HIPAA was created by the United States Congress when it passed the Health Insurance Portability and Accountability Act of 1996; the law took effect when President Bill Clinton signed it on August 21, 1996. The statute directed the U.S. Department of Health and Human Services to implement national standards for administrative simplification, and those standards later developed into the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.
HIPAA is federal legislation, not an agency policy statement. Congress enacted HIPAA as Public Law 104-191 during the 104th Congress, with provisions addressing health insurance portability and continuity of coverage, limits on preexisting condition exclusions in certain contexts, and measures related to fraud and abuse. The statute also included tax-related provisions and directives tied to medical savings accounts and other coverage mechanisms that were part of the legislative package.
The statute established a framework for standardizing electronic health care transactions and protecting health information through required federal rulemaking. Congress directed the U.S. Department of Health and Human Services to adopt standards for electronic transactions and code sets and to create unique identifiers for certain entities. Congress also set conditions for privacy protections: if Congress did not enact comprehensive privacy legislation within the timeline set in the statute, the Department was directed to issue privacy standards by regulation.
Day-to-day HIPAA compliance obligations come primarily from federal regulations issued under that statutory authority. The HIPAA Privacy Rule defines protected health information, sets limits on uses and disclosures, and grants individuals rights such as access and amendment within defined parameters. The HIPAA Security Rule establishes administrative, physical, and technical safeguard requirements for electronic protected health information. The HIPAA Breach Notification Rule sets notification duties for breaches of unsecured protected health information, with different reporting pathways based on the number of affected individuals.
Compliance documentation should distinguish between Congress as the creator of the HIPAA statute and the U.S. Department of Health and Human Services as the agency responsible for issuing and updating implementing regulations and compliance guidance under the statutory mandate.
