It may have been around for a long time now, but is HIPAA still in effect? In short, yes, HIPAA is still in effect, but there have been numerous additions since it was first enacted in 1996. These additions have strengthened the legislation and provided greater protection to patients.
The Health Insurance Portability and Accountability Act was first enacted in 1996 with the aim of reforming the health insurance industry. However, it is now known most for its connections with safeguarding patient privacy. The Rules that put these standards in place were largely added after the Act was first written.
HIPAA stipulates that any organization that meets its definition of a “covered entity” must be HIPAA compliant. Generally, these covered entities include health plans, healthcare clearinghouses, and healthcare providers. These covered entities and their business associates (BAs) must adhere to the HIPAA rules for as long as HIPAA is in effect.
The HIPAA Privacy Rule was enacted in 2002, and is still in effect today. It defines protected health information (PHI) as any health data that contains individually-identifiable information and is used for purposes including treatment and payment of health operations. The HIPAA Security Rule was then enacted in 2009, and laid out the minimum technical, administrative, and physical safeguards required to maintain the integrity of PHI. This, and the other HIPAA rules (such as the Breach Notification Rule and Final Omnibus Rule) are also still in effect.
However, though no new rule has come into force since 2013, it 2022 may bring changes to HIPAA. These changes may reflect the responses the OCR received from HIPAA covered entities when they were asked which aspects of HIPAA were most burdensome or impeded the functioning of their organization. Other HIPAA-related pieces of legislation have been implemented recently, such as the 2021 HIPAA Safe Harbor Law, which amended the HITECH Act and encouraged CEs and BAs to improve their cybersecurity.
For as long as CEs or BAs are in possession of PHI, they must be HIPAA-compliant. If data has been anonymized, the data is no longer considered to be PHI and HIPAA does not apply. There are some other instances where HIPAA is still in effect, but with a different scope to what would be usual for CEs; for example, patient data may be used by government bodies in the event of a public health emergency. HIPAA is still in effect, but not in the same way as it would usually apply to CEs.
HIPAA will remain in effect even when new data privacy legislations, such as ADPPA, come into force.