HIPAA was introduced on August 21, 1996, when President Bill Clinton signed the legislation into law. One of the key targets of the legislation was to improve the portability of health insurance coverage – making sure employees retained health insurance coverage when moving between jobs. HIPAA also holds healthcare organizations accountable for health data and helps to ensure health information stays private and confidential.
HIPAA also tackled wastage in healthcare and helped to stop fraud and abuse in healthcare delivery and health insurance, while also streamlining the administration of healthcare.
There have been major updates to HIPAA legislation over the years, chiefly the introduction of the HIPAA Privacy Rule, the HIPAA Security Rule, the incorporation of HITECH Act requirements and the HIPAA Omnibus Rule.
These updates brought in many new provisions to HIPAA legislation and ensured that patient privacy was safeguarded, healthcare data was appropriately secured, patients and plan subscribers were notified in the event of a breach of their protected health information, and business associates of HIPAA covered entities also had to comply with HIPAA Rules.
The introduction of the HIPAA Enforcement Rule in 2006 gave the Department of Health and Human Services’ Office for Civil Rights the power to police HIPAA. Since then, it has been possible for the HHS to pursue financial penalties for non-compliance with HIPAA Rules.
HIPAA Privacy Rule Introduction Date
The HIPAA Privacy Rule was first put before the House on November 3, 1999, with the Final Privacy Rule enacted on December 20, 2000, although amendments were made almost immediately. The most important date is April 14, 2003, when HIPAA-covered entities were required to comply with the HIPAA Privacy Rule.
The HIPAA Privacy Rule defined Protected Health Information (PHI) and regulated the use of PHI by HIPAA-covered entities, stating with whom the information could be shared and under what circumstances. The HIPAA Privacy Rule requires proper safeguards to be put in place to protect the privacy of patients. Patients were also given the right to obtain copies of the PHI held by HIPAA-covered entities.
HIPAA Security Rule Introduction
The HIPAA Security Rule was initially proposed on August 12, 1998, with the final Security Rule of HIPAA enacted on February 20, 2003. Compliance with the HIPAA Security Rule became mandatory on April 21, 2006.
The HIPAA Security Rule is mainly concerned with the establishment of national standards for security to safeguard electronic protected health information. The HIPAA Security Rule requires administrative, physical, and technical security measures to be implemented to ensure the confidentiality, integrity, and availability of PHI. The HIPAA Security Rule also requires covered entities to complete a risk analysis to identify risks to the confidentiality, integrity, and availability of PHI and to manage those risks and reduce them to an acceptable level.
HITECH Act Incorporated into HIPAA
The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed into law on February 17, 2009. Certain elements of HITECH became effective the same month, such as higher penalties for violations of HIPAA Rules. Most of the provisions of the HITECH Act became effective and were enforceable as of February 27, 2010.
The HITECH Act’s incorporation into HIPAA led to the creation of the HIPAA Breach Notification Rule, which requires covered entities to alert individuals when PHI is exposed or compromised. HITECH also required business associates of HIPAA-covered entities to comply with HIPAA Rules and made them directly accountable for HIPAA breaches.
The HIPAA Omnibus Rule of 2013 finalized many provisions of the HITECH Act and incorporated them into HIPAA. The HIPAA Omnibus Rule was enacted on January 17, 2013. The compliance deadline was September 23, 2013.
Main Dates in the History of HIPAA
- August 21, 1996 – HIPAA passed into law
- December 20, 2000 – HIPAA Final Privacy Rule released
- February 20, 2003 – HIPAA Final Security Rule released
- April 14, 2003 – HIPAA Privacy Rule compliance deadline date
- March 16, 2006 – HIPAA Enforcement Rule becomes enforceable
- April 21, 2006 – HIPAA Security Rule compliance deadline date
- February 17, 2009 – HITECH Act legislation signed
- February 27, 2010 – HITECH Act compliance deadline date
- January 17, 2013 – HIPAA Omnibus Final Rule released
- September 23, 2013 – Omnibus Rule compliance deadline date