History of HIPAA

Establishment of HIPAA

On 21 August 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The purpose of the legislation was to “improve the portability and accountability of health insurance coverage” for anyone moving between jobs. The act also focused on reducing waste, fraud and abuse in the health sector.

It also aimed to streamline administration in the health sector. A large part of this was transferring hard copies of medical data to computer databases. This had huge, unforeseen consequences, requiring the creation of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. This also led to the Meaningful Use program.

Privacy and Security Rules

Shortly after HIPAA was enacted, the Department of Health and Human Services began devising the Privacy Rule. It came into effect in 2003. Importantly, it provided a definition of “Protected Health Information” (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.

The Privacy Rule also instructs so-called “covered entities” (CEs) on how best to maintain the integrity of private data. Patients were also given the right not to disclose the details of private healthcare treatments to health insurers.

Two years later came the Security Rule. This specifically addressed the integrity of electronically stored PHI (ePHI), detailing three primary categories of safeguards: administrative, physical and technical. These must be strictly followed to ensure full HIPAA compliance.

Administrative safeguards are there to ensure that the CE has clear policies and procedures in place to comply with HIPAA. Physical safeguards protect the locations where hardware containing the ePHI is stored. Finally, technical safeguards are there to protect ePHI when it is transferred between devices.

The Enforcement Rule

Despite the potential security risks of non-compliance, many CEs ignored HIPAA. This led to the introduction of the Enforcement Rule in 2006, giving the Department of Health and Human Services the right to issue charges against those who do not comply with HIPAA. It was also able to levy criminal charges against those who committed serious breaches or failed to begin corrective action within 30 days of the breach.

HITECH and Breach Notification Rule

HITECH was enacted in 2009 in response to the widespread technological development that allowed healthcare data to be stored digitally as Electronic Health Records. The Meaningful Use incentive program was also created to encourage the use of digital PHI rather than keeping it in hard copy.

Around the same time, the Rules were modified to extend to Business Associates and other third-party suppliers. The Breach Notification Rule also came into force, dictating that any breach of ePHI involving more than 500 individuals must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). For smaller breaches, a report on the OCR website is required.

The Omnibus Rule

In 2013, the most recent addition to HIPAA came into law – the Final Omnibus Rule. Though it did not specifically add to the existing legislation, it covered anything that was not included in the original laws. For example, it stipulated that under HITECH all messages sent within or outside the CE’s firewall must be securely encrypted.

The original HIPAA legislation was vague in its definitions, which the Omnibus Rule sought to rectify. For example, the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.

The Final Omnibus Rule also amended the Privacy and Security Rules. Patient records could then be held indefinitely, rather than for the fifty years previously stipulated under the rule. New penalties were added under the Breach Notification Rule.

The deadline for the United States to use Clinical Modification ICD-10-CM for diagnosis coding and Procedure Coding System ICD-10-PCS for inpatient hospital procedure coding was set for October 2015. All HIPAA covered entities must use ICD-10-CM. Another requirement is the use of EDI Version 5010.

HIPAA Audit Program

To ensure that CEs were complying with HIPAA regulations, the OCR began conducting compliance audits in 2011. Finishing in 2012, the audits showed the rate of HIPAA compliance to be very low. Many breaches of the Privacy Rule, Security Rule and Breach Notification Rule were recorded. The OCR was relatively lenient after this initial round, though it can be expected that this will not happen in the future.