What is the Purpose of HIPAA?

The purpose of HIPAA is sometimes explained as ensuring the privacy and security of individually identifiable health information. However, regulations relating to the privacy and security of individually identifiable health information were not enacted until some years later. So, what was the primary purpose of HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an Act of legislation with the primary purpose of reforming the health insurance industry. At the time, a large proportion of the working population and their families obtained health insurance through their employment, and a lack of health benefit portability between jobs raised concerns that some employees avoided pursuing higher-productivity positions for fear of losing their health insurance coverage.

The fears of “job lock” scenarios and a reduction in employment mobility were exacerbated by the conditions applied to new group health plan members – for example, probationary periods during which coverage was limited. There were also issues about new employees with pre-existing conditions being denied coverage, their employer (as group plan sponsor) having to pay higher premiums, or the employee having higher co-pays when healthcare was required.

However, the proposed measures to increase the portability of health benefits, guarantee renewability without loss of coverage, and prevent discrimination for pre-existing conditions came at a financial cost to the health insurance industry – a cost Congress was keen to avoid the industry passing onto employers in higher premiums and co-pays. Consequently, Congress added a second Title to the Act which had the purpose of reducing other health insurance industry costs.

The Purpose of HIPAA Title II

HIPAA Title II had two purposes – to reduce health insurance fraud and to simplify the administration of health claims. According to a report prepared for Congress during the committee stages of HIPAA, fraud accounted for 10% of all healthcare spending. To reduce the level of loss, Congress introduced a Fraud and Abuse Control Program that included higher penalties for offenders and expulsion from Medicare for healthcare providers found to be abusing the system.

With regard to the simplification of health claims administration, the report claimed health plans and healthcare providers would save $29 billion over five years by adopting uniform standards and an electronic health information system for the administration of health claims. The Act instructs the Secretary of Health and Human Services (HHS) to develop standards for electronically transmitted transactions, and the first of these (the Administrative Requirements) were published in 2000.

In addition, the Secretary was instructed to develop standards to ensure the confidentiality and integrity of data when transmitted electronically between health plans, health care clearinghouses, and healthcare providers (the Security Rule) and to submit recommendations for the privacy of individually identifiable health information collected, received, maintained, and transmitted by health plans, health care clearinghouses, and healthcare providers (the Privacy Rule).

How the Standards and Recommendations Evolved

The Security Rule standards and Privacy Rule recommendations were not enacted immediately due to the volume of comments received from concerned stakeholders. Although a proposed Privacy Rule was released in 1999, it was not until 2003 that the Final Privacy Rule was enacted. The Privacy Rule was subsequently updated in 2013 (the Final Omnibus Rule), 2014 (for the Clinical Laboratory Improvement Amendments), and 2016 (to allow criminal background checks).

A proposed Security Rule was published even earlier, in 1998, but again the volume of comments from stakeholders delayed the final enacted version until 2004. The Security Rule was also updated in the Final Omnibus Rule of 2013 to account for amendments introduced in the HITECH Act of 2009 – including the requirement for Business Associates to comply with the Security Rule, and for both Covered Entities and Business Associates to comply with a new Breach Notification Rule.

In addition, an Enforcement Rule was published in 2005 which outlined how complaints about HIPAA violations and breaches would be managed. The authority to investigate complaints and enforce the Privacy, Security, and Breach Notification Rules was delegated to HHS' Office for Civil Rights, and the authority to investigate complaints and enforce the Administrative Requirements was delegated to the Centers for Medicare and Medicaid Services.

What is the Purpose of HIPAA Now?

More than a quarter of a century since the passage of HIPAA, it is not surprising many people associate the purpose of HIPAA with the privacy and security of individually identifiable health information – now more commonly referred to as “Protected Health Information”. However, if you or a family member have ever benefitted from the portability of health benefits or the guaranteed renewability of health coverage, it is the primary purpose of HIPAA you have to thank.

Purpose of HIPAA: FAQ

How does HIPAA protect patients?

There are a number of ways in which HIPAA benefits patients. By reforming the health insurance industry, it ensures that patients have better protections and continuity in health insurance. By ensuring that any personal information is protected by minimum safeguards, the data privacy components of HIPAA also protect patients from identity theft and fraud. Both of these can have devastating consequences for individuals, highlighting the importance of HIPAA.

Why was HIPAA enacted?

Despite its current association with patient privacy, one of the main drivers of enacting HIPAA was health insurance reform. Before HIPAA, it was difficult for patients to transfer benefits between health plans if they changed employers, and insurance could be difficult to obtain for those with pre-existing conditions.

Who enforces HIPAA?

The privacy-related aspects of HIPAA (in Title II) are enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR). HIPAA violations that result in the unauthorized access of PHI are reportable to the OCR. The OCR will then investigate, and if it decides that a violation of HIPAA has occurred, it will issue a corrective action plan or a financial penalty, or refer the case to the Department of Justice if it believes there was criminal activity involved.

How does HIPAA help Covered Entities?

Though HIPAA is primarily focused on patients, there are some benefits to HIPAA Covered Entities (health plans, healthcare providers, and healthcare clearinghouses). HIPAA has improved efficiency by standardizing aspects of healthcare administration.