When was HIPAA passed?

President Bill Clinton signed the Health Insurance Portability and Accountability Act into law on August 21, 1996. Legislators originally designed HIPAA to ensure that people who were temporarily out of work would still have access to health insurance. HIPAA has since evolved to include rules on patient data privacy, data security in the healthcare industry, and data breach responses. HIPAA also encourages providers to improve the efficiency of the healthcare system and reduce administrative hurdles that could affect patient wellbeing.

New rules were added to HIPAA’s legislation over the years to tackle different issues faced by the healthcare industry. These include the Privacy Rule, the Security Rule, the Enforcement Rule, the Breach Notification Rule, the Omnibus Rule, and the incorporation of the Health Information Technology for Economic and Clinical Health Act.

These updates to HIPAA legislation helped to ensure that healthcare organisations place proper security provisions on patient healthcare data. The rules also forced healthcare organisations to adequately inform patients and plan members in the event of a breach of their protected health information. It should be noted that the HIPAA Rules also apply to business associates of HIPAA covered entities.

When was the HIPAA Privacy Rule Introduced?

Legislators first proposed the HIPAA Privacy Rule on November 3, 1999, but the Final Privacy Rule was not enacted until December 20, 2000. HIPAA covered entities were required to comply with the Privacy Rule from April 14, 2003.

The HIPAA Privacy Rule defines protected health information (PHI) and informs covered entities (CEs) and business associates (BAs) of their responsibilities to protect patient data. The Minimum Necessary Rule is also part of the Privacy Rule, and stipulates that should PHI be handed over to a third party, only the minimum amount of data necessary to complete the specific task should be disclosed.

When was the HIPAA Security Rule Introduced?

The HIPAA Security Rule was first proposed on August 12, 1998, with the final Security Rule of HIPAA enacted on February 20, 2003. CEs had to comply with the HIPAA Security Rule from April 21, 2006.

The HIPAA Security Rule outlines the minimum physical, technical, and administrative safeguards needed to protect electronic PHI.

The HIPAA Security Rule also requires covered entities to conduct a risk analysis to identify risks to the confidentiality, integrity, and availability of PHI and to manage those risks and reduce them to a reasonable level.

When was the HIPAA Breach Notification Rule Introduced?

The Breach Notification Rule was created when the Health Information Technology for Economic and Clinical Health (HITECH) Act was incorporated into HIPAA on February 17, 2009. HITECH was enforceable from February 27, 2010.

The Breach Notification Rule outlines procedures that must be followed in the aftermath of a breach to ensure that the risk of damage to patients is minimal.

HITECH introduced increased penalties for HIPAA violations and expanded HIPAA’s scope to include the business associates of covered entities.

When was the HIPAA Enforcement Rule Introduced?

The Enforcement Rule was first proposed on April 18, 2005, and finalised on February 16, 2006. The Enforcement Rule contains guidance on the fines and penalties that may be levied against a CE should a data breach occur. (OCR and Department of Health and Human Services can alter punishments at their discretion.)

When was the HIPAA Omnibus Rule Introduced?

Legislators enacted the HIPAA Omnibus Rule of 2013 on January 17, 2013. Organisations had to comply with the new rule by September 23, 2013.

The Omnibus Rule covers a wide range of privacy-related areas, from the length of time a patient’s records can be held to the encryption requirements for PHI.

Important Dates in the History of HIPAA

  • August 21, 1996 – HIPAA signed into law
  • December 20, 2000 – HIPAA Final Privacy Rule Issued
  • February 20, 2003 – HIPAA Final Security Rule Issued
  • April 14, 2003 – HIPAA Privacy Rule compliance deadline
  • April 21, 2006 – HIPAA Security Rule compliance deadline
  • March 16, 2006 – HIPAA Enforcement Rule becomes effective
  • February 17, 2009 – HITECH Act signed into law
  • February 27, 2010 – HITECH Act compliance deadline
  • January 17, 2013 – HIPAA Omnibus Final Rule Issued
  • September 23, 2013 – Omnibus Rule compliance deadline