Most people in healthcare-related industries know elements of HIPAA law – most often the elements that are relevant to their specific roles. However, in order to fully understand HIPAA compliance and why HIPAA regulations are written in the way they are, it is beneficial to have a little knowledge about the origins of the Healthcare Insurance Portability and Accountability Act and the changes to HIPAA law made since its enactment.
The origins of HIPAA law go back a long way before the Healthcare Insurance Portability and Accountability Act was enacted in 1996. The original proposals – to prohibit self-insuring employers and the insurance industry from denying coverage to employees with pre-existing conditions – evolved from Congressional Acts such as the Employee Retirement Income Security Act (ERISA) in 1974 and the Consolidated Omnibus Reconciliation Act of 1985 (COBRA).
The proposals relating to healthcare insurance portability and accountability were passed under the Senate's Health Insurance Reform Bill in 1995 and eventually became Title I of HIPAA. The privacy and security regulations most people associate with HIPAA law today did not materialize until 1999, when the Department of Health & Human Services (HHS) released a proposed Privacy Rule for public comment in compliance with the Administrative Simplification Provision (part of Title II of HIPAA).
A final Privacy Rule was published in December 2000 and subsequently modified in 2002. The Rule set the standards for the protection of individually identifiable health information by healthcare plans and healthcare clearing houses, and by certain healthcare providers. The standards had the objective of protecting personal data in order to prevent fraud and abuse in the healthcare system; but because they apply to so many use cases, the language used in the Privacy Rule is ambiguous in certain circumstances.
A final Security Rule was published three years later. This Rule established national standards to ensure the confidentiality, integrity and security of “Protected Health Information” (PHI) when it is created, received, used, stored or transmitted electronically. The Security Rule requires the implementation of appropriate administrative, physical and technical safeguards, and HIPAA-covered entities were required to comply with the Security Rule safeguards by April 2005.
Also in 2003, HHS published the first “Procedures for Investigations, Imposition of Penalties and Hearings” to enforce HIPAA law. The HIPAA Enforcement Rule was supposed to address the unauthorized use or disclosure of PHI and resolve complaints from the public about breaches of the Privacy Rule, such as when they were not allowed access to their own health information.
However, as HHS lacked the resources to deal with the volume of complaints received from the public, very little enforcement action was taken until the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. This Act introduced the Breach Notification Rule and new penalties for violating HIPAA which gave HHS the tools to effectively enforce HIPAA law.
The aim of the HITECH Act was to make the healthcare system more efficient by encouraging the adoption and meaningful use of health information technology. In order to ensure the HIPAA Privacy and Security Rules were complied with as the volume of electronic transactions increased, higher penalties were introduced for the unauthorized disclosure of PHI due to a lack of compliance.
HITECH also introduced the Breach Notification Rule – a Rule that required breaches of PHI affecting more than 500 individuals to be reported to HHS within sixty days. Additional procedures were also required in order to inform those affected by the breach and provide credit monitoring services where necessary. Failure to comply with the Breach Notification Rule was also penalized.
The cost of non-compliance with HIPAA law can be significant. Whereas some HIPAA-covered entities will be asked to agree a course of corrective action after an unforeseeable breach of PHI occurs, HHS' Office of Civil Rights has the authority to impose fines of up to $50,000 per violation when breaches of PHI are attributable to willful neglect of HIPAA law.
Following the publication of the Final Omnibus Rule in 2013, “Business Associates” – entities to whom PHI is lawfully disclosed for the provision of a service on behalf of a healthcare plan, healthcare clearing house or healthcare provider – are also required to comply with HIPAA law and are subject to the same penalties when breaches of PHI occur.