History of HIPAA

Establishment of HIPAA

On August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The purpose of the legislation was to “improve the portability and accountability of health insurance coverage” for people between jobs. The act also aimed to reduce waste, fraud and abuse in the healthcare sector.

HIPAA also aimed to streamline the administration of healthcare, thus reducing the administrative burden on healthcare organizations. This was achieved through the HIPAA Administrative Simplification Rules, which required healthcare organizations to comply with a new set of standards for healthcare transactions and the adoption of standard code sets.

Privacy and security of health data were not the focus of the 1996 statute, but HIPAA became the vehicle used to regulate them as medical records moved from paper files to computer databases. That shift to electronic records had consequences the original law did not anticipate, and it was later addressed by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which created the Meaningful Use program to incentivize healthcare providers to adopt electronic health records.

Privacy and Security Rules

Shortly after HIPAA was enacted, the Department of Health and Human Services (HHS) began drafting the Privacy Rule, which became enforceable for most covered entities on April 14, 2003. The Privacy Rule defined the term “Protected Health Information” (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.

The Privacy Rule instructs “covered entities” (CEs) on how to protect the privacy of individually identifiable health information and stipulates the permitted uses and disclosures of that information. The Privacy Rule also gave patients new rights over their healthcare data, including the right to obtain a copy of their health records, the right to request amendments to correct errors, and the right to request restrictions on how their information is used and disclosed.

The Security Rule followed, with a compliance date of April 20, 2005 for most covered entities. The Security Rule introduced standards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) and requires covered entities to implement administrative, physical, and technical safeguards.

Administrative safeguards require CEs to have clear policies and procedures covering the security of ePHI, starting with a risk analysis that identifies where ePHI is stored and how it could be compromised. Physical safeguards protect the facilities, workstations, and devices or media that hold ePHI. Technical safeguards cover access control, audit controls, integrity protection, person or entity authentication, and transmission security, so that stored ePHI is protected at rest and in transit. Some of these specifications are “addressable” rather than required: a CE that chooses not to implement one (encryption, for example) must document why it is not reasonable and appropriate and what equivalent measure is in place.

The Enforcement Rule

Despite the privacy and security risks that persist when healthcare organizations do not comply with HIPAA, many CEs failed to implement compliance programs. This led to the Enforcement Rule in 2006, which set out the procedures for investigating complaints and gave HHS the authority to impose civil money penalties on covered entities found not to be in compliance with the HIPAA Rules. Criminal violations of HIPAA are referred to the Department of Justice, which can prosecute both organizations and individuals.

The HITECH Act and the Breach Notification Rule

The HITECH Act was signed into law in February 2009, in part to introduce new requirements for electronic health records (EHRs) and to encourage healthcare providers to adopt them. It led to the creation of the Meaningful Use incentive program, which provided financial incentives to healthcare organizations that adopted EHRs. HITECH also made business associates of covered entities directly liable for compliance with the Security Rule and certain Privacy Rule provisions.

The HITECH Act also led to the Breach Notification Rule, which requires breaches of unsecured PHI to be reported to the HHS Office for Civil Rights (OCR) and requires all individuals whose PHI was exposed or compromised to be notified without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must be reported to OCR within that same 60-day window (and to prominent media outlets in the affected state); smaller breaches may be logged and reported to OCR annually.

The Omnibus Final Rule

In 2013, the most recent major addition to the HIPAA Rules was published: the Omnibus Final Rule. Though it did not add much in the way of new law, it finalized the changes required by HITECH, tightened up the language of HIPAA, and addressed gaps in the earlier rules. For example, it made business associates and their subcontractors directly liable for HIPAA compliance, and it replaced the old “harm” threshold for breach notification with a presumption that any impermissible use or disclosure of PHI is a breach unless a documented risk assessment shows a low probability that the PHI was compromised.

The original HIPAA legislation was vague in its definitions, which the Omnibus Final Rule rectified. For example, the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.

The Omnibus Final Rule also amended the Privacy and Security Rules. Among other changes, the health information of an individual who has been deceased for more than 50 years is no longer treated as PHI, replacing the previous indefinite protection. The rule also implemented the tiered civil penalty structure introduced by HITECH, with penalties of up to $1.5 million per calendar year for each provision violated, to encourage compliance with the HIPAA Rules.

Separately, the compliance deadline for using ICD-10-CM (Clinical Modification) for diagnosis coding and ICD-10-PCS (Procedure Coding System) for inpatient hospital procedure coding was set for October 1, 2015, after earlier deadlines had been postponed.

HIPAA Audit Program

To check that CEs were complying with the HIPAA Rules, OCR began a pilot audit program in 2011. The first phase of audits, completed in 2012, revealed that many covered entities were not in compliance with all aspects of the HIPAA Rules; numerous violations of the Privacy Rule, Security Rule and Breach Notification Rule were recorded, with incomplete or missing risk analyses a common finding. OCR has since issued further guidance to help healthcare organizations improve their compliance programs, and a second phase of audits in 2016 extended the program to business associates.

OCR also started issuing financial penalties for serious compliance failures and has increased its enforcement activity in recent years. Today, multi-million-dollar settlements and civil money penalties for serious violations of the HIPAA Rules are common.