Who Created HIPAA?


HIPAA was created by many people including members of the Clinton Health Plan Task Force, Senators Kennedy and Kassebaum, Rep. Bill Archer, and Donna Shalala and her team at the Department of Health and Human Services.

There is no single-person answer to the question of who created HIPAA. This is because HIPAA evolved from the Clinton administration’s ambitious plans to reform the health system. The plans were created over many months by a Health Plan Task Force and proposed to Congress in the Health Security Act of 1993. Congress did not support the Act and it was declared dead in September 1994.

When the Clinton Health Plan failed, the proposals to reform employer-based health insurance programs were adopted by Senators Ted Kennedy and Nancy Kassebaum. The proposals were reintroduced as the Health Insurance Reform Act of 1995. Although Kennedy and Kassebaum are often credited as the Senators who created HIPAA, HIPAA would not have passed without the contribution of Rep. Archer.

Why Rep. Bill Archer’s Contribution was Important

The issue with the Kennedy-Kassebaum proposals was that they assumed the cost of compliance would not result in an increase in health insurance premiums – despite HHS Secretary Donna Shalala warning that up to 40% of Americans could see their premiums increase. It was also overlooked that, if tax-deductible premiums increased, this would also result in a decrease in federal tax revenues.

Rep. Archer’s contribution to HIPAA was to introduce a companion bill that included measures to reduce health insurance fraud and abuse, and to make the administration of healthcare transactions (such as eligibility checks, authorization requests, claims, billing, etc.) more efficient – thus saving health insurance companies money and neutralizing the cost of compliance.

Congress integrated the Kennedy-Kassebaum proposals into Rep. Archer’s bill – the Health Coverage Availability and Affordability Act – and renamed the proposals as the Health Insurance Portability and Accountability Act. After a few compromises were made and a few more Titles added, Congress approved HIPAA and the bill was signed into law by President Clinton on August 21, 1996.

Who Created HIPAA As We Know It?

The text of HIPAA approved by Congress in 1996 did not include standards for health transactions, the security of health information maintained or transmitted electronically, or the privacy of health information in general. Instead, the text of HIPAA instructs the Secretary for Health and Human Services to adopt standards for transactions and security, and make recommendations for privacy.

Therefore, in the context of who created HIPAA as we know it, the creators of HIPAA were not Bill Clinton, Ted Kennedy, Nancy Kassebaum, or Bill Archer, but rather Secretary Donna Shalala and her team at the Department of Health and Human Services. However, the creation of HIPAA as we know it was not fast, and it took a year before the privacy recommendations were delivered to Congress.

Because Congress had given itself three years to pass its own privacy legislation, the privacy recommendations were not published as a HIPAA Rule until 2000. In the same year, the first transaction standards were published; and, although proposals for security standards were announced in 1998, it was not until 2003 that the HIPAA Security Final Rule was published.

The Creation of HIPAA Did Not Stop in 2003

Subsequent to the publication of the transaction standards and the Privacy and Security Rules, HIPAA continued to evolve. An Enforcement Rule was published in 2006 to incentivize HIPAA compliance, and an interim Breach Notification Rule was published in 2009 following the passage of the HITECH Act. Further changes were made to all of HIPAA’s Rules by the Final Omnibus Rule in 2013.

Since 2013, the evolution of HIPAA has not been so dramatic. There have been a few minor changes to the HIPAA Privacy Rule over the past ten years; and, since 2015, the amount a covered entity or business associate can be fined for a violation of HIPAA has increased year-on-year to account for inflation. However, multiple proposals are currently being considered that could impact future HIPAA compliance.

These proposals include enhanced protections for reproductive health information and Part 2 records, Privacy Rule changes to accommodate CMS’ Interoperability and Patient Access Rule, measures to comply with the HITECH Act’s “revenue sharing” requirements, and standards for electronic signatures – twenty years after they were dropped from the original Security Rule.

If you would like to find out more about the proposed changes to HIPAA, you should review this article or speak with a HIPAA compliance expert.