President Bill Clinton sighed the Health Insurance Portability and Accountability Act into law on August 21, 1996. Legislators originally designed HIPAA to ensure that people who were temporarily out of work would still have access to health insurance. HIPAA has evolved since then to include rules on patient data privacy, data security in the healthcare industry, and data breach responses. HIPAA also encourages providers to improve the efficiency of the healthcare system and reduce administrative hurdles that could affect patient wellbeing.
New rules were added to HIPAA’s legislation over the years to tackle different issues faced by the healthcare industry. These include the Privacy Rule, the Security Rule, the Breach Notification Rule, the Omnibus Rule, and the incorporation of the Health Information Technology for Economic and Clinical Health Act, and the Enforcement Rule.
These updates to HIPAA legislation helped to ensure that healthcare organisations place proper security provisions on patient healthcare data. The rules also forced healthcare organisations to adequately inform patients and plan members in the event of a breach of their protected health information. It should be noted that HIPAA Rules also apply business associates of HIPAA covered entities.
Legislators first proposed the HIPAA Privacy Rule on November 3, 1999, but only enacted the HIPAA Final Privacy Rule of HIPAA enacted on December 20, 2000. HIPAA covered entities were required to comply with the Privacy Rule from April 14, 2003.
The HIPAA Privacy Rule defines PHI and informs CEs and BAs of their responsibilities to protect patient data. The Minimum Necessary Rule is also part of the Privacy Rule, and stipulates that should PHI be handed over to a third party, only the minimum amount of data necessary to complete the specific task should be handed over.
The HIPAA Security Rule was first proposed on August 12, 1998, with the final Security Rule of HIPAA enacted on February 20, 2003. CEs had to comply with the HIPAA Security Rule from April 21, 2006.
The HIPAA Security Rule outlines the minimum physical, technical, and administrative safeguards needed to protect electronic PHI.
The HIPAA Security Rule also requires covered entities to conduct a risk analysis to identify risks to the confidentiality, integrity, and availability of PHI and to manage those risks and reduce them to a reasonable level.
The Breach Notification Rule was created when the Health Information Technology for Economic and Clinical Health (HITECH) Act was incorporated into HIPAA on February 17, 2009. HITECH was enforceable from February 27, 2010.
The Breach Notification Rule outlines procedures that must be followed in the aftermath of a breach to ensure that the risk of damage to patients is minimal.
HITECH introduced increased penalties for HIPAA violations and expanded HIPAA’s scope to include the business associates of covered entities.
The Enforcement Rule was first proposed on April 18, 2005, and finalised on February 16, 2006. The Enforcement Rule contains guidance on the fines and penalties that may be levied against a CE should a data breach occur. (OCR and Department of Health and Human Services can alter punishments at their discretion.)
Legislators enacted HIPAA Omnibus Rule of 2013 on January 17, 2013. Organisations had to comply with the new rule by September 23, 2013.
The Omnibus Rule overs a wide range of privacy-related areas, from the length of time a patient’s records, can be held to the encryption requirements of PHI.
Copyright © 2023 ComplianceHome