When was HIPAA enacted?

Anyone who has worked in the healthcare industry will have heard of HIPAA and knows of its importance in safeguarding protected health information (PHI). However, most will not know about the history of HIPAA, when it came about and how it has changed over time.

The Origins of HIPAA

The Health Insurance Portability and Accountability Act was signed by then-President Bill Clinton on the 21stAugust 1996. HIPAA is also sometimes known as the Kennedy-Kassebaum Act, named for its main sponsors Ted Kennedy and Nancy Kassebaum. However, more often than not the act is simply known as HIPAA.

However, though it eventually received enough support to pass, the introduction of HIPAA was no simple. Initially called the Health Insurance Reform Act, it was devised as a response to the developing healthcare system and an obvious need to simplify moving healthcare plans between employers. Though the legislation now concerns other aspects of health privacy, it originally was  designed to “improve the portability and accountability of health insurance coverage” when workers moved between jobs.

However, the legislation stalled in late 1995 as it received opposition for senators that were concerned about how health insurance would be moved from groups to individuals. This concern was echoed by industry representatives. Eventually, however, the bill received bipartisan report and the legislation moved through both the House and the Senate. Other versions of the Act were proposed, causing more debates between politicians, though eventually in summer 1996 the final version was settled upon.

Changes to HIPAA since its Enactment

When HIPAA was signed into law, the Department for Health and Human Services took over its administration and enforcement. They also started writing new “Rules” to be added to the Act.

The first of such rules came into effect in 2003. This “Privacy Rule” included a definition of PHI and how it was to be accessed, used, and disclosed. It also introduced other changes, making all it a rule that all business associates are also HIPAA-compliant.

Next came the Security Rule in April 2005. This rule deals specifically with electronic PHI (ePHI), establishing three categories of safeguards (administrative, technical and physical) that must be employed to protect it.

A year later, in 2006, the Enforcement Rule came into effect. This allowed the Office for Civil Rights (OCR), who oversees HIPAA within the DHHS, to issue penalties for non-compliance. They could now fine CEs for not complying with the Privacy and Security Rules. However, for a few years after its enactment, the OCR was criticised for not properly enforcing HIPAA.

In 2009, the OCR added the Breach Notification Rule to HIPAA. This stipulated how, if a breach was discovered, the CE should go about reporting it and what actions should be taken to minimise the impact of the breach in the short term.

The most recent addition to HIPAA was the Omnibus Rule. This was designed to bring HIPAA up to date with the HITECH Act (2009), specifically making changes to how ePHI was accessed and protected. It also added strength to the Enforcement Rule.

HIPAA Enactment: Summary

HIPAA had a rocky start, initially failing to gain support with politicians. Even as it advanced through the House of Representatives and the Senate, protracted debates delayed its introduction until 1996. Now, however, it is a powerful piece of legislation safeguarding patient privacy, made stronger through a series of updates.