On August 21, 1996, then US President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law.
HIPAA was initially intended to improve the portability and continuity of health insurance coverage, especially for employees moving from one job to another. It also standardized the amounts that could be saved in pre-tax medical savings accounts, ended the tax deductibility of interest on life insurance loans, imposed obligations on group health plans, simplified healthcare administration through standard codes and practices, and introduced measures to prevent healthcare fraud.
Many of the details of HIPAA's five titles took time to be formulated, and years passed before the HIPAA Rules became legally enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services' Office for Civil Rights (OCR) to impose fines for noncompliance with the HIPAA Rules, was not published until February 16, 2006, nearly ten years after HIPAA was enacted.
There have been a number of pivotal dates in the past two decades since HIPAA was originally passed – particularly the introduction of the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule.
The HIPAA Privacy Rule added a number of provisions to better protect the privacy of patients. The Security Rule deals specifically with the security of electronic protected health information (ePHI). The Breach Notification Rule ensures that breaches of protected health information are officially reported, while the Omnibus Rule introduced a broad range of amendments, including requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Four key updates to HIPAA legislation are described here.
The Publication of the HIPAA Privacy Rule
The HIPAA Privacy Rule was published on December 28, 2000, under the official name "Standards for Privacy of Individually Identifiable Health Information." The compliance deadline for the HIPAA Privacy Rule was April 14, 2003.
The HIPAA Privacy Rule lists the permissible uses and disclosures of protected health information that do not require the patient's prior authorization. It also gives patients the right to obtain copies of their health data from HIPAA-covered entities.
The HIPAA Security Rule
The HIPAA Security Rule took effect on April 21, 2003, although compliance was not required until April 21, 2005. While the HIPAA Privacy Rule applies to protected health information in all forms, the HIPAA Security Rule applies specifically to the creation, use, storage and transmission of electronic PHI. It requires administrative, physical, and technical safeguards to be implemented to keep ePHI secure, and it also introduced requirements for the disposal of ePHI, and of the media that hold it, once the information is no longer needed.
The HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule originated in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted on February 17, 2009. The Breach Notification Rule was published as an interim final rule on August 24, 2009.
The Breach Notification Rule obligates HIPAA-covered entities to notify the Secretary of the Department of Health and Human Services of breaches of unsecured protected health information without unreasonable delay, and no later than 60 days after discovery of the breach, if the breach affects 500 or more individuals; breaches of that size must also be reported to prominent media outlets serving the affected area. Smaller breaches must still be reported to HHS, no later than 60 days after the end of the calendar year in which the breach was discovered. The Breach Notification Rule also requires affected individuals to be notified without unreasonable delay and no later than 60 days after the breach is discovered.
The HIPAA Omnibus Rule
The HIPAA Omnibus Final Rule was announced on January 17, 2013, published in the Federal Register on January 25, 2013, and took effect on March 26, 2013, with a compliance deadline of September 23, 2013. The Omnibus Rule made a number of amendments to the HIPAA Privacy, Security, and Breach Notification Rules.
One of the most important amendments affected HIPAA business associates: individuals or organizations contracted by HIPAA-covered entities to provide services that require access to PHI.
Since the Omnibus Rule, business associates of HIPAA-covered entities, and their subcontractors, must implement safeguards to protect ePHI as required by the HIPAA Security Rule, and they can be penalized directly for HIPAA violations.
Another vital change concerned the "harm standard." Under the interim Breach Notification Rule, an impermissible use or disclosure had to be reported only if it posed a significant risk of financial, reputational, or other harm to the individual, and many covered entities did not report incidents on the grounds that no such harm had occurred. The Omnibus Rule replaced this standard with a presumption that any impermissible use or disclosure of PHI is a reportable breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. That assessment must consider at least the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.