To best understand why HIPAA was established, you have to go back more than a century to the 1850s, when the health insurance industry consisted of a handful of companies offering accident insurance. The industry expanded in the early 1900s due to the introduction of employer-sponsored plans, but at the time was governed by individual state laws lacking in consistency.
The federal government got involved in regulating the industry in the 1970 with the passage of Employee Retirement Income Security Act (ERISA). However, this Act only covered employer-sponsored and individually purchased health plans, while commercial for-profit group health plans were still governed by inconsistent state laws.
The inconsistency of state laws meant it was difficult for many employees to change jobs without losing benefits. The majority of state laws also allowed group health plans to deny coverage, enforce higher deductibles, or charge higher premiums for plan members with pre-existing conditions – creating a “job lock” scenario in which many workers were stuck in jobs permanently.
On the 21st August 1996, the Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law. The purpose of the legislation was to “improve the portability and accountability of health insurance coverage” for anyone between jobs. The act also focused on reducing waste, fraud, and abuse in the healthcare sector.
HIPAA also aimed to streamline the administration of healthcare, thus reducing the administrative burden on covered organizations. This was achieved through the HIPAA Administrative Simplification Rule, which required health plans and healthcare organizations to comply with a new set of standards for healthcare transactions and the adoption of standard code sets.
The Administrative Simplification Rule also instructed the Secretary of Health and Human Services (HHS) to make recommendation for the privacy of health information and to develop standards for the security of health information when it was transmitted electronically. These instructions evolved into the Privacy and Security Rules.
Shortly after HIPAA was enacted, the Department of Health and Human Services began devising the Privacy Rule, which became enforceable on April 14, 2003. The Privacy Rule defined the term “Protected Health Information” (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.
The Privacy Rule instructs “covered entities” (CEs) on how best to maintain the integrity of private data and stipulates the allowable uses and disclosures of identifiable health information. The Privacy rule also gave patients new rights over their healthcare data, including the right to obtain a copy of their health records, the right to amend healthcare records to correct errors, and the right to prevent details of private healthcare treatments from being disclosed to health insurers.
Two years later came the Security Rule. The Security Rule introduced standards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) and requires covered entities to implement administrative, technical, and physical safeguards.
Administrative safeguards require CEs to have clear policies and procedures covering the security of healthcare data. Physical safeguards protect the locations where hardware containing ePHI is stored, and technical safeguards protect stored ePHI and ensure it is protected in transit.
Despite the privacy and security risks that persist if healthcare organizations do not comply with HIPAA, many CEs failed to implement compliance programs. This led to the introduction of the Enforcement Rule in 2006, which gave the Department of Health and Human Services the authority to enforce compliance with HIPAA and fine covered entities found not to be in compliance with the HIPAA Privacy and Security Rules. It also gave HHS the right to pursue criminal charges against covered entities and individuals for serious violations of HIPAA Rules.
The HITECH Act was signed into law in 2009, in part, to introduce new requirements for electronic health records (EHRs) and to encourage healthcare providers to adopt EHRs. The HITECH Act led to the creation of the Meaningful Use incentive program, which provided financial incentives for healthcare organizations that adopted EHRs.
The HITECH Act led to the creation of the Breach Notification Rule, which requires breaches of PHI to be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and all individuals whose PHI was exposed or compromised to be notified of the breach within 60 days of the discovery.
In 2013, the most recent addition to HIPAA came into law – the Omnibus Final Rule. Though it did add much in the way of new legislation, it served to tighten up the language of HIPAA and addressed many gaps in the original laws. For example, the Omnibus Final Rule stipulated that under HITECH requirements, all messages sent outside the CE’s firewall must be encrypted.
The original HIPAA legislation was vague in its definitions, which the Omnibus Final Rule rectified. For example, the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.
The Omnibus Final Rule also amended the Privacy and Security Rules. Patient records allowed to be held indefinitely, rather than the fifty years. The HITECH Act also increased the penalties for HIPAA violations to encourage compliance with HIPAA Rules.
The deadline for the using Clinical Modification ICD-10-CM for diagnosis coding and Procedure Coding System ICD-10-PCA for inpatient hospital procedure coding was set for October 2015.
To ensure that CEs were complying with HIPAA regulations OCR began conducting compliance audits in 2011. The first phase of audits, which were completed in 2012, revealed many HIPAA covered entities were not in compliance with all aspects of HIPAA Rules. Many breaches of the Privacy Rule, Security Rule and the Breach Notification Rules were recorded. OCR has since issued further guidance to help healthcare organizations improve their compliance programs.
OCR also started issuing financial penalties for serious compliance failures, and has stepped up its enforcement activities in recent years. Today, it is common for multi-million-dollar financial penalties to be issued for serious violations of HIPAA Rules.
Before HIPAA, the health insurance market made it difficult for employees to move benefits between health plans, and individuals with pre-existing conditions were often prevented from getting plans. The Senate Labor and Human Resources Committee published a report saying that policyholders and employees were not being adequately protected by their plans. Since then, however, it has been adapted to include rules that govern the protection of patient privacy.
There are a few different HIPAA origin stories. Many say that the “Health Insurance Reform Act” proposed by in 1995 by Senators Ted Kennedy and Nancy Kassebaum was the precursor to HIPAA. However, this Act was not passed by congress. In light of this, a later bill (HR.3103, sponsored by Representative Bill Archer) is considered the precursor to HIPAA. The Health Insurance Portability and Accountability Act was signed into law by Bill Clinton in August 1996.
As detailed in the article, HIPAA is the Health Insurance Portability and Accountability Act of 1996, with the aim of reforming the health industry.
HITECH is the Health Information Technology for Economic and Clinical Health Act, passed in 2009. It is closely related to HIPAA, often leading to confusion between the two acts. Its primary purpose was to incentivize organizations to switch to electronic health records (EHRs). HITECH also led to the addition of the Breach Notification Rule to HIPAA in 2009.
Since its enactment in 1996, several additional “Rules” have been added to the Act. These have helped refine its remit and outline the standards necessary to ensure patient data is secure. The major updates are as follows: