When was HIPAA enacted?

Anyone who has worked in the healthcare industry will have heard of HIPAA and knows of its importance in safeguarding protected health information (PHI). However, most will not know about the history of HIPAA, when it came about and how it has changed over time.

The Origins of HIPAA

The Health Insurance Portability and Accountability Act was signed by then-President Bill Clinton on the 21st August 1996. HIPAA is also sometimes known as the Kennedy-Kassebaum Act, named for its main sponsors Ted Kennedy and Nancy Kassebaum. However, more often than not the act is simply known as HIPAA.

However, though it eventually received enough support to pass, the introduction of HIPAA was not simple. Initially called the Health Insurance Reform Act, it was devised as a response to the developing healthcare system and an obvious need to simplify moving healthcare plans between employers. Though the legislation now concerns other aspects of health privacy, it was originally designed to “improve the portability and accountability of health insurance coverage” when workers moved between jobs.

However, the legislation stalled in late 1995 as it received opposition from senators who were concerned about how health insurance would be moved from groups to individuals. This concern was echoed by industry representatives. Eventually, however, the bill received bipartisan support and the legislation moved through both the House and the Senate. Other versions of the Act were proposed, causing more debates between politicians, though eventually in summer 1996 the final version was settled upon.

Changes to HIPAA since its Enactment

When HIPAA was signed into law, the Department for Health and Human Services took over its administration and enforcement. They also started writing new “Rules” to be added to the Act.

The first of these rules came into effect in 2003. This “Privacy Rule” included a definition of PHI and how it was to be accessed, used, and disclosed. It also introduced other changes, making it a rule that all business associates are also HIPAA-compliant.

Next came the Security Rule in April 2005. This rule deals specifically with electronic PHI (ePHI), establishing three categories of safeguards (administrative, technical and physical) that must be employed to protect it.

A year later, in 2006, the Enforcement Rule came into effect. This allowed the Office for Civil Rights (OCR), which oversees HIPAA within the DHHS, to issue penalties for non-compliance. It could now fine covered entities (CEs) for not complying with the Privacy and Security Rules. However, for a few years after its enactment, the OCR was criticised for not properly enforcing HIPAA.

In 2009, the OCR added the Breach Notification Rule to HIPAA. This stipulated how, if a breach was discovered, the CE should go about reporting it and what actions should be taken to minimise the impact of the breach in the short term.

The most recent addition to HIPAA was the Omnibus Rule. This was designed to bring HIPAA up to date with the HITECH Act (2009), specifically making changes to how ePHI was accessed and protected. It also added strength to the Enforcement Rule.

HIPAA Enactment: Summary

HIPAA had a rocky start, initially failing to gain support with politicians. Even as it advanced through the House of Representatives and the Senate, protracted debates delayed its introduction until 1996. Now, however, it is a powerful piece of legislation safeguarding patient privacy, made stronger through a series of updates.

Enactment of HIPAA: FAQ

When was the most recent HIPAA Rule added?

No HIPAA Rule has been added to the Act since 2013’s Omnibus Rule. However, there have been some amendments. Indeed, in 2020, the Office for Civil Rights issued a Notice of Proposed Rulemaking that included changes to the HIPAA Privacy Rule and introduced a new Final Rule. These are expected to come into force in 2022.

Who enforces HIPAA?

The Office for Civil Rights in the Department for Health and Human Services enforces HIPAA. They enforce all aspects of HIPAA, from violations that result in data breaches (where PHI has been accessed by unauthorized individuals) to complaints that have been filed by patients. In some cases, if criminal actions are suspected, cases may be referred to the Department of Justice.

Is HIPAA still in effect?

Yes, ever since HIPAA was enacted in 1996 it has been in effect. There have been several updates to the act – with more expected to come – but these have served to strengthen patient privacy protections.

What is the HITECH Act?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was introduced in 2009. Its purpose included improving the efficiency of healthcare administration, increasing the degree of coordination in patient care, and improving the health status of the population. It also introduced some modifications to HIPAA, including increasing the financial penalties that can be issued by the OCR. It also introduced a legal obligation for Business Associates to be HIPAA (and HITECH) compliant.