Put simply, HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. However, the title of the act does little to explain its purpose. HIPAA essentially established standards for protecting health information and reformed aspects of the health insurance industry to make it fairer for policyholders. The act is often incorrectly referred to as the “Health Information Privacy and Portability Act”.
HIPAA was born out of a complicated healthcare insurance landscape that varied between states. Health insurance was initially offered as accident insurance (first by the Franklin Health Assurance Company of Massachusetts) or as employer-sponsored disability insurance. However, many insurance providers fell foul of legislation because they indirectly provided health services to their customers, and so were banned as “unlicensed practitioners of medicine”. Improved laws regulated which services for-profit insurance companies could provide, meaning they could operate within particular remits.
The improved laws, however, had their complications. By the end of the 20th century, many separate acts governed different types of policies: individual states legislated on group health plans, while the Employee Retirement Income Security Act of 1974 (ERISA) and the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) related to employer-sponsored and individually purchased policies. This patchwork of laws created a confusing landscape with respect to the portability of insurance plans between jobs and how individuals accessed their benefits.
Early group health insurance charged a standard premium to all of its members. The first group insurance scheme, started in the 1920s at Baylor University, collected $6 from each of its teachers in return for guaranteeing them coverage for 21 days of hospital care each year. The scheme (termed the “Blue Cross”) was extended nationwide and is now considered a forerunner of modern health maintenance organisations (HMOs).
However, as the premiums were not tailored to the individual’s own health and were instead a flat fee, individuals with “good” health (and who were, therefore, less likely to claim on the scheme) effectively subsidised those in poor health. This led to insurance providers charging customers based on an “experience rating” related to each individual’s risk. Individuals with pre-existing conditions were prevented from taking out policies, and there were limitations on the portability of policies between jobs, effectively creating a “job-lock”: employees could not move jobs without risking losing their health cover.
Addressing these restrictions would cost the health insurance industry money. Several efforts were made to introduce legislation that would cover certain pre-existing conditions or allow employees to transfer policies between employers, but they failed because they did not address the costs associated with these reforms. Perhaps the most famous of these failed bills was the Health Insurance Reform Act of 1995. Introduced by Senators Nancy Kassebaum and Ted Kennedy, the bill is often mistaken for the forerunner of HIPAA. However, Congress did not pass it, as it did not account for the financial needs of the health insurance providers.
A later bill (HR.3103, introduced by Representative Bill Archer) ensured that any costs of complying with health insurance legislation would not be passed on to consumers. It also aimed to eliminate insurance fraud, which was estimated at the time to account for 10% of insurance spending. This was to be achieved by standardising the administration of health insurance claims, a process that required the establishment of Transactions and Code Set Standards governing electronic transactions and mandating safeguards to protect data. Initially, this related only to data in transit between healthcare providers, health plans and healthcare clearinghouses, but it was later extended to “all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits”. In many ways, this provision of HR.3103 was a precursor to the HIPAA Security Rule. Additionally, HR.3103 required standards relating to the privacy of health information, which in turn led to the HIPAA Privacy Rule.
Now, the vast majority of healthcare transactions are protected by HIPAA’s Privacy and Security Rules. HIPAA has also granted patients the right to access their health data and to request corrections to health records they consider incorrect or incomplete. They also have the right to know who else has access to their information. Therefore, though HIPAA was originally conceived as a means of reforming the insurance industry, it is largely enacted by healthcare organisations tasked with securely storing and moving patient data. All HIPAA Covered Entities (CEs) must have robust policies in place to uphold the confidentiality, integrity and availability of electronic protected health information (ePHI). These policies must be documented and communicated through training to every member of a CE’s workforce.
HIPAA is not the only piece of legislation that governs healthcare data. Some states have more stringent privacy rules that take precedence over HIPAA’s; this is the case with Texas’ Medical Records Privacy Act. In addition, federal regulations such as the Family Educational Rights and Privacy Act may also affect how HIPAA is enforced.