HIPAA was passed on August 21, 1996, when the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, was enacted after congressional approval and presidential signature. The statute established federal statutory authority for health insurance portability provisions and for the Administrative Simplification requirements that later produced the HIPAA Privacy Rule, HIPAA Security Rule, and related enforcement and breach notification regulations.
The 1996 statute addressed several subject areas through separate titles. The provisions most associated with healthcare compliance programs stem from the Administrative Simplification requirements, which directed the adoption of standards for certain electronic healthcare transactions and code sets and authorized federal rulemaking for privacy and security protections associated with health information handled in regulated operations.
The HIPAA Privacy Rule and HIPAA Security Rule were issued through subsequent federal rulemaking rather than being fully contained in the 1996 statutory text. The HIPAA Privacy Rule regulates uses and disclosures of protected health information by HIPAA Covered Entities and establishes individual rights related to protected health information. The HIPAA Security Rule establishes requirements for administrative, physical, and technical safeguards to protect electronic protected health information, including risk analysis and risk management as programmatic requirements.
HIPAA obligations apply to HIPAA Covered Entities and extend to Business Associates when a vendor creates, receives, maintains, or transmits protected health information on behalf of a covered entity. This structure is operationalized through Business Associate Agreements, workforce and access controls, and vendor oversight aligned with the HIPAA Privacy Rule and HIPAA Security Rule requirements.
Breach notification and enforcement requirements were strengthened through later statutory amendments and implementing regulations. The HIPAA Breach Notification Rule created defined notification duties when unsecured protected health information is compromised, and enforcement processes support investigations, corrective action, and civil monetary penalties under the applicable regulatory standards.
The date HIPAA was passed refers to the enactment of the federal statute in 1996. Compliance deadlines for the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule occurred later and differ by regulation, which affects when regulated entities were required to implement specific privacy, security, incident response, and documentation controls.
