHS' Office for Civil Rights within sixty days of the breach being discovered. The Rule also stipulates that breach notification letters have to be sent to the affected individuals, and that the unauthorized disclosure must be reported to the local media and announced on the Covered Entity's website.

The Reach of HIPAA Law Extended by the Final Omnibus Rule

In 2013, the reach of HIPAA law was extended by the Final Omnibus Rule to include Business Associates – entities that perform services on behalf of Covered Entities that involve the use, storage or disclosure of PHI. Following the publication of the Final Omnibus Rule, Business Associates and subcontractors to whom PHI is disclosed have the same responsibility to protect the confidentiality, integrity and security of PHI as the Covered Entities from which it originated.

A further significant change concerned how “significant harm” is defined. Prior to the Final Omnibus Rule, it was the responsibility of the HHS to prove that significant harm had occurred due to the unauthorized disclosure of PHI before it could commence enforcement action. Under the new definition of the term, the burden is reversed: a Covered Entity that does not notify the HHS' Office for Civil Rights of an exposure of PHI has to prove that no significant harm has occurred to the individuals whose PHI was exposed.

The Difficulty in Complying with HIPAA Law

The difficulty in complying with HIPAA law is partly caused by the Privacy and Security Rules being written in such a way as to be sufficiently flexible to cover the many different uses of PHI. Even when the law only applied to Covered Entities, there were issues with how the Rules should be interpreted in specific circumstances. This was not made any easier by the technology-neutral language of the HIPAA Security Rule and the distinction between “required” and “addressable” implementation specifications within the administrative, technical and physical safeguards.

Now that Business Associates and subcontractors are required to comply with HIPAA law – and Covered Entities have an obligation to conduct due diligence on their Business Associates – compliance is not going to get any easier. It has to be remembered that the primary function of Business Associates is not usually healthcare-related. They could be any service provider from a lawyer to a software vendor that does not usually deal with the use, storage or disclosure of PHI, and who will now have to comply with HIPAA law. It is recommended that Covered Entities and Business Associates unsure about their compliance obligations seek professional help from a HIPAA compliance service.