HIPAA became law on August 21, 1996, when President Bill Clinton signed the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
The date HIPAA became law is separate from the dates when the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule became enforceable requirements for regulated entities. HIPAA is the statute enacted by Congress, while the HIPAA rules are federal regulations issued by the U.S. Department of Health and Human Services to implement statutory requirements, including the Administrative Simplification provisions.
After enactment, federal rulemaking established standards for transactions and code sets, unique identifiers, and safeguards for protected health information. The HIPAA Privacy Rule created nationwide standards for the use and disclosure of protected health information and for individual rights related to access and privacy. The HIPAA Security Rule established administrative, physical, and technical safeguards for electronic protected health information. The HIPAA Breach Notification Rule established notification requirements for breaches of unsecured protected health information.
Compliance programs often track multiple HIPAA milestones. The enactment date, August 21, 1996, marks when the statute took legal effect. Operational compliance obligations for HIPAA regulated entities are generally tied to the effective and compliance dates of the applicable regulations, amendments, and related federal statutes, along with any applicable state law requirements that are more protective of privacy.
